Password Security

Another issue with email-related communication is password security. Many implementations of the POP3 and IMAP4 mail-retrieval protocols still require users to send their user name and password to the mail server in clear text (that is, not encrypted, and in a form that can be easily observed by someone monitoring network traffic). Clear-text passwords are a bad thing, particularly because they often allow access to resources beyond a POP3 server, like an ISP’s network, a UNIX host, a Windows user account, etc.
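As an added illustration (not part of the original CertiGuide text), the following Python sketch audits the client side of a mail session transcript and reports which logins exposed credentials in clear text. The sample lines are constructed, and the handling of STLS/STARTTLS upgrades and base64-wrapped SASL PLAIN goes slightly beyond the cases named above; the function name is hypothetical.

```python
import base64
import re

# Constructed client-side lines from mail sessions (not real captures).
SAMPLE_POP3 = ["USER alice", "PASS hunter2", "STAT", "QUIT"]
SAMPLE_IMAP = ["a001 LOGIN bob s3cret", "a002 SELECT INBOX"]
SAMPLE_IMAP_TLS = ["a001 STARTTLS", "a002 LOGIN bob s3cret"]
SAMPLE_POP3_PLAIN = ["AUTH PLAIN " + base64.b64encode(b"\0carol\0pw").decode()]

POP3_USER = re.compile(r"^USER\s+(\S+)", re.I)
POP3_PASS = re.compile(r"^PASS\s+\S", re.I)
IMAP_LOGIN = re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+\S", re.I)
AUTH_PLAIN = re.compile(r"^(?:\S+\s+)?AUTH(?:ENTICATE)?\s+PLAIN\s+(\S+)", re.I)
TLS_UPGRADE = re.compile(r"^(?:STLS|\S+\s+STARTTLS)\s*$", re.I)


def find_cleartext_logins(client_lines):
    """Return (mechanism, username) for each login sent before a TLS upgrade.

    Passwords are detected but never returned or logged.
    """
    findings = []
    pending_user = None
    for raw in client_lines:
        line = raw.strip()
        if TLS_UPGRADE.match(line):
            break  # everything after the upgrade is encrypted on the wire
        m = POP3_USER.match(line)
        if m:
            pending_user = m.group(1)
            continue
        if POP3_PASS.match(line):
            findings.append(("POP3 USER/PASS", pending_user))
            continue
        m = IMAP_LOGIN.match(line)
        if m:
            findings.append(("IMAP LOGIN", m.group(1).strip('"')))
            continue
        m = AUTH_PLAIN.match(line)
        if m:
            try:  # base64 is an encoding, not encryption: it decodes with no key
                parts = base64.b64decode(m.group(1), validate=True).split(b"\0")
            except ValueError:
                continue
            if len(parts) == 3:  # authzid, username, password
                findings.append(("SASL PLAIN (base64)",
                                 parts[1].decode("utf-8", "replace")))
    return findings
```

Any non-empty result means the account's password crossed the network readable to anyone monitoring the traffic and should be treated as exposed.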

Microsoft’s answer to this was to create a “Secure Password Authentication” mechanism for POP3 connections to Exchange, which is best described as a version of the NT authentication process with a few enhancements. While it avoids clear text passwords, this “solution” seems to cause other security issues, at least when the Outlook Express client is used for an SPA connection [175]. One way to get around the issue of sending your password in clear text is to forgo using a POP3 or IMAP4 client and instead use your ISP or email provider’s “web mail” connection to send and receive mail via SSL.


 __________________

175. 3APA3A@security.nnov.ru, “Outlook Express and SPA,” http://www.security.nnov.ru/advisories/oespa.asp

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.