From: "Stephen J. Turnbull"
Newsgroups: gmane.emacs.devel
Subject: POP3 password in plaintext?
Date: Tue, 30 Sep 2014 10:46:55 +0900
Message-ID: <878ul1x4kw.fsf@uwakimon.sk.tsukuba.ac.jp>
To: rms@gnu.org
Cc: emacs-devel@gnu.org

Richard Stallman writes:

 > [A source] says that POP3 passwords are sometimes transmitted in
 > plain text.
 >
 > Is plaintext transmission of passwords inherent in POP3
 > or is it optional?

It's inherent.  There are other related protocols which purport to give
more security, but AFAIK they're all susceptible to man-in-the-middle
attacks[1], which is why they haven't superseded POP3.

 > Is there something we can and should do to encourage users to stop
 > the plaintext transmission of their POP3 passwords?

There's not much users can do.  In most cases their mailboxes are on
heavily defended, trusted systems (from the users' point of view, I
know you worry about the reliability of the administrators), so the
normal approach to this problem is to use TLS to protect the channel
from snooping.

If a virus has installed a keyboard snooper on your machine, it reads
the password as you type.  If the admins on the mail host want to read
your mail, they can do so -- they have root.

IMAP4 may be more secure by default, I forget the details about IMAP.

I suppose you could add a "nanny mode" to Emacs POP clients to tell the
users that they're using an insecure channel if they POP3 to port 110
instead of 995 (the latter is the IANA-registered port for POP3 over
TLS).
For those who care, there's an overview of POP3 here:
http://tools.ietf.org/html/rfc1939#page-3

More options for authentication here:
http://tools.ietf.org/html/rfc1734

These are very old RFCs (RFC 1939 is dated May 1996).

Footnotes:
[1] E.g., APOP uses MD5 plus a plain-text session salt transmitted
in-band to encrypt the password, which is easily breakable offline with
a brute-force attack for typical password lengths, and requires that the
server store the password for comparison of the hashes.
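An added worked example, not part of Turnbull's message and not code from Emacs or any POP client, covering two points in the message above: the footnote's description of APOP (RFC 1939 section 7: MD5 over the in-band timestamp followed by the shared secret) and the suggested port-110 "nanny mode" warning. It builds the greeting and APOP command as they would cross the wire, shows that the server has to hold the cleartext password to recompute the digest, and then recovers the password from the sniffed pair with an offline dictionary attack, which needs no further traffic to the server. The greeting is modelled on the RFC 1939 sample, the user, password and wordlist are constructed, and every function name here is this example's own.

```python
"""APOP (RFC 1939 section 7) worked through end to end.  Added example with
constructed data; none of these names come from the message or from Emacs."""
import hashlib
import hmac
import re
from typing import Optional

POP3_PORT = 110    # cleartext POP3 (RFC 1939)
POP3S_PORT = 995   # POP3 over TLS, the IANA-registered "pop3s" port

# RFC 1939: the greeting carries a timestamp in msg-id syntax, e.g. <pid.clock@host>
_TIMESTAMP_RE = re.compile(r"<[^<>]+@[^<>]+>")


def apop_digest(timestamp: str, secret: str) -> str:
    """RFC 1939 section 7: digest = MD5(timestamp || shared secret) as lowercase hex."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def extract_timestamp(greeting: str) -> str:
    """Pull the <...> timestamp out of a '+OK ...' greeting.  It is the only
    'salt' APOP has, and a passive listener on port 110 sees it as well."""
    m = _TIMESTAMP_RE.search(greeting)
    if not greeting.startswith("+OK") or m is None:
        raise ValueError("greeting carries no APOP timestamp: %r" % greeting)
    return m.group(0)


def client_apop(greeting: str, user: str, password: str) -> str:
    """The client's line: 'APOP name digest'.  The password itself stays off the wire."""
    return "APOP %s %s" % (user, apop_digest(extract_timestamp(greeting), password))


def server_verify(greeting: str, command: str, password_db: dict) -> bool:
    """Server side.  To recompute the digest the server must hold the *cleartext*
    password (password_db maps user -> password), which is the storage requirement
    the footnote points at; a salted one-way hash of the password cannot be used."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP" or parts[1] not in password_db:
        return False
    expected = apop_digest(extract_timestamp(greeting), password_db[parts[1]])
    return hmac.compare_digest(expected, parts[2])


def offline_crack(greeting: str, command: str, wordlist) -> Optional[str]:
    """Attacker who sniffed both lines.  Timestamp and digest are in the clear,
    so every guess costs one MD5 and the server never sees a failed attempt."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP":
        raise ValueError("not an APOP command: %r" % command)
    timestamp, target = extract_timestamp(greeting), parts[2]
    for guess in wordlist:
        if apop_digest(timestamp, guess) == target:
            return guess
    return None


def channel_warning(port: int, tls: bool) -> Optional[str]:
    """The 'nanny mode' check from the message: None when the channel is wrapped
    in TLS, otherwise a warning naming the port that is exposing the exchange."""
    if tls:
        return None
    hint = "" if port == POP3S_PORT else " (POP3 over TLS is port %d)" % POP3S_PORT
    return "POP3 to port %d without TLS: login exposed to anyone on the path%s" % (port, hint)


if __name__ == "__main__":
    # Constructed session, modelled on the RFC 1939 section 7 sample greeting.
    greeting = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
    db = {"mrose": "tanstaaf"}                           # server must keep this in cleartext
    cmd = client_apop(greeting, "mrose", "tanstaaf")
    print("S:", greeting)
    print("C:", cmd)
    print("server accepts:", server_verify(greeting, cmd, db))
    wordlist = ["password", "letmein", "tanstaaf", "hunter2"]   # constructed
    print("recovered offline:", offline_crack(greeting, cmd, wordlist))
    print(channel_warning(POP3_PORT, tls=False))
```

The timestamp stops a captured digest from being replayed against the same server later, but it does nothing against guessing, since the attacker holds both inputs to the hash; that is the sense in which the footnote calls APOP "easily breakable offline". Wrapping the session in TLS (port 995 in the check above) protects the exchange regardless of which authentication command is used inside it.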