pop3 secure?

hardigunawan
04-10-2001, 12:29 AM
So is pop3 secure enough that I can let anyone on the internet log in?

Craig McPherson
04-10-2001, 03:50 AM
Well, that depends on what FTP daemon you're using, but the answer is a firm, resounding "hopefully". I've heard about almost no POP3-based expl0its, so I wouldn't be terribly concerned. Of course, you'll need to educate your users that anyone who guesses or obtains their password will be able to download their e-mail, and instruct them on picking strong passwords. Even when you don't have to worry too much about security flaws and exploits in the program, you still have to worry about the front door.

Another concern, if you're moderately paranoid about security, is the plaintext passwords issue. I've never been too keen on worrying about this, because I really doubt the mega-ISPs and Internet backbones your data travels through are staffed by scr1pt k1dd1ez running p4ssw0rd-sn1ff3rz on those networks, but it's within the realm of possibility that someone could sniff a password along the way. If your machine allows outside telnet access (bad) or password-based SSH access (just as bad), the scr1pt k1dd1e could then use the stolen password to log in through those services. There are various encryption protocols supported for encrypting passwords over POP3, but I'm not really versed in them, and you'd have to make sure your server and all your clients supported the one you wanted to use.

A lot of people and companies are going with web-based mail checkers now, a la Hotmail, so that people can check their mail from anywhere without the need to configure a POP3 client. Some of these use HTTPS, so that plaintext passwords are not a problem. I use Neomail, which is very nice, polished, and featureful, and even very non-technical end users can learn to use it with minimal training. Anybody who's used Hotmail or Yahoo or anything like that will be able to master it quickly. Neomail does not use HTTPS, so (AFAIK) passwords are sent plaintext, but a normal POP3 password sniffer wouldn't pick it up, only a sniffer designed specifically to sniff passwords in a Neomail session, and if those exist they're far less common.

freebsd
04-10-2001, 05:00 AM
The POP3 protocol is insecure. You may try POP3 over SSL -> http://www.inter7.com/courierimap/ or http://www.stunnel.org/

BigBlockMopar
04-14-2001, 04:27 PM
Yeah, a suggestion if you want to use POP3 across the Internet (as opposed to across your home LAN). The biggest danger with POP3 is probably the *frequency* with which your users will be sending it across the Internet. If Eudora is set to check mail every 5 minutes, then that user's name and password will be whipping across the 'Net every 5 minutes. In plain text. This makes it fairly likely that if there is a leet haxor sniffing for a few minutes, he's gonna find you.

So, if you have any other services that allow remote logins - telnet, FTP, etc. - then make *sure* that the POP user and password combination won't work for those other things.

I have a 17 user LAN that I run at work. Out of those 17 of us, there are no more than 2 of us who have any need to ever log into the system remotely. First thing is that for every record in the /etc/passwd file, I set it up so that the default shell was /sbin/nologin. This means that even if they get a password and a username by POP-sniffing, it'll still be useless for doing more than reading that user's mail. Bad, but not a rooted box.

Next thing I did was create bizarre usernames for my assistant and me. This way, someone who gets the bright idea of seeing that there's an e-mail address of "myname@mydomain.com" won't have the username "myname" with which to start cracking passwords. Of course he will, but there'll be no shell for him if he gets in. And for the remote login usernames and passwords, /etc/aliases is set up to automatically forward those to our real e-mail addresses, so that if we do something that generates e-mail within the system, we still get it. And we never defeat the purpose of the whole exercise by running a POP mail client on our login usernames.

Why go to all this trouble? The only 100% effective firewall is the one that is implemented with scissors. Everything else is just about making life tougher for someone who wants into your system.

Ryeker
04-15-2001, 09:10 PM
Craig, on the Neomail mailing list, they suggested that you just run all of Neomail over HTTPS. It wouldn't be too difficult to link the login screen to HTTPS and then redirect out of HTTPS. Yahoo mail does that.

Craig McPherson
04-21-2001, 08:15 PM
Okay, I didn't know about that. I've never played with HTTPS, but I'll give that a try. Thanks for the suggestion.
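What the plaintext-password concern raised by Craig McPherson and BigBlockMopar looks like on the wire, as an added example that is not part of the thread. A passive sniffer run over a constructed POP3 capture pulls USER/PASS straight out; an APOP login (RFC 1939's challenge-response, the kind of mechanism Craig alludes to) sends only an MD5 digest of the server banner's timestamp and the password, so the same sniffer sees no password. The caveat the thread does not spell out: a captured APOP digest can still be guessed offline against a wordlist at MD5 speed, which is why wrapping the whole session in TLS (freebsd's POP3 over SSL / stunnel suggestion) is the fix that actually hides the credential. Host names, session contents and passwords below are constructed.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed capture (not from the thread): a client logging in with
# USER/PASS, which is exactly what an Eudora-style poll puts on the wire
# every N minutes.
GREETING = "+OK POP3 server ready <12345.987654321@mail.example.com>"
PLAINTEXT_SESSION = b"\r\n".join([
    GREETING.encode(),
    b"USER alice",
    b"+OK",
    b"PASS hunter2",
    b"+OK Logged in.",
    b"STAT",
    b"+OK 2 4096",
    b"QUIT",
    b"+OK Bye",
    b"",
])

_CMD = re.compile(r"^(USER|PASS|APOP)\s+(.*)$", re.IGNORECASE)


def sniff_pop3(stream: bytes) -> Dict[str, object]:
    """Passive sniffer over one captured POP3 session.

    Returns the server banner (which carries the APOP timestamp), every
    USER/PASS pair that crossed the wire in the clear, and every APOP
    name/digest pair."""
    seen: Dict[str, object] = {"greeting": None, "plaintext": [], "apop": []}
    pending_user: Optional[str] = None
    for raw in stream.decode("ascii", errors="replace").split("\r\n"):
        line = raw.strip()
        if seen["greeting"] is None and line.startswith("+OK"):
            seen["greeting"] = line          # first server line is the banner
            continue
        m = _CMD.match(line)
        if not m:
            continue
        cmd, arg = m.group(1).upper(), m.group(2)
        if cmd == "USER":
            pending_user = arg
        elif cmd == "PASS" and pending_user is not None:
            seen["plaintext"].append((pending_user, arg))   # type: ignore[union-attr]
            pending_user = None
        elif cmd == "APOP":
            name, _, digest = arg.partition(" ")
            seen["apop"].append((name, digest.strip()))    # type: ignore[union-attr]
    return seen


def apop_digest(greeting: str, secret: str) -> str:
    """RFC 1939 APOP: MD5 over the banner's <pid.clock@host> timestamp + secret."""
    m = re.search(r"<[^>]+>", greeting)
    if m is None:
        raise ValueError("banner carries no timestamp; server does not offer APOP")
    return hashlib.md5((m.group(0) + secret).encode()).hexdigest()


def apop_session(greeting: str, user: str, secret: str) -> bytes:
    """Constructed APOP login: the password itself never crosses the wire."""
    lines = [greeting, f"APOP {user} {apop_digest(greeting, secret)}",
             "+OK Logged in.", "QUIT", "+OK Bye", ""]
    return "\r\n".join(lines).encode()


def offline_guess(greeting: str, digest: str, candidates: Iterable[str]) -> Optional[str]:
    """What a sniffer does with a captured banner + APOP digest: guess offline,
    with no further traffic to the server. Returns the matching candidate or None."""
    for cand in candidates:
        if apop_digest(greeting, cand) == digest:
            return cand
    return None


if __name__ == "__main__":
    cap = sniff_pop3(PLAINTEXT_SESSION)
    print("USER/PASS in the clear:", cap["plaintext"])   # [('alice', 'hunter2')]
    cap = sniff_pop3(apop_session(GREETING, "alice", "hunter2"))
    print("USER/PASS in the clear:", cap["plaintext"])   # []
    name, digest = cap["apop"][0]                         # type: ignore[index]
    print("APOP digest captured for", name)
    print("offline guess:", offline_guess(cap["greeting"], digest,   # type: ignore[arg-type]
                                          ["password", "letmein", "hunter2"]))
```

APOP only moves the problem from the wire to the attacker's CPU: the server's timestamp is public, so a weak password falls to the wordlist loop above. With TLS the banner, the APOP line and the mail itself are all encrypted, and the sniffer gets neither.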
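BigBlockMopar's /sbin/nologin plus /etc/aliases scheme turned into an audit check, added here and not taken from the thread. Given copies of /etc/passwd and /etc/aliases (constructed excerpts below, with invented account names) and the short list of accounts allowed to log in remotely, it flags every mail-only account that still has an interactive shell, every remote-login account whose mail is not forwarded to a real mailbox, and any name on the remote list that does not exist at all. Run it after each account change so the "sniffed POP password only reads mail" property is actually true.

```python
from typing import Dict, List, Set, Tuple

# Constructed /etc/passwd and /etc/aliases excerpts (invented names; not from
# the thread). myname and assistant are POP-only mailboxes; qz7k2m and p9x3
# are the two "bizarre" login names that may reach a shell remotely.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
myname:x:1001:1001:Real Name:/home/myname:/sbin/nologin
assistant:x:1002:1002:Assistant:/home/assistant:/sbin/nologin
bob:x:1003:1003:Bob:/home/bob:/bin/bash
qz7k2m:x:1004:1004:admin login:/home/qz7k2m:/bin/bash
p9x3:x:1005:1005:assistant login:/home/p9x3:/bin/bash
"""

SAMPLE_ALIASES = """\
# login-name mailboxes are forwarded to the real (POP) mailboxes
qz7k2m: myname
root: myname
"""

REMOTE_LOGIN_USERS: Set[str] = {"qz7k2m", "p9x3"}

# Shells that refuse an interactive login; extend for your system.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text: str) -> Dict[str, Tuple[int, str]]:
    """name -> (uid, login shell). Skips blank, comment and malformed lines."""
    users: Dict[str, Tuple[int, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        users[fields[0]] = (int(fields[2]), fields[6])
    return users


def parse_aliases(text: str) -> Dict[str, List[str]]:
    """alias -> list of targets, sendmail-style 'name: target, target'."""
    aliases: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, targets = line.partition(":")
        if not sep:
            continue
        aliases[key.strip()] = [t.strip() for t in targets.split(",") if t.strip()]
    return aliases


def audit_accounts(passwd_text: str, aliases_text: str,
                   remote_users: Set[str], min_uid: int = 1000) -> List[Tuple[str, str]]:
    """Return sorted (account, problem) pairs for the nologin + aliases scheme.

    Rules checked:
      * every ordinary account NOT on the remote-login list must have a
        non-interactive shell, so a sniffed POP password only reads mail;
      * every remote-login account needs an /etc/aliases forward, so mail
        generated for that login name still reaches a real mailbox;
      * every name on the remote-login list must exist in passwd.
    System accounts below min_uid are out of scope for this check."""
    users = parse_passwd(passwd_text)
    aliases = parse_aliases(aliases_text)
    findings: List[Tuple[str, str]] = []
    for name, (uid, shell) in users.items():
        if uid < min_uid:
            continue
        interactive = shell not in NOLOGIN_SHELLS
        if name in remote_users:
            if name not in aliases:
                findings.append((name, "remote-login account has no /etc/aliases forward"))
        elif interactive:
            findings.append((name, f"mail-only account has interactive shell {shell}"))
    for name in sorted(remote_users - set(users)):
        findings.append((name, "on the remote-login list but absent from passwd"))
    return sorted(findings)


if __name__ == "__main__":
    for account, problem in audit_accounts(SAMPLE_PASSWD, SAMPLE_ALIASES, REMOTE_LOGIN_USERS):
        print(f"{account}: {problem}")
```

On the constructed data this reports bob (a POP user who kept /bin/bash) and p9x3 (a login name with no forward); qz7k2m passes. The check does not cover the last point in the post, that the remote-login accounts must never be polled by a POP client, which is a client-side habit rather than anything visible in passwd.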
justlinux.com
Copyright Internet.com Inc. All Rights Reserved.