September 28th, 2002, 06:27 PM
POP3S vs. POP3...
I've been trying to get POP3S working on my RH7.2 box, and I can get to work, but not without it popping up a window re: the cert not being trusted, etc... And w/ Eudora, it won't work at all with the certificate, even if I add it to my trusted certs...
So, my question is: How big of a security hole is it if I just run POP3??? All users who will be getting mail, and therefore sending clear-text passwords, will be users with pretty much no access other than mail (i.e. /bin/false)... Is it possible that someone with just a mail user's ID and PW could escalate that ID beyond it's current low-access settings??? Or someone who sniffed that ID/PW as it was sent???
October 1st, 2002, 03:33 PM
I would think the biggest concern would be for your user's privacy, and not necessarily for your system's integrity. If passwords are being sent clear-text, many of your users might object to some unscrupulous type reading their email -- email that could potentially contain credit card numbers (geez, I hope not), personal information, confidential communiques, and other information not meant for the general public. I think a good rule of thumb is: do your best to protect your users whenever possible, and when it's not possible, inform them of the potential for their communication to be compromised.
/* You are not expected to understand this. */
October 1st, 2002, 03:57 PM
I don't think you should give up one the PKI/Certificates. PKI is growing as we speak and is going to be a standard for securing environments/transmissions. PKI rocks!