Just how insecure is imap?
Howdy,
I was just thinking about trying to setup a test imap server for the first time. I opened inetd.conf to un-comment the imap line and noticed this warning:
# Attention: This service is very insecure
Anyone care to explain this?
TIA
----------------------------------------------------
Jonathan Wilson
System Administrator
Cedar Creek Software http://www.cedarcreeksoftware.com
Central Texas IT http://www.centraltexasit.com
On Tuesday 19 June 2001 07:26 pm, Jonathan Wilson wrote:
Howdy,
I was just thinking about trying to setup a test imap server for the first time. I opened inetd.conf to un-comment the imap line and noticed this warning:
# Attention: This service is very insecure
Anyone care to explain this?
TIA
---------------------------------------------------- Jonathan Wilson System Administrator
Cedar Creek Software http://www.cedarcreeksoftware.com Central Texas IT http://www.centraltexasit.com
I asked the same question and all I got was "because it sends usernames/passwords in cleartext". The same can be said for telnet, ftp, and pop3, which are all in that same configuration file w/o the gratuitous warning.
If anyone can expand on why imap is so insecure, please do.
Thanks,
-Steven
Steven Hatfield wrote:
I asked the same question and all I got was "because it sends usernames/passwords in cleartext". The same can be said for telnet, ftp, and pop3, which are all in that same configuration file w/o the gratuitous warning.
If anyone can expand on why imap is so insecure, please do.
Our IMAP server uses SSL, so there is no plaintext.
* Steven Hatfield
I asked the same question and all I got was "because it sends usernames/passwords in cleartext". The same can be said for telnet, ftp, and pop3, which are all in that same configuration file w/o the gratuitous warning.
If anyone can expand on why imap is so insecure, please do.
Because identification is sent in cleartext passwords over the network.
--
Mads Martin Joergensen, http://mmj.dk
"Why make things difficult, when it is possible to make them cryptic and totally illogic, with just a little bit more effort."
-- A. P. J.
I'm not very familiar with imap, but as I understand the problem with it, basically, it works on server (with a semi-permanent connection), where pop3 is used like 'open connection, get mail, close connection'. When opened, an imap connection sends authentication packets multiple times, being nice for a packet sniffer to have a decent chance in grabbing them, whereas pop3 gives more of a random chance.
By the way, you can run pop3 with many security features that disable cleartext passwords (like ssl, ssh-tunneling (only between unices), ...)
You're right, especially telnet or rlogin etc are a serious security breach! I've disabled telnet as much as possible and switched to OpenSSH.
I hope this helps...
Kind regards
Guy
>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
On 20/06/2001, 04:01:01, Steven Hatfield
On Tuesday 19 June 2001 07:26 pm, Jonathan Wilson wrote:
Howdy,
I was just thinking about trying to setup a test imap server for the first time. I opened inetd.conf to un-comment the imap line and noticed this warning:
# Attention: This service is very insecure
Anyone care to explain this?
TIA
---------------------------------------------------- Jonathan Wilson System Administrator
Cedar Creek Software http://www.cedarcreeksoftware.com Central Texas IT http://www.centraltexasit.com
I asked the same question and all I got was "because it sends usernames/passwords in cleartext". The same can be said for telnet, ftp, and pop3, which are all in that same configuration file w/o the gratuitous warning.
If anyone can expand on why imap is so insecure, please do.
Thanks, -Steven
-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq and the archives at http://lists.suse.com
On June 19, 2001 11:01 pm, Steven Hatfield wrote:
I asked the same question and all I got was "because it sends usernames/passwords in cleartext". The same can be said for telnet, ftp, and pop3, which are all in that same configuration file w/o the gratuitous warning.
If anyone can expand on why imap is so insecure, please do.
That is a big thing. Anybody can sniff out your username/password.
This is, of course, doubly-bad due to the fact that IMAP will let you access files in your home directory.
To experiment:
- Enable the IMAP line in inetd.conf
- Open Konqueror to imap://hostname
- Login when it asks
- All of the files in your home directory are there, happily base64 encoded, including private keys, etc.
What I do:
We pretty much banned insecure mail here. Most people used IMAP/SSL. I set up KMail to automatically create ssh tunnels to the mailserver when I check/send mail and I set my mailserver to localhost:<port I set on localhost>.
It's like having a VPN and not worrying ever again about sending mail (relaying) or being behind masq boxes.
--
James Oakley
Engineering - SolutionInc Ltd.
joakley@solutioninc.com
http://www.solutioninc.com
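An added example, not part of the original thread: a Python check of whether an IMAP listener would take a password before any TLS layer is in place, using the STARTTLS and LOGINDISABLED capabilities defined for IMAP in RFC 2595 and RFC 3501. The server lines are constructed samples, and the function names are assumptions of this example.

```python
import re

# SASL mechanisms that hand the password itself to the server, so anyone
# reading an unencrypted connection sees it (base64 is encoding, not secrecy).
PLAINTEXT_SASL = {"PLAIN", "LOGIN"}

def parse_capabilities(line):
    """Extract capability atoms from an untagged CAPABILITY response or
    from a greeting that carries a [CAPABILITY ...] response code."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
         or re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.I))
    return {atom.upper() for atom in m.group(1).split()} if m else set()

def audit_preauth(line, tls_active=False):
    """List the ways a password could cross the wire unencrypted, given the
    capabilities the server announces before authentication."""
    caps = parse_capabilities(line)
    if not caps:
        return ["no capability data: cannot tell what the server accepts"]
    if tls_active:          # implicit TLS (port 993) or after STARTTLS
        return []
    findings = []
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN command accepted without TLS")
    for cap in sorted(caps):
        if cap.startswith("AUTH=") and cap[5:] in PLAINTEXT_SASL:
            findings.append(f"{cap} offered without TLS")
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS upgrade offered")
    return findings

# Constructed sample server lines (not captured from any real host).
SAMPLES = {
    "inetd-style cleartext listener": "* CAPABILITY IMAP4rev1 AUTH=LOGIN",
    "STARTTLS required before login":
        "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, "->", audit_preauth(line) or "no cleartext exposure")
```
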
On June 19, 2001 11:01 pm, Steven Hatfield wrote:
I asked the same question and all I got was "because it sends usernames/passwords in cleartext". The same can be said for telnet, ftp, and pop3, which are all in that same configuration file w/o the gratuitous warning.
If anyone can expand on why imap is so insecure, please do.
That is a big thing. Anybody can sniff out your username/password.
However, a sniffer must be on the same subnet, and if you have DSL/Cable you are vlan'ed out preventing any sniffing. Older dial-in ISP's that use the multi-modem boards are vulnerable to sniffing. I think the biggest security risk for IMAP and POP3 both are the brute force attack risks, which strong passwords can easily defend against.
This is, of course, doubly-bad due to the fact that IMAP will let you access files in your home directory.
To experiment:
- - Enable the IMAP line in inetd.conf
- - Open Konqueror to imap://hostname
- - Login when it asks
- - All of the files in your home directory are there, happily base64 encoded, including private keys, etc.
What I do:
We pretty much banned insecure mail here. Most people used IMAP/SSL. I set up KMail to automatically create ssh tunnels to the mailserver when I check/send mail and I set my mailserver to localhost:<port I set on localhost>.
It's like having a VPN and not worrying ever again about sending mail (relaying) or being behind masq boxes.
--
James Oakley
Engineering - SolutionInc Ltd.
joakley@solutioninc.com
http://www.solutioninc.com
On June 20, 2001 09:35 am, Just Another SuSE User wrote:
However, a sniffer must be on the same subnet, and if you have DSL/Cable you are vlan'ed out preventing any sniffing. Older dial-in ISP's that use the multi-modem boards are vulnerable to sniffing.
Yes, a sniffer must be on the same subnet, but real VLANs are rare. The processing power required to make 2048 VLANs (on an average cable subnet) is very high. The devices to do this are very expensive and VLANs are rare in these environments. The devices act more like switches.
Try running ettercap sometime. This will let you sniff traffic on a switch, which is the same functionality as on your average CMTS.
--
James Oakley
Engineering - SolutionInc Ltd.
joakley@solutioninc.com
http://www.solutioninc.com
Wednesday, June 20, 2001, 2:00:11 PM, James Oakley wrote:
JO> On June 19, 2001 11:01 pm, Steven Hatfield wrote:
I asked the same question and all I got was "because it sends usernames/passwords in cleartext". The same can be said for telnet, ftp, and pop3, which are all in that same configuration file w/o the gratuitous warning.
If anyone can expand on why imap is so insecure, please do.
JO> That is a big thing. Anybody can sniff out your username/password.
JO> This is, of course, doubly-bad due to the fact that IMAP will let you access
JO> files in your home directory.
Sure, but the question still remains: Why is there the warning in inetd.conf about IMAP being insecure, but no warnings for telnet, ftp or pop3? ftp lets you access files in your home directory, and someone could do quite a bit of damage with telnet too.
Olly
participants (8)
- Guy Van Sanden
- James Oakley
- Just Another SuSE User
- Mads Martin Jørgensen
- Oliver Maunder
- Steven Hatfield
- Timothy Reaves
- wilson@claborn.net