Date:      22 Jan 2001 03:45:22 -0500
From:      Arcady Genkin <antipode@thpoon.com>
To:        freebsd-questions@FreeBSD.ORG, cjclark@alum.mit.edu
Subject:   Re: imap and pop3 via stunnel (was: UW-IMAP server and secure authentication)
Message-ID:  <87lms42cwt.fsf@tea.thpoon.com>
In-Reply-To: <20010121201750.D10761@rfx-216-196-73-168.users.reflex>
References:  <87hf2s4hb7.fsf@tea.thpoon.com> <20010121154230.Z10761@rfx-216-196-73-168.users.reflex> <87g0ic4ax7.fsf_-_@tea.thpoon.com> <20010121201750.D10761@rfx-216-196-73-168.users.reflex>

"Crist J. Clark" <cjclark@reflexnet.net> writes:

> You are vulnerable to a man-in-the-middle attack the first time you
> connect. There is no way for your computer to know if the machine
> offering the cert at the other end is really who it claims to be. 

Oh, got it.  So the idea is exactly the same as with ssh.  If the only
danger of compromise is at first connect, I can live with it, I guess.

> > I just had a MS Outlook Express user confirm successful POP3 retrieval
> > over SSL.  I'm happy.  The only thing that's bothering me is your
> > phrase about distributing the certificate: I did not send the user
> > anything, he was just able to connect by changing mail server
> > configuration in his mailer.  Was the connection secure in this case?
> 
> Hmmm... Are you sure that he used SSL? I mean Outlook Express security
> leaves much to be desired, but it does not make noise if it gets a
> self-signed cert? Scary. An SSL session is secure with respect to
> sniffing since it is encrypted, but it would be vulnerable to the
> attack described above. If the user did get the real thing, they
> should be secure... as secure as OE will let them be, from now on.

I now had 3 MS OE users report no problem with switching to SSL.  (Two
of them only used pop3s.)  I asked them if OE complained about a
certificate, and it appears that it didn't.  All they had to do was put
a checkmark somewhere in Account Properties or something like that.

OE did report a problem when I specified the wrong server alias when
generating my certificate, though.

Crist, many thanks for your help!
-- 
Arcady Genkin
Don't read everything you believe.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
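The thread above settles on the ssh-style model: a self-signed stunnel certificate is only exposed to a man-in-the-middle on the first connection, provided the client actually remembers what it saw and refuses a different certificate later (which is precisely what Outlook Express does not do when it accepts a self-signed cert silently), and the certificate's CN has to match the server name the clients type in. The script below is an added example, not code from the thread or from stunnel: a POSIX shell pin store that trusts a certificate fingerprint on first use and rejects any later change, plus a CN-versus-hostname check of the kind that made OE complain about the wrong server alias. `check_server` wraps both around `openssl s_client` for a live pop3s port; the hostnames, fingerprints and the `~/.pop3s_known_certs` file name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread): trust-on-first-use pinning for
# a stunnel-fronted pop3s/imaps server, plus a CN-vs-hostname check.
# Hostnames, fingerprints and file names are hypothetical.

# tofu_check HOST FINGERPRINT STORE
#   First connection: record the fingerprint and return 0. This is the one
#   moment an attacker could substitute a certificate, exactly as with a new
#   ssh host key.
#   Later connections: return 0 only if the offered fingerprint equals the
#   recorded one; return 2 on a mismatch so the caller sends no password.
tofu_check() {
    host=$1; fp=$2; store=$3
    [ -f "$store" ] || : > "$store"
    known=$(awk -v h="$host" '$1 == h { print $2; exit }' "$store")
    if [ -z "$known" ]; then
        printf '%s %s\n' "$host" "$fp" >> "$store"
        echo "first use: pinned $host -> $fp"
        return 0
    fi
    if [ "$known" = "$fp" ]; then
        echo "ok: $host matches pinned certificate"
        return 0
    fi
    echo "MISMATCH for $host: pinned $known, offered $fp" >&2
    return 2
}

# cn_matches_host CN HOST
#   0 if CN equals HOST (case-insensitive) or is a single-label wildcard such
#   as *.example.com that covers HOST; 1 otherwise. A certificate generated
#   for the wrong alias fails here, which is the complaint OE raised.
cn_matches_host() {
    cn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$cn" = "$host" ] && return 0
    case "$cn" in
        \*.*)
            suffix=${cn#\*}        # "*.example.com" -> ".example.com"
            label=${host%%.*}      # "mail.example.com" -> "mail"
            [ -n "$label" ] && [ "${host#"$label"}" = "$suffix" ] && return 0
            ;;
    esac
    return 1
}

# check_server HOST [PORT] [STORE]
#   Fetch the certificate the stunnel listener presents (default pop3s, 995),
#   confirm the port really speaks TLS, check the CN, then consult the pin
#   store. Needs the openssl command line tool.
check_server() {
    host=$1; port=${2:-995}; store=${3:-"$HOME/.pop3s_known_certs"}
    command -v openssl >/dev/null || { echo "openssl not found" >&2; return 3; }
    pem=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
          | openssl x509 2>/dev/null) || { echo "no TLS on $host:$port" >&2; return 3; }
    fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
    cn=$(printf '%s\n' "$pem" | openssl x509 -noout -subject -nameopt RFC2253 \
         | sed 's/.*CN=\([^,]*\).*/\1/')
    cn_matches_host "$cn" "$host" || echo "warning: certificate CN '$cn' does not match $host" >&2
    tofu_check "$host" "$fp" "$store"
}

# Usage: ./pin_check.sh mail.example.com 995
if [ $# -ge 1 ]; then
    check_server "$@"
fi
```

Run it once from a network you trust to record the pin, then from anywhere else; a non-zero exit from `tofu_check` means the certificate changed, which is either a deliberate re-keying of stunnel or an interposed server, and the password should not be sent until that is resolved. The CN check is case-insensitive and accepts only a one-label wildcard, matching what mail clients of that era did.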

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?87lms42cwt.fsf>