
Re: how secure is mail and ftp and netscape/IE???

On Wed, Feb 21, 2001 at 03:13:43PM -0500, Steve Rudd wrote:
> 1. How secure is it checking email with Eudora Pro, given they have not yet 
> got ssh or any other system that is secure? Since Outlook has ssh, is it 
> worth switching for that? I use a separate user and password for mail and ftp.

Normal POP/IMAP mail checking is completely vulnerable to sniffing.
However, I believe Eudora supports IMAP over SSL.  I don't actually
*use* Eudora, mind you, but I was told just the other day that it does.

> 2. CuteFTP is not secure yet, but should be soon.

There really isn't any standard secure FTP.  In the case of SSH, you've
got something that's available almost everywhere and has a well defined
protocol.  While there may be SSL-enabled FTP servers or clients, I don't
think there's any standard for interoperability.

> 3. Using Netscape to port to private sections of the website:
> www.abc.com:1020/systemconfig/index.html
> (for example)
> I am asked for a user name and password via Netscape/IE

You could always install an https server in place of the standard
unencrypted http server.  That's the only way to prevent your
username/password from being sent in plaintext.  Note that you'll
probably want to contact a certificate authority (CA) like Verisign or
Thawte and have them handle signing your certificate and stuff.
Otherwise people will get a nasty warning when accessing your https site
(at least, people using decent web browsers).

> Ok all these things are really transmitting my user name and password via 
> plain text with no encryption. If I have sudo installed and a sniffer comes 
> along, they have root access very easily!
> Should I be concerned about using email, ftp and IE ?

Yup.  Especially if you're sending a password that allows access to
sensitive stuff.  Basically, you should just not be doing it in
plaintext.  Secure replacements do exist for most services, and when
they do, you should use them.  When they don't, you should be careful to
set things up so that any usernames/passwords going over the network are
not going to allow access to sensitive data.


| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
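
Added example, not part of the original message: a small audit helper that shows why the logins discussed above (POP3, IMAP, FTP and HTTP Basic authentication without SSL) count as plaintext, by flagging them in captured client lines and reporting only the username and password length. The protocol labels, function name and sample traffic are constructed for illustration.

```python
import base64
import re

BASIC = re.compile(r"^(?:Proxy-)?Authorization:\s*Basic\s+(\S+)", re.I)
IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?$', re.I)
USER_PASS = re.compile(r"^(USER|PASS)\s+(.+)$", re.I)

def find_cleartext_logins(lines):
    """Return (protocol, mechanism, username, password_length) per exposed login.

    `lines` holds (protocol_label, client_line) pairs; the label is an
    assumption supplied by the caller (for example, derived from the port).
    Passwords are never returned, only their length.
    """
    findings, pending_user = [], {}
    for proto, raw in lines:
        line = raw.strip()
        if m := BASIC.match(line):
            try:  # Basic auth is base64(user:password): encoding, not encryption
                decoded = base64.b64decode(m.group(1), validate=True)
            except ValueError:
                continue  # malformed header, nothing recoverable
            user, sep, password = decoded.decode("utf-8", "replace").partition(":")
            if sep:
                findings.append((proto, "HTTP Basic", user, len(password)))
        elif m := IMAP_LOGIN.match(line):
            findings.append((proto, "IMAP LOGIN", m.group(1), len(m.group(2))))
        elif m := USER_PASS.match(line):
            verb, arg = m.group(1).upper(), m.group(2)
            if verb == "USER":
                pending_user[proto] = arg  # POP3 and FTP send the name first
            else:
                user = pending_user.pop(proto, None)
                findings.append((proto, "USER/PASS", user, len(arg)))
    return findings

# Constructed sample traffic (not real credentials)
SAMPLE = [
    ("pop3", "USER steve"),
    ("pop3", "PASS hunter2"),
    ("ftp", "USER webadmin"),
    ("ftp", "PASS s3cret"),
    ("http", "GET /systemconfig/index.html HTTP/1.0"),
    ("http", "Authorization: Basic " + base64.b64encode(b"admin:letmein").decode()),
    ("imap", "a001 LOGIN steve hunter2"),
]

if __name__ == "__main__":
    for finding in find_cleartext_logins(SAMPLE):
        print(finding)
```

Any service that shows up in the output is a candidate for the SSL or SSH replacement described in the reply.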
