[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: POP3 password in plaintext?

From: Stephen J. Turnbull
Subject: Re: POP3 password in plaintext?
Date: Fri, 03 Oct 2014 19:54:35 +0900

Ted Zlatanov writes:

 > SJT> No, I really do mean "password-read".  Mostly because not all
 > SJT> protocols demand authentication immediately on opening a stream.  Eg,
 > SJT> many sites can be accessed with HTTP, will switch to HTTPS without
 > SJT> authentication of the client, then present an HTML document for
 > SJT> login.
 > Clearly that's not possible, because the read password can be used at
 > any point by the Lisp code; it's just data from that point on.

Sure, but most of the sites I access work that way.  The TLS
connection is basically anonymous, and authentication is done over
that connection.  If the site presents a certificate, then you can be
pretty sure it's the right site to give your credentials to, and the
site is happy because it doesn't give you anything but a login screen
until you do give it your credentials, at which point you know the
site and the site knows you and you can do your business together.

 > Do you mean we should be able to send a password directly to a
 > network or process stream at the C level? That makes a lot of sense
 > to me and connects to the idea of "secret" data in the Emacs core.

No, I don't mean anything like that.  That may be the right idea, but
I haven't thought carefully about it.  I'm just telling you that we
can't depend on sites demanding authentication during the connection

reply via email to

[Prev in Thread] Current Thread [Next in Thread]