Jonathan Ben-Avraham <[EMAIL PROTECTED]> wrote:
> > Theoretically speaking, as far as an email service(s) is concerned, one
> > shouldn't worry about (1), given that (2) is satisfied. Indeed, what would a
> > snooper do with one's email (== imap or pop) password? Only read his emails,
> > but since the email is relayed over the Internet in plain text, it doesn't
> > matter anyway. Or, putting it the other way around, if you want privacy, use
> > pgp/gpg, and your correspondence will remain private whether the imap/pop
> > password is guessed or not. For the same reason, (3) isn't worth tinkering
> > with either (again, talking about email).
>
> Not so! What about a denial of service attack - someone who selectively
> deletes emails from your mailbox so that you miss an opportunity?

Of course. But since securing a system is a never-ending task anyway, this should
be considered taking into account priorities. I, for one, wouldn't consider this
variant probable - it's just too dumb and not interesting for a cracker - compare
it with such niceties as formatting a whole disk or, better, putting a photo of a
naked girl instead of the company's logo on the home page. Also, if the cracker
does it periodically, he/she can be easily tracked down. If it happens only once -
well, there are other (practically uncontrollable) things with similar effect -
hard disk crash, bug in qpopper itself causing spool corruption (was up to 2.50, I
think), spool corruption due to simultaneous accesses via NFS (NFS-mounted
/var/spool/mail is still used in a lot of places) etc.

> The simple solution is APOP, as you indicate below.

Which is, unfortunately, not simple at all if, say, your manager insists on the MS
Out-of-luck as a "standard enterprise" email solution. If APOP (or KPOP) _can_ be a
solution, then of course, it should be implemented and enforced.

Regards,
Evgeny
--
____________________________________________________________
/ Evgeny Stambulchik <[EMAIL PROTECTED]> \
/ Plasma Laboratory, Weizmann Institute of Science, Israel \ \
| Phone : (972)8-934-3610 == | == FAX : (972)8-934-3491 | |
| URL : http://plasma-gate.weizmann.ac.il/~fnevgeny/ | |
| Finger for PGP key >=====================================+ |
|______________________________________________________________|
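
Added example, not part of the original message: the APOP exchange mentioned in the thread, showing both sides and why a sniffed login cannot be reused. The digest is MD5 over the server's greeting timestamp plus the shared secret, as RFC 1939 defines it; the greeting, user and secret are the RFC 1939 sample values, and the function names are illustrative.

```python
import hashlib
import hmac
import re

# The greeting must end with a msg-id style timestamp, e.g. <pid.clock@host>.
BANNER_RE = re.compile(r"^\+OK .*?(<[^<>@\s]+@[^<>@\s]+>)\s*$")

def extract_timestamp(greeting: str) -> str:
    """Return the APOP timestamp, or fail instead of falling back to USER/PASS."""
    m = BANNER_RE.match(greeting)
    if m is None:
        raise ValueError("greeting has no APOP timestamp; refusing plaintext login")
    return m.group(1)

def apop_digest(timestamp: str, secret: str) -> str:
    # RFC 1939: MD5 over the timestamp (angle brackets included) + shared secret.
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()

def client_command(greeting: str, user: str, secret: str) -> str:
    """What the client sends; the secret itself never crosses the wire."""
    return f"APOP {user} {apop_digest(extract_timestamp(greeting), secret)}"

def server_verify(command: str, issued_timestamp: str, secrets: dict) -> bool:
    """Check a client's APOP line against the timestamp issued for THIS session."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    _, user, digest = parts
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = apop_digest(issued_timestamp, secret)
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected.encode(), digest.lower().encode())

if __name__ == "__main__":
    # Sample values from RFC 1939, section 7.
    greeting = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
    secrets = {"mrose": "tanstaaf"}
    sniffed = client_command(greeting, "mrose", "tanstaaf")
    print(sniffed)
    print(server_verify(sniffed, "<1896.697170952@dbc.mtview.ca.us>", secrets))
    # A new session gets a new timestamp, so the sniffed line is rejected.
    print(server_verify(sniffed, "<1897.697170999@dbc.mtview.ca.us>", secrets))
```

APOP protects only the login: message bodies still travel in the clear, and the server has to keep each user's secret in recoverable form to compute the digest.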