On Thu, Dec 09, 1999 at 08:58:16PM -0500, Jason Costomiris wrote:
> On Thu, Dec 09, 1999 at 08:50:27PM -0500, Michael H. Warfield wrote:
> : I don't agree that you have to store the passwords on the server
> : in clear text. I've got one server with APOP configured and it stores
> : hashes. They are different hashes from the normal password hashes, so
> : you have to have a different database for APOP, but it's not storing clear
> : text passwords. Administratively it really sucks to maintain the separate
> : password databases and changing passwords is a royal hassle.
> APOP by nature requires you to have clear passwords on the server side.
> The container isn't necessarily a text file, but the passwords have to be
> clear, otherwise when you MD5() them, you won't get the proper result..
> Qpopper stores them inside a dbm database.
Hmmm... So it does... Just jumped into the Fetchmail sources and
looked over the algorithm. Well that just blows goats. Trades security
on the wire for clear (or at least easy to get at) passwords on the server.
Man that sucks and blows one of my arguments.
> : You can also go with imaps (SSL encrypted imap) or pop3s (SSL
> : encrypted pop3). I'm not sure about Eudora, but Netscape (all platforms),
> : OutLook (LookOut?) and Exchange all support one or both. On the Linux
> : end, Mutt has support for one of them and I did the SSL patches for Fetchmail
> : that are now in the main sources.
> Yes, I know of imaps, but there's not nearly enough support for it..
> Netscape Mail makes me retch, and Lookout or Lookout Express make me
> retch on multiple levels...
Support for it is not that bad and getting better. With other
export restrictions loosening up, I may be able to contribute to spreading
that one a little further. I would love to see any MUA which supports
imap or pop3 also support imaps and pop3s. And it's not that difficult!
If you're not fussy about certifying authorities and CRLs, it's really
pretty $#@$#@ easy to put the basic stuff in the code with the OpenSSL libs.
I agree about LookOut but I've got people who love it (and give a reason
why sysadmins see bumper stickers that say "Users are Losers" and have no
idea that it's referring to drugs). I can keep them happy, keep my Linux
servers in place, keep some snoopy (and all TOO competent) security engineers
at bay, and the management is comfortable with the security. It's a good
deal. You can promote security and keep the lamers off yer ass at the same
time... They don't even realize they are "being secure" and that's the
best security!
> --
> Jason Costomiris <><
> Technologist, cryptogeek, human.
> jcostom {at} jasons {dot} org | http://www.jasons.org/
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
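The APOP exchange the thread is arguing about, as an added example (not code from either poster, Qpopper or Fetchmail): both sides of the RFC 1939 handshake over plain strings, no sockets. It shows why the server side needs the cleartext: the client sends MD5(timestamp || password), and the only way to check that is to recompute it from the password itself, so a crypt(3)-style hash of the password is useless to the server. It also shows what APOP does buy on the wire: the timestamp is fresh per connection, so a captured APOP command fails on replay. The host name, the password store and the session counter are assumptions made up for the example; the user/password pair is the one from RFC 1939's own example.

```python
"""APOP (RFC 1939) worked example: client digest, server check, replay."""
import hashlib
import hmac
import os
import re
import time

# Constructed sample password store. APOP forces the server to keep the
# cleartext (the container may be a dbm file, but the contents are clear),
# because the digest is MD5(timestamp || password) and must be recomputed.
CLEARTEXT_DB = {"mrose": "tanstaaf"}  # user/password from RFC 1939's example

# The timestamp banner the server puts in its greeting: <pid.clock@host>
BANNER_RE = re.compile(r"<[^<>]+@[^<>]+>")


def apop_digest(timestamp, password):
    """RFC 1939: lowercase hex MD5 of the timestamp (angle brackets included)
    immediately followed by the shared secret, no separator."""
    return hashlib.md5((timestamp + password).encode("ascii")).hexdigest()


def client_apop(greeting, username, password):
    """Client side: pull the timestamp out of the +OK greeting and build the
    APOP command line. Raises if the server offered no timestamp."""
    m = BANNER_RE.search(greeting)
    if not greeting.startswith("+OK") or m is None:
        raise ValueError("server did not offer APOP")
    return "APOP %s %s" % (username, apop_digest(m.group(0), password))


class ApopServer:
    """Server side of APOP, one instance per listening daemon (assumed)."""

    def __init__(self, hostname, cleartext_db):
        self.hostname = hostname
        self.db = cleartext_db
        self.connections = 0
        self.timestamp = None

    def greet(self):
        """Start a new connection with a fresh, unique challenge. A counter
        plus the clock guarantees no two greetings share a timestamp."""
        self.connections += 1
        self.timestamp = "<%d.%d.%d@%s>" % (
            os.getpid(), self.connections, time.time_ns(), self.hostname)
        return "+OK POP3 server ready " + self.timestamp

    def handle(self, line):
        """Check an APOP command against the challenge of this connection."""
        if self.timestamp is None:
            return "-ERR no greeting sent"
        parts = line.split()
        if len(parts) != 3 or parts[0].upper() != "APOP":
            return "-ERR syntax"
        user, digest = parts[1], parts[2].lower()
        password = self.db.get(user)
        if password is None:
            return "-ERR permission denied"
        # The only way to verify: recompute from the cleartext password.
        expected = apop_digest(self.timestamp, password)
        if not hmac.compare_digest(expected, digest):
            return "-ERR permission denied"
        return "+OK maildrop locked and ready"


def run_session(server, username, password):
    """One full exchange; returns (client command, server reply)."""
    greeting = server.greet()
    cmd = client_apop(greeting, username, password)
    return cmd, server.handle(cmd)


def replay(server, captured_cmd):
    """Sniff an APOP command off the wire and replay it on a new connection.
    Fails, because the new greeting carries a different timestamp."""
    server.greet()
    return server.handle(captured_cmd)


if __name__ == "__main__":
    srv = ApopServer("pop.example.net", CLEARTEXT_DB)  # assumed host name
    cmd, reply = run_session(srv, "mrose", "tanstaaf")
    print("C:", cmd)
    print("S:", reply)
    print("S (replayed):", replay(srv, cmd))
```

Note what this does and does not protect: the password never crosses the wire and a captured digest cannot be replayed, but an eavesdropper holding the timestamp and digest can test candidate passwords offline at MD5 speed, and the server's store is cleartext for anyone who can read it. That is the trade the thread arrives at, and it is why pop3s/imaps, which protect the whole session and let the server keep ordinary hashed passwords, are the better option when the clients support them.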