unofficial mirror of emacs-devel@gnu.org 
From: "Stephen J. Turnbull" <stephen@xemacs.org>
To: rms@gnu.org
Cc: emacs-devel@gnu.org
Subject: Re: POP3 password in plaintext?
Date: Wed, 01 Oct 2014 13:00:56 +0900
Message-ID: <87ppecv3pj.fsf@uwakimon.sk.tsukuba.ac.jp>
In-Reply-To: <E1XZ31P-0005e2-V1@fencepost.gnu.org>

Richard Stallman writes:

 > These points seem to conflict.  First, there is no protection.
 > Second, there is protection: use TLS for this communication.

Not at all.  If the server provides TLS, there is protection, and both
modern servers and Emacs (at least Gnus and probably RMail according
to larsi, but I don't think VM does) are able to use STARTTLS to
convert an unencrypted channel to an encrypted one, *before* the
password is sent.

But even today not all servers provide TLS, and of those that do, some
accept unencrypted connections but don't use STARTTLS.  The user can
do nothing about that; it requires reconfiguration and possibly
upgrading software on the server.  All Emacs can do is warn the user.

I liked Ted's suggestion about providing modeline indicators.
However, a lot of HCI research shows that users don't notice such
indicators and often misinterpret them.  While Emacs users are
generally more aware of such indicators and of their correct
interpretation, I think something like the "novice" feature to provide
an easily disabled "in your face" warning about unencrypted channels
should be considered.

It's not clear to me that there's a good way to do it.  Perhaps having
the `password-read' function (and any other functions that are used to
read passwords) check for unencrypted connections and warn the user
would work.

Regards,
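
The behaviour discussed in the message above (upgrade the POP3 session with STARTTLS before the password is sent, and warn rather than silently fall back when the server offers no upgrade), as an added Python example that is not part of the original message or of Emacs. FakePop3Server, login, allow_plaintext and the capability lists are constructed for illustration; STLS and CAPA are the POP3 commands for STARTTLS and capability listing.

```python
# Added example: constructed POP3 dialogue, no network I/O.
class FakePop3Server:
    """Scripted server; records each command and whether it arrived in cleartext."""
    def __init__(self, capabilities):
        self.capabilities = capabilities      # lines the server lists after CAPA
        self.encrypted = False                # becomes True after a successful STLS
        self.log = []                         # (channel, command) as seen on the wire

    def send(self, line):
        self.log.append(("tls" if self.encrypted else "plain", line))
        verb = line.split()[0].upper()
        if verb == "CAPA":
            return ["+OK"] + self.capabilities + ["."]
        if verb == "STLS":
            if "STLS" not in self.capabilities:
                return ["-ERR unknown command"]
            self.encrypted = True             # stands in for the TLS handshake
            return ["+OK begin TLS negotiation"]
        return ["+OK"]


class PlaintextPasswordRefused(Exception):
    """Raised instead of sending PASS over an unencrypted channel."""


def login(server, user, password, allow_plaintext=False):
    """Upgrade with STLS when offered; never send PASS in cleartext unless allowed."""
    caps = [c.upper() for c in server.send("CAPA")[1:-1]]
    if "STLS" in caps:
        reply = server.send("STLS")
        if not reply[0].startswith("+OK"):
            raise PlaintextPasswordRefused("STLS advertised but refused")
        # Real clients should re-issue CAPA here: pre-TLS capabilities are untrusted.
    elif not allow_plaintext:
        raise PlaintextPasswordRefused("server offers no STLS; password not sent")
    server.send("USER " + user)
    server.send("PASS " + password)
    return "tls" if server.encrypted else "plain"


def cleartext_secrets(server):
    """Commands carrying the password that crossed the wire unencrypted."""
    return [cmd for chan, cmd in server.log if chan == "plain" and cmd.startswith("PASS ")]
```

The allow_plaintext flag plays the role of the easily disabled warning: the default refuses, and the user has to opt in explicitly before a password goes out unencrypted.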


