Another issue with email-related communication is password security. Many implementations of the POP3 and IMAP4 mail-retrieval protocols still require users to send their user name and password to the mail server in clear text (that is, not encrypted, and in a form that can be read by anyone monitoring network traffic). Clear text passwords are a bad thing, particularly because the same password often grants access to resources well beyond the POP3 server, such as the ISP's network, a UNIX host or a Windows user account.
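To make the point concrete, here is an added example (not part of the CertiGuide text) of what a passive observer on the network can pull out of a POP3 or IMAP4 login. It parses the client side of three constructed sessions: a POP3 USER/PASS login, an IMAP LOGIN command, and an IMAP AUTHENTICATE PLAIN exchange. The third case shows why "encoded" is not the same as "encrypted": SASL PLAIN is only base64, so the password is recovered just as easily. The captures and account names are constructed for illustration.

```python
"""Recover credentials from captured POP3/IMAP4 client traffic.

Added example, not from the CertiGuide text. It does what a passive
sniffer on the wire would do: scan the client's commands for a login.
All captures below are constructed sample data, not real sessions.
"""
import base64
import re
from typing import List, Tuple

# Constructed: client half of a POP3 session using plain USER/PASS.
POP3_CAPTURE = (
    b"USER alice\r\n"
    b"PASS s3cret!\r\n"
    b"STAT\r\n"
    b"QUIT\r\n"
)

# Constructed: client half of an IMAP4 session using the LOGIN command.
# IMAP arguments may be bare atoms or quoted strings.
IMAP_CAPTURE = (
    b"a001 CAPABILITY\r\n"
    b'a002 LOGIN bob "hunter2"\r\n'
    b"a003 SELECT INBOX\r\n"
)

# Constructed: IMAP4 AUTHENTICATE PLAIN. The client answers the server's
# continuation prompt with base64("authzid\0authcid\0password"), which is
# encoding, not encryption.
IMAP_AUTH_PLAIN_CAPTURE = (
    b"a001 AUTHENTICATE PLAIN\r\n"
    + base64.b64encode(b"\0carol\0pa55word") + b"\r\n"
)

_IMAP_STRING = r'"(?:[^"\\]|\\.)*"|\S+'
_IMAP_LOGIN = re.compile(
    r"^\S+\s+LOGIN\s+(" + _IMAP_STRING + r")\s+(" + _IMAP_STRING + r")\s*$",
    re.IGNORECASE,
)
_IMAP_AUTH_PLAIN = re.compile(r"^\S+\s+AUTHENTICATE\s+PLAIN\s*$", re.IGNORECASE)


def _unquote(token: str) -> str:
    """Strip IMAP quoting and backslash escapes from a quoted string."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return re.sub(r"\\(.)", r"\1", token[1:-1])
    return token


def extract_pop3(stream: bytes) -> List[Tuple[str, str]]:
    """Return (user, password) pairs sent with POP3 USER/PASS."""
    creds: List[Tuple[str, str]] = []
    user = None
    for line in stream.decode("ascii", "replace").splitlines():
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            user = arg
        elif cmd.upper() == "PASS" and user is not None:
            creds.append((user, arg))
            user = None
    return creds


def extract_imap(stream: bytes) -> List[Tuple[str, str]]:
    """Return (user, password) pairs from IMAP LOGIN or AUTHENTICATE PLAIN."""
    creds: List[Tuple[str, str]] = []
    lines = stream.decode("ascii", "replace").splitlines()
    i = 0
    while i < len(lines):
        m = _IMAP_LOGIN.match(lines[i])
        if m:
            creds.append((_unquote(m.group(1)), _unquote(m.group(2))))
        elif _IMAP_AUTH_PLAIN.match(lines[i]) and i + 1 < len(lines):
            # The next client line is the base64 SASL PLAIN response.
            i += 1
            try:
                parts = base64.b64decode(lines[i], validate=True).split(b"\0")
                if len(parts) == 3:
                    creds.append((parts[1].decode(), parts[2].decode()))
            except (ValueError, UnicodeDecodeError):
                pass  # not a well-formed PLAIN response; keep scanning
        i += 1
    return creds


if __name__ == "__main__":
    for name, stream, fn in (
        ("POP3 USER/PASS", POP3_CAPTURE, extract_pop3),
        ("IMAP LOGIN", IMAP_CAPTURE, extract_imap),
        ("IMAP AUTHENTICATE PLAIN", IMAP_AUTH_PLAIN_CAPTURE, extract_imap),
    ):
        for user, password in fn(stream):
            print(f"{name}: user={user!r} password={password!r}")
```

Only the client-to-server direction is needed: the server never repeats the password, so an observer who sees one side of the TCP stream already has everything. The same parsing applied to an SSL-wrapped session yields nothing, because the observer sees only ciphertext.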
Microsoft's answer to this was to create a Secure Password Authentication (SPA) mechanism for POP3 connections to Exchange, which is best described as a version of the NT authentication process with a few enhancements. While it avoids sending clear text passwords, this solution appears to introduce other security issues, at least when the Outlook Express client is used for an SPA connection [175]. One way to avoid sending your password in clear text is to forgo the POP3 or IMAP4 client altogether and instead use your ISP's or email provider's web mail interface to send and receive mail over SSL. Where the mail server supports it, connecting the POP3 or IMAP4 client itself over SSL/TLS likewise keeps the credentials from crossing the network in the clear.
[175] 3APA3A@security.nnov.ru, "Outlook Express and SPA", http://www.security.nnov.ru/advisories/oespa.asp
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.