POP3 password in plaintext?

["Stephen J. Turnbull" <stephen@xemacs.org>]

Richard Stallman writes:

 > [A source] says that POP3 passwords are sometimes transmitted in
 > plain text.
 > 
 > Is plaintext transmission of passwords inherent in POP3
 > or is it optional?

It's inherent.  There are other related protocols which purport to
give more security, but AFAIK they're all susceptible to man in the
middle attacks[1], which is why they haven't superseded POP3.

 > Is there something we can and should do to encourage users to stop
 > the plaintext transmission of their POP3 passwords?

There's not much users can do.

In most cases their mailboxes are on heavily defended, trusted systems
(from the users' point of view, I know you worry about the reliability
of the administrators), so the normal approach to this problem is to
use TLS to protect the channel from snooping.  If a virus has
installed a keyboard snooper on your machine, it reads the password as
you type.  If the admins on the mail host want to read your mail, they
can do so -- they have root.

IMAP4 may be more secure by default, I forget the details about IMAP.
I suppose you could add a "nanny mode" to Emacs POP clients to tell
the users that they're using an insecure channel if they POP3 to port
110 instead of 995 (the latter is the IANA-registered port for POP3
over TLS).

For those who care, there's a overview of POP3 here:
http://tools.ietf.org/html/rfc1939#page-3

More options for authentication here:
http://tools.ietf.org/html/rfc1734

These are very old RFCs (RFC 1939 is dated May 1996).



Footnotes: 
[1]  Eg, APOP uses MD5 plus a plain-text session salt transmitted
in-band to encrypt the password, which is easily breakable offline
with brute force attack for typical password lengths, and requires
that the server store the password for comparison of the hashes.