Re: POP3 password in plaintext?

[David Kastrup]

"Stephen J. Turnbull" <address@hidden> writes:

> Richard Stallman writes:
>
>  > These points seem to conflict.  First, there is no protection.
>  > Second, there is protection: use TLS for this communication.
>
> Not at all.  If the server provides TLS, there is protection, and both
> modern servers and Emacs (at least Gnus and probably RMail according
> to larsi, but I don't think VM does) are able to use STARTTLS to
> convert an unencrypted channel to an encrypted one, *before* the
> password is sent.

Transparent STARTTLS on demand would seem useless against
man-in-the-middle attacks.  It's just good against eavesdropping on
unintercepted traffic.  And you don't even need to be true
man-in-the-middle: you just need to be faster answering the STARTTLS
negotiation.

-- 
David Kastrup