Re: pop3/ssl



On Wed, 10 April 09:21 Steffen Klemer wrote:

> > Well, it's not the encrypt all the mail thing that
> > matters to me, really. I don't send any sensitive data
> > over email, much less non-pgp-encrypted ones! I really
> > don't care if someone reads my email, it's not like I'm
> > planning a revolt or anything, heh :) It's just that I
> > sometimes have my laptop plugged in "hostile", so to
> > speak, networks, and I'm not terribly comfortable with
> > sending my shell password (which happens to be the
> > same as pop) in cleartext.
> 
> Ok, that's a real reason!

Another good reason for using SMTP+STARTTLS and POP3 over SSL/TLS is that 
encrypting the message protects only the message content.  Both SMTP and POP3 
may reveal potentially sensitive data to an eavesdropper even when 
transferring an encrypted message.  In the case of SMTP, the sensitive data is 
the reverse path and the recipient list and the initial set of message 
headers.  In POP3 the message headers might still reveal the recipient list.  
To assure complete security, SMTP+STARTTLS must be used on every hop and then 
POP3+SSL/TLS when the MUA downloads the messages.

> Has anybody a clue whether you can tunnel it with ssh or so?

This was discussed a while ago on the list, though it was in the context of 
SMTP.  There is a potential critical race when creating a tunnel that an 
attacker can exploit.  IIRC, no satisfactory conclusion was reached.

Brian



