<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body><div><div>On Apr 26, 2013, at 2:27 PM, "Ron Frazier (ALE)" &lt;<a href="mailto:atllinuxenthinfo@techstarship.com">atllinuxenthinfo@techstarship.com</a>&gt; wrote:</div><br><blockquote type="cite">For the pop server on port 995, the authentication options are:<br><br>- plain (this is selected)<br>- cram-md5<br></blockquote></div><br><div>This is where an understanding of the underlying protocols, and security in general, would be helpful.</div><div><br></div><div>Services which communicate via SSL do so through a virtualized network connection, tunneled through the SSL libraries at either end. The SSL libraries can communicate directly with the operating system socket implementation, or they can operate using memory buffers; either way, all plaintext communication enters the tunnel on one side, and is extracted on the other as plaintext.</div><div><br></div><div>STARTTLS, which is a common extension to plaintext services such as POP3, SMTP and IMAP running on their standard ports, is a mechanism that allows servers to negotiate a secure connection, but not open a connection in a secure mode by default. 
Often services that are running on such ports today disallow anything but security negotiation on that port, and only allow authentication after the connection has been made secure. This usually involves the client sending a signal to the server telling it that it wishes to begin secure communications, by issuing a STARTTLS command, and then the server replies in the affirmative and both ends switch to communicating through their respective SSL library interfaces for the duration of the connection.</div><div><br></div><div>"Plain" authentication is very frequently the only option that SSL-enabled systems provide. In fact, servers that <i>only</i> understand the plain authentication mechanism will typically disable authentication entirely over insecure channels as more-or-less described above, effectively eliminating insecure plaintext authentication over the public Internet. Other options may be supported by the server, but that varies on a server-by-server basis. The <b>only</b> mechanism that is required on both sides is "plain" authentication, per the standards.</div><div><br></div><div>So, yes, you're sending plaintext authentication credentials <i>to the server you are talking to</i>, but because SSL provides both confidentiality and connection integrity, that means that it <i>is not plaintext when on the wire</i>. And for these purposes, that's the key distinction.</div><div><br></div><div>Personally, I am a fan of Kerberos, because the password is <i>never</i> revealed <b>during authentication</b> over the network. The original password is sent in an encrypted form over the network exactly <i>once</i>, and that is during the password change process. After that, the server keeps a copy of the encrypted password, and the protocol makes it possible to verify the shared-secret (password/passphrase) credentials without actually passing them across the network. 
Now <i>that</i> is a secure authentication process---even if session communications are compromised, the user's credentials are not. :-)</div></body></html>
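The STLS exchange and the "authenticate only after the channel is secure" policy described in the reply above, as an added example that is not part of the original message or of any real server: a toy POP3 state machine in Python that advertises STLS while the connection is plaintext, refuses USER/PASS/AUTH until STLS has succeeded, and decodes SASL PLAIN (RFC 4616) on the server side, paired with a client that applies the same rule from its end. The TLS handshake itself is simulated by a flag; a real server would hand the socket to its SSL/TLS library at that point. The account store, the user name and password, and the error strings are constructed for the example (the two STLS replies follow the RFC 2595 sample exchange).

```python
# Added example: toy POP3 AUTHORIZATION-state handler with an STLS gate.
# Not the code of any real server; TLS is represented by a boolean flag.
import base64
import binascii

# Constructed sample account store (username -> password).
USERS = {"alice": "correct horse battery staple"}


def encode_plain(authcid, password, authzid=""):
    """SASL PLAIN initial response: base64(authzid NUL authcid NUL password)."""
    raw = "\0".join([authzid, authcid, password]).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(b64):
    """Reverse of encode_plain; returns (authzid, authcid, password)."""
    fields = base64.b64decode(b64).split(b"\0")
    if len(fields) != 3:
        raise ValueError("malformed PLAIN message")
    return tuple(f.decode("utf-8") for f in fields)


class Pop3Server:
    """Minimal POP3 server model: credentials are accepted only after STLS."""

    def __init__(self, users):
        self.users = users
        self.secure = False        # True once the (simulated) TLS handshake is done
        self.pending_user = None
        self.authenticated = None  # username after a successful login

    def greeting(self):
        return "+OK POP3 server ready"

    def handle(self, line):
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "CAPA":
            caps = ["SASL PLAIN", "UIDL"]
            if not self.secure:
                caps.insert(0, "STLS")  # offer the upgrade only while plaintext
            return "+OK Capability list follows\r\n" + "\r\n".join(caps) + "\r\n."
        if cmd == "STLS":
            if self.secure:
                return "-ERR Command not permitted when TLS active"
            self.secure = True  # real server: run the TLS handshake here
            return "+OK Begin TLS negotiation"
        if cmd == "QUIT":
            return "+OK Bye"
        # Every remaining command carries or leads to credentials: refuse over plaintext.
        if not self.secure:
            return "-ERR Must issue a STLS command first"
        if cmd == "USER":
            self.pending_user = arg
            return "+OK"
        if cmd == "PASS":
            return self._login(self.pending_user, arg)
        if cmd == "AUTH":
            mech, _, initial = arg.partition(" ")
            if mech.upper() != "PLAIN":
                return "-ERR Unsupported mechanism"
            try:
                _authzid, authcid, password = decode_plain(initial)
            except (ValueError, binascii.Error):
                return "-ERR Invalid base64"
            return self._login(authcid, password)
        return "-ERR Unknown command"

    def _login(self, user, password):
        # The server necessarily sees the plaintext password here; what keeps it
        # off the wire is the TLS tunnel, not the PLAIN mechanism itself.
        if user is not None and self.users.get(user) == password:
            self.authenticated = user
            return "+OK Logged in"
        return "-ERR Invalid login"


def client_session(server, user, password, send_stls=True, require_tls=True):
    """Client side of the exchange. Returns (transcript, logged_in)."""
    transcript = [("S", server.greeting())]
    secure = False  # the client's own view of its channel

    def send(cmd):
        transcript.append(("C", cmd))
        reply = server.handle(cmd)
        transcript.append(("S", reply))
        return reply

    caps = send("CAPA")
    if send_stls and "STLS" in caps.split("\r\n"):
        secure = send("STLS").startswith("+OK")  # real client: wrap the socket now
    if require_tls and not secure:
        # Client-side policy: never hand PLAIN credentials to a plaintext channel.
        transcript.append(("C", "(policy) refusing to send credentials over plaintext"))
        send("QUIT")
        return transcript, False
    logged_in = send("AUTH PLAIN " + encode_plain(user, password)).startswith("+OK")
    return transcript, logged_in
```

Running `client_session(Pop3Server(USERS), "alice", USERS["alice"])` yields a transcript of CAPA, STLS, then AUTH PLAIN and "+OK Logged in"; with `send_stls=False, require_tls=False` the client tries to authenticate in the clear and the server answers "-ERR Must issue a STLS command first", which is the behaviour the reply attributes to most SSL-enabled servers today.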