From owner-freebsd-questions Mon Jan 22 0:45:41 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.thpoon.com (cr103675-a.bloor1.on.wave.home.com [24.42.106.79]) by hub.freebsd.org (Postfix) with SMTP id 504CB37B401 for ; Mon, 22 Jan 2001 00:45:23 -0800 (PST)
Received: (qmail 99552 invoked from network); 22 Jan 2001 08:45:22 -0000
Received: from unknown (HELO tea.thpoon.com) (mail@192.168.1.2) by cr103675-a.bloor1.on.wave.home.com with SMTP; 22 Jan 2001 08:45:22 -0000
Received: from antipode by tea.thpoon.com with local (Exim 3.12 #1 (Debian)) id 14KcbK-00058o-00; Mon, 22 Jan 2001 03:45:22 -0500
To: freebsd-questions@FreeBSD.ORG, cjclark@alum.mit.edu
Subject: Re: imap and pop3 via stunnel (was: UW-IMAP server and secure authentication)
References: <87hf2s4hb7.fsf@tea.thpoon.com> <20010121154230.Z10761@rfx-216-196-73-168.users.reflex> <87g0ic4ax7.fsf_-_@tea.thpoon.com> <20010121201750.D10761@rfx-216-196-73-168.users.reflex>
From: Arcady Genkin
X-Face: 0=A/O5-+sE[Tf%X>rYr?Y5LD4,:^'jaJ!4jC&UR*ZrrK2>^`g22Qeb]!:d;}2YJ|Hq"LHdF OX`jWX|AT-WVFQ(TPhFVak)0nt$aEdlOq=1~D,:\z5QlVOrZ2(H,mKg=Xr|'VlHA="r
Organization: thpoon.com
Mail-Copies-To: never
Date: 22 Jan 2001 03:45:22 -0500
In-Reply-To: <20010121201750.D10761@rfx-216-196-73-168.users.reflex>
Message-ID: <87lms42cwt.fsf@tea.thpoon.com>
Lines: 34
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Channel Islands)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

"Crist J. Clark" writes:

> You are vulnerable to a man-in-the-middle attack the first time you
> connect. There is no way for your computer to know if the machine
> offering the cert at the other end is really who it claims to be.

Oh, got it. So the idea is exactly the same as with ssh. If the only
danger of compromise is at first connect, I can live with it, I guess.

> > I just had a MS Outlook Express user confirm successful POP3 retrieval
> > over SSL. I'm happy. The only thing that's bothering me is your
> > phrase about distributing the certificate: I did not send the user
> > anything, he was just able to connect by changing mail server
> > configuration in his mailer. Was the connection secure in this case?
>
> Hmmm... Are you sure that he used SSL? I mean Outlook Express security
> leaves much to be desired, but it does not make noise if it gets a
> self-signed cert? Scary. An SSL session is secure with respect to
> sniffing since it is encrypted, but it would be vulnerable to the
> attack described above. If the user did get the real thing, they
> should be secure... as secure as OE will let them be, from now on.

I have now had 3 MS OE users report no problem with switching to SSL.
(Two of them only used pop3s.) I asked them if OE complained about a
certificate, and it appears that it didn't. All they had to do was put
a checkmark somewhere in Account Properties or something like that. OE
did report a problem when I specified the wrong server alias when
generating my certificate, though.

Crist, many thanks for your help!
--
Arcady Genkin
Don't read everything you believe.
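The thread above describes two ways a pop3s/imaps client can deal with the self-signed certificate that stunnel presents: record the certificate on first contact and refuse to proceed if it ever changes (the ssh known_hosts idea Crist compares it to, with the unavoidable first-connect window), or hand the certificate to the user out of band so the client can verify it outright. The following script is an added example, not code from the thread or from stunnel, showing both checks in Python's standard library; the host names, the pin-file layout and the byte strings in the demonstration are constructed for illustration.

```python
"""Certificate pinning (trust-on-first-use) and out-of-band CA verification
for a pop3s/imaps endpoint secured with a self-signed stunnel certificate.
Added example; not part of the mailing-list thread or of stunnel itself."""
import hashlib
import json
import socket
import ssl
from pathlib import Path
from typing import Optional


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate as colon-separated hex, the
    form most tools print, so it can be compared by eye or read out by phone."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """host:port -> fingerprint map, optionally persisted as JSON.
    The file format is hypothetical (a known_hosts-style store), not a standard."""

    def __init__(self, path: Optional[str] = None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, port: int, cert_der: bytes) -> str:
        """Return "new", "match" or "mismatch" for the certificate seen."""
        key = f"{host}:{port}"
        seen = fingerprint(cert_der)
        known = self.pins.get(key)
        if known is None:
            # First contact: nothing to compare against, so record what we saw.
            # This is the one moment an impostor cannot be detected unless the
            # fingerprint is confirmed out of band (admin reads it out, etc.).
            self.pins[key] = seen
            self._save()
            return "new"
        if known == seen:
            return "match"
        # A different certificate than last time: do not send credentials.
        return "mismatch"


def fetch_peer_cert(host: str, port: int, timeout: float = 10.0) -> bytes:
    """Open a TLS session the way a pop3s/imaps client does and return the
    server's DER certificate. Chain verification is disabled deliberately:
    a self-signed stunnel certificate can never pass it, and the pin check
    below is what decides whether the session is used."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def connect_pinned(host: str, port: int, store: PinStore) -> str:
    """Fetch the certificate and run the pin check. Only proceed to log in on
    "match", or on "new" once the fingerprint has been confirmed out of band."""
    return store.check(host, port, fetch_peer_cert(host, port))


def verify_with_distributed_cert(host: str, port: int, cafile: str) -> bool:
    """The alternative the thread calls "distributing the certificate": the
    self-signed cert, delivered to the user out of band, becomes the only
    trusted CA, and the TLS library rejects any other cert or hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10.0) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    # Offline demonstration of the three pin outcomes. The byte strings are
    # constructed stand-ins for DER certificates, not real certificates.
    store = PinStore()
    first = b"constructed-der-for-mail.example.org"
    print(store.check("mail.example.org", 995, first))          # new
    print(store.check("mail.example.org", 995, first))          # match
    print(store.check("mail.example.org", 995, b"different"))   # mismatch
```

The demonstration at the bottom runs offline; `connect_pinned` and `verify_with_distributed_cert` need a reachable pop3s (995) or imaps (993) listener. A mail client that, like the Outlook Express described in the thread, shows nothing on a self-signed certificate is in effect doing less than the "new" branch: it never records what it saw, so the "mismatch" case can never fire.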