[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: POP3 password in plaintext?

From: David Kastrup
Subject: Re: POP3 password in plaintext?
Date: Wed, 01 Oct 2014 15:15:19 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4.50 (gnu/linux)

Richard Stallman <address@hidden> writes:

> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>     Transparent STARTTLS on demand would seem useless against
>     man-in-the-middle attacks.  It's just good against eavesdropping on
>     unintercepted traffic.  And you don't even need to be true
>     man-in-the-middle: you just need to be faster answering the STARTTLS
>     negotiation.
> Are other protocols for fetching mail better
> in security?
> David Caldwell <address@hidden> wrote:
>     Modern POP/IMAP clients tend to have a checkbox or a setting to require
>     SSL/TLS when connecting. If the protocol doesn't start TLS (and isn't
>     connected to an SSL port) then it is considered a connection error. This
>     setting is configured up-front, at the same time that the user
>     configures the server name and port. In this day and age it might make
>     sense to have such a checkbox default to "on".
> That makes sense -- if STARTTLS in POP3 is fundamentally adequate.
> But if Kastrup is right, that isn't so.

My bet is on Kastrup not being right.  But I'd be interested to know

David Kastrup

reply via email to

[Prev in Thread] Current Thread [Next in Thread]