Re: POP3 Security Issues

[Jason Axley <jason.axley () attws com>]

On 30 Nov, Rick Smith wrote:
> At 11:43 AM 11/27/98 -0800, Jason Axley wrote:
> > There isn't any security in POP3.  Unless you are using POP3 over SSL to
> > encrypt the data, 
>
> I like the idea of using SSL, and I can see how it would be a pretty simple
> rearrangement of software already available in today's bloated browser/mail
> reader products. But is this something that's really out there as a
> product, or do people have to roll their own?
>
> Rick.
> smith () securecomputing com

Netscape and IE (outlook express) already support IMAP and POP over
SSL.  Both the windoze and UNIX versions can do this.  M$ exchange 5 can
support pop and imap, over SSL even (although I'm sure that most people
don't use this functionality).

As for Nicholas Brawn's question about other clients (including
fetchmail), I don't know of any, but I haven't looked.  Did you roll
the SSL into qpopper yourself, or are patches readily available for
that?  Does it use SSLeay?  I'm interested!

For those who think that APOP solves the problem; it may solve the
password in the clear problem, but it still allows your company's
private emails to go across the public Internet in the clear and still
allows for your TCP session to be hijacked--two problems solved by SSL.
APOP isn't even supported by the Netscape messenger email client
(don't think by outlook express either).  Eudora may be the only
widely-used client that does (although you can't get it for free like
outlook express or Netscape messenger, can you?)

-Jason

-- 

AT&T Wireless Services
IT UNIX Security Operations Specialist