On Sun, Mar 18, 2001 at 04:59:23AM -0900, Ethan Benson wrote:
> On Sun, Mar 18, 2001 at 03:38:36PM +0100, William Leese wrote:
> > Having a cable modem I'm concerned with the fact that when I use email my
> > password is sent in clear text over the network. I've heard that there were
>
> as you should be, cable modems generally are equivalent to large
> unswitched lans, which means any bozo with a cable modem can set their
> machine to promiscuous mode and see every packet sent by any cable
> modem user. (at least for that segment)

Bzzzt. This is simply not true with DOCSIS modems (if you can cite a provable example I'd love to hear about it). It's also not true with LANCity Gen3 modems at least. It might work with the super-old Zenith stuff but I don't know anyone sane using that. (My prior employer still is in one market :/ )

Cable modems act as a layer-2 bridge. To prevent the sniffing problem you are talking about, each modem is programmed to proxy arp a finite number of MAC addresses (usually one). So, unless you are a technical wizard and have access to documentation that the manufacturers won't even give the cable companies, you are SOL if you want to sniff your neighbors.

When I worked for a cable provider, I wanted a sniffer so we could troubleshoot. Obviously I needed a modem that could be set to "promiscuous" mode. The official word was it couldn't be done. I was unofficially informed that it could be done but the manufacturer didn't plan on that software ever leaving the factory.

> > other services that could be used instead of POP but I'm not sure if that can
> > be used here if my provider doesn't support it.
>
> imap over ssl maybe..

Some providers support POP over SSL. Usually that implies a clueful provider, and, well, we're talking about cable companies :)

> > For my email I use my providers POP server. For sending email I also use
> > their server. Though in the past I used sendmail, can someone tell me the
> > advantages of using one over the other?
>
> if you have a static ip and your connection is actually stable you
> could just run your own mailserver and have mail delivered directly to
> it. that way you don't need pop3 or imap. no passwords sent anywhere
> that way. you still need to use GnuPG to encrypt any mail you don't
> want everyone seeing but you should do that regardless of your network
> connection.

Except you now risk running afoul of the DUL.

> > Also, is there any way I can encrypt the passwords being sent without the
> > provider taking any needed steps to enable me to do so?
>
> only if you have a shell account on their pop3 server via ssh, then
> you can tunnel the pop3 connection over ssh. if you have a shell
> account on any of their machines that would probably still be an
> improvement since you would get the connection encrypted at least into
> their hopefully switched and secure lan and off the insecure cable
> modem network.
>
> unfortunately there seems to be a law saying all ISPs must suck, and
> thus shell access is an endangered species. along with static ips,
> reliability, security, etc etc....

Can't argue with that. The sad thing is, a "geek oriented" ISP wouldn't necessarily get very far; the mass horde is fairly happy with the crap they've got.

Cheers,

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc.                 | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]       |   -- Patton