[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: POP3 password in plaintext?

From: Ted Zlatanov
Subject: Re: POP3 password in plaintext?
Date: Thu, 02 Oct 2014 13:04:15 -0400
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/24.4.50 (darwin)

On Thu, 02 Oct 2014 10:58:10 +0900 "Stephen J. Turnbull" <address@hidden> 

SJT> Ted Zlatanov writes:
>> I think you mean `open-network-stream'?

SJT> No, I really do mean "password-read".  Mostly because not all
SJT> protocols demand authentication immediately on opening a stream.  Eg,
SJT> many sites can be accessed with HTTP, will switch to HTTPS without
SJT> authentication of the client, then present an HTML document for
SJT> login.

Clearly that's not possible, because the read password can be used at
any point by the Lisp code; it's just data from that point on. Do you
mean we should be able to send a password directly to a network or
process stream at the C level? That makes a lot of sense to me and
connects to the idea of "secret" data in the Emacs core.

SJT> I think the self-signed cert manager should default to one-time-only
SJT> or a short local expiration (1 hour? 1 day?) even if the cert is
SJT> long-lived.  Self-signature means that the server doesn't care to
SJT> devote much financial resources to security (which may be correlated
SJT> with carelessness concerning other security resources), and it's quite
SJT> possible that some of those will be evil sites, recognized as such by
SJT> user intuition, and I'd prefer to be warned about them on a second
SJT> approach.

That should be a user choice so yes it sounds reasonable, but no I don't
think it should be the default.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]