[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: POP3 password in plaintext?
From: |
Richard Stallman |
Subject: |
Re: POP3 password in plaintext? |
Date: |
Wed, 01 Oct 2014 08:54:03 -0400 |
[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
Transparent STARTTLS on demand would seem useless against
man-in-the-middle attacks. It's just good against eavesdropping on
unintercepted traffic. And you don't even need to be true
man-in-the-middle: you just need to be faster answering the STARTTLS
negotiation.
Are other protocols for fetching mail better
in security?
David Caldwell <address@hidden> wrote:
Modern POP/IMAP clients tend to have a checkbox or a setting to require
SSL/TLS when connecting. If the protocol doesn't start TLS (and isn't
connected to an SSL port) then it is considered a connection error. This
setting is configured up-front, at the same time that the user
configures the server name and port. In this day and age it might make
sense to have such a checkbox default to "on".
That makes sense -- if STARTTLS in POP3 is fundamentally adequate.
But if Kastrup is right, that isn't so.
--
Dr Richard Stallman
President, Free Software Foundation
51 Franklin St
Boston MA 02110
USA
www.fsf.org www.gnu.org
Skype: No way! That's nonfree (freedom-denying) software.
Use Ekiga or an ordinary phone call.