From: "Stephen J. Turnbull"
Newsgroups: gmane.emacs.devel
Subject: Re: POP3 password in plaintext?
Date: Wed, 01 Oct 2014 13:00:56 +0900
Message-ID: <87ppecv3pj.fsf@uwakimon.sk.tsukuba.ac.jp>
References: <878ul1x4kw.fsf@uwakimon.sk.tsukuba.ac.jp>
To: rms@gnu.org
Cc: emacs-devel@gnu.org

Richard Stallman writes:

> These points seem to conflict. First, there is no protection.
> Second, there is protection: use TLS for this communication.

Not at all. If the server provides TLS, there is protection, and both modern servers and Emacs (at least Gnus and probably RMail according to larsi, but I don't think VM does) are able to use STARTTLS to convert an unencrypted channel to an encrypted one, *before* the password is sent.

But even today not all servers provide TLS, and of those that do, some accept unencrypted connections but don't use STARTTLS. The user can do nothing about that; it requires reconfiguration and possibly upgrading software on the server. All Emacs can do is warn the user.

I liked Ted's suggestion about providing modeline indicators. However, a lot of HCI research shows that users don't notice such indicators and often misinterpret them. While Emacs users are generally more aware of such indicators and of their correct interpretation, I think something like the "novice" feature to provide an easily disabled "in your face" warning about unencrypted channels should be considered.

It's not clear to me that there's a good way to do it. Perhaps having the `password-read' function (and any other functions that are used to read passwords) check for unencrypted connections and warn the user would work.

Regards,
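
Added example, not part of the original message and not Emacs code: a Python sketch of the check discussed above, deciding from a POP3 server's CAPA reply whether the password may be sent, must wait for an STLS upgrade, or should trigger a warning. The names `parse_capa`, `password_plan` and `warning_disabled` and the sample replies are assumptions made for illustration.

```python
# Added example (not Emacs code): gate the POP3 password on channel state.
# CAPA is defined in RFC 2449 and the STLS capability in RFC 2595.

# Constructed sample replies to the CAPA command on the plaintext port.
CAPA_WITH_STLS = "+OK Capability list follows\r\nTOP\r\nUSER\r\nSTLS\r\nUIDL\r\n.\r\n"
CAPA_NO_STLS = "+OK Capability list follows\r\nTOP\r\nUSER\r\nUIDL\r\n.\r\n"
CAPA_UNSUPPORTED = "-ERR unknown command\r\n"


def parse_capa(reply):
    """Return the set of capability tags in a multi-line CAPA reply."""
    lines = reply.replace("\r\n", "\n").split("\n")
    if not lines[0].startswith("+OK"):
        return set()  # server without CAPA: nothing is advertised
    caps = set()
    for line in lines[1:]:
        if line == ".":  # a lone dot terminates the multi-line reply
            break
        if line.strip():
            caps.add(line.split()[0].upper())
    return caps


def password_plan(capa_reply, channel_encrypted, warning_disabled=False):
    """Decide what must happen before USER/PASS is written to the socket.

    Returns (action, warning): action is "send", "stls-then-send" or
    "ask-user"; warning is the text to show the user, or None.
    """
    if channel_encrypted:  # TLS was already negotiated on this connection
        return ("send", None)
    if "STLS" in parse_capa(capa_reply):
        return ("stls-then-send", None)  # upgrade first, password after
    warning = "Server offers no STLS: the password would cross the network unencrypted."
    if warning_disabled:  # hypothetical opt-out, like disabling `novice'
        return ("send", warning)
    return ("ask-user", warning)
```

A server that rejects CAPA and a server that lists no STLS look the same to the client on the plaintext port, so both end in the warning path.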