[Imap-uw] How to read mail without ssl
MRC at CAC.Washington.EDU
Thu Apr 19 09:39:16 PDT 2007
On Thu, 19 Apr 2007, Mark Sirota wrote:
> --On 2007-04-18 6:03 PM -0700 Mark Crispin <MRC at cac.washington.edu> wrote:
>> Note, however, that it is a VERY BAD idea to allow non-SSL logins; doing
>> so is an open invitation to hackers to sniff your system's passwords and
>> crack your system.
> Unless you use GSSAPI, and only GSSAPI, in which case there are no passwords
> to sniff.
No, you just leave an open invitation to hackers to hijack the GSSAPI
authenticated session. It is absolutely trivial to hijack a session that
is not protected via SSL or TLS.
-- Mark --
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
More information about the Imap-uw