<div dir="ltr">On Fri, Apr 26, 2013 at 11:27 AM, Ron Frazier (ALE) <span dir="ltr"><<a href="mailto:atllinuxenthinfo@techstarship.com" target="_blank">atllinuxenthinfo@techstarship.com</a>></span> wrote:<br><div class="gmail_extra">
<div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><br>
<br>
"Michael B. Trausch" <<a href="mailto:mbt@naunetcorp.com">mbt@naunetcorp.com</a>> wrote:<br>
<br>
>On 04/26/2013 12:50 PM, Ron Frazier (ALE) wrote:<br>
>> So, the question is this. I'm in a coffee shop. I engage the wifi.<br>
>> Immediately, before I bring up my vpn, the email will poll its server<br>
>> for mail. I know that the email will be encrypted once it's logged in.<br>
>> But, I'm wondering if my login credentials are sent in the clear or<br>
>> not. Is there a possibility that someone in the room could hijack my<br>
>> credentials.<br>
>Only if "SSL always" means "SSL only after you've authenticated". Of<br>
>course, such a mechanism would be patently useless. :)<br>
><br>
</div>>More seriously, the answer is no---barring the normal methods one would<br>
<div class="im">>require to break the encryption, such as having the private key, it is<br>
>not going to be snooped.<br>
><br>
>As a side note, you could have confirmed this through an experiment,<br>
>which would have also had the effect of discovery of the information you<br>
>sought aiding in your retention of it. Login to email with a packet<br>
>sniffer running and see what you see when you follow the resulting TCP<br>
>stream. Does it look like random noise? Can you find any of your<br>
>information or your information's patterns in the stream? Probably not,<br>
>since SSL encryption is known to work. :)<br>
><br>
>Or, you could have hit Google and found that secure POP3 on port 995 is<br>
>always encrypted, while POP3 on standard port 110 is in the clear until<br>
>encryption parameters are negotiated, which occurs before user-level<br>
>authentication.<br>
><br>
</div>> --- Mike<br>
><br>
><br>
<br>
Hi Mike T,<br>
<br>
Thanks for the info. I had no easy way to execute a sniffer in the environment I was in since I had only the tablet with me. I have Wireshark on my Windows machine at home, but at home, I'm always on WPA2. I've never figured out how to have one machine snoop on another in that scenario.<br>
<br>
What was bugging me is that the email client has two parameter settings. There is the security option, which is set to SSL always. Then there is the authentication option.<br>
<br>
For the pop server on port 995, the authentication options are:<br>
<br>
- plain (this is selected)<br>
- cram-md5<br>
<br>
For the smtp server on port 465, the authentication options are:<br>
<br>
- automatic<br>
- login (this is selected)<br>
- plain<br>
- cram-md5<br>
<br>
On Eudora, the options are somewhat different. Security is set to ssl/tls. Then, there is a checkbox that simply says use secure authentication. That check box is off for both pop and smtp. Port numbers are the same as above.<br>
<br>
So, the way the menus are presented made me wonder if the login sequence is not secure. I've tried turning the secure authentication checkbox on in Eudora, but the email fails to work then. I haven't tried all the other options on the k9 program. I have also tried googling around some in the past to figure out what all this means and how and why it should be set a certain way, but haven't had success.<br>
<br>
So, if the email is, in fact, fully secure at all times, whether I'm running a vpn or not, then that's good to know.<br>
<div class="HOEnZb"><div class="h5"><br>
Sincerely,<br>
<br>
Ron<br></div></div></blockquote><div><br></div><div style>"Secure authentication" is the choice of authentication mechanisms that do not expose plaintext credentials even over an unencrypted channel. CRAM-MD5 is the "commonly" supported choice there.</div>
<div style><br></div><div style>One note about CRAM-MD5 is that it requires the server store plaintext passwords... so CRAM-MD5 was from a time (maybe we're still there for some providers) when transport security was a bigger deal than storage security. </div>
</div><br clear="all"><div><br></div>-- <br>David Tomaschik<br>OpenPGP: 0x5DEA789B<br><a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br><a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>
</div></div>
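<div>The difference between the "plain" and "cram-md5" options discussed in this thread, as an added example that is not part of the original messages: it builds a SASL PLAIN token and a CRAM-MD5 response (RFC 2195) and shows why the server side of CRAM-MD5 needs the password in recoverable form. Function names are hypothetical; the sample user, password and challenge are the published RFC 2195 example values.</div>

```python
import base64
import hashlib
import hmac

# Sample values from the worked example in RFC 2195 (not from this thread).
RFC_USER = "tim"
RFC_PASSWORD = "tanstaaftanstaaf"
RFC_CHALLENGE_B64 = base64.b64encode(
    b"<1896.697170952@postoffice.reston.mci.net>").decode()


def plain_token(user: str, password: str) -> str:
    """SASL PLAIN: base64 of NUL + user + NUL + password (empty authzid)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def recover_from_plain(token: str) -> tuple[str, str]:
    """Base64 is an encoding, not encryption: decoding yields the password.
    PLAIN and LOGIN are therefore only private inside SSL/TLS (ports 995/465)."""
    _authzid, user, password = base64.b64decode(token).decode().split("\0")
    return user, password


def cram_md5_response(user: str, password: str, challenge_b64: str) -> str:
    """Client side: HMAC-MD5 keyed with the password over the server's
    one-time challenge. The password itself never crosses the wire."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_verify(stored_password: str, challenge_b64: str,
                    response_b64: str) -> bool:
    """Server side: the HMAC must be recomputed with the same key, so the
    server has to hold the shared secret in recoverable form. A salted
    one-way hash of the password cannot be used for this check."""
    _user, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    expected = hmac.new(stored_password.encode(),
                        base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    print("PLAIN decodes to:", recover_from_plain(plain_token(RFC_USER, RFC_PASSWORD)))
    resp = cram_md5_response(RFC_USER, RFC_PASSWORD, RFC_CHALLENGE_B64)
    print("CRAM-MD5 response:", base64.b64decode(resp).decode())
    print("server accepts:", cram_md5_verify(RFC_PASSWORD, RFC_CHALLENGE_B64, resp))
```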