I also feel strongly about eliminating desktop modems in our environement.
I enabled plug-gw connections to both services. At this point, they are
still in the proof of concept stage, but work rather nicely. I believe our
users will be willing to give up modems for the tremendous increase in speed.
It also gives us better auditability in the event it is needed. I like
systems to be secure and auditable. I don't like to babysit.
The only valid concern mentioned is passwords being passed in cleartext.
Otherwise I see no objection to allowing these connections if there is a
valid business need.
I know that AOL passes them in cleartext. This is part of the response I
received from a tech support representative at AOL on July 28. Names have
been removed to protect the clueless:
> talked to my System Admin. guy at our site and he tells me that the
> passwords are not sent out encrypted. For what it is worth, he also tells
> me that while breaking open the TCP packets to get at passwords certainly
> is possible, it is harder than it sounds. Someone having physical control
> over one of the routers would have no problem, but for a hacker to install
> software via the net to stiff [sic] out passwords would be very difficult.
Truly sad. I personally would not take the risk mostly because AOL does not
provide me with a personally worthwhile service to justify any risk at all.
We will likely tell our users what the risk is and let them make the same
decision. We may be more strict with AOL accounts payed for by the
Corporation than accounts purchased by individual users. It hasn't been
discussed by management yet. I have *my* recommendations ready.
I somehow don't think AOL will respond to my very polite request to add
password encryption or we would convince all our users to switch to
Compuserve. ;-) Which leads into...
A representative from Compuserve claimed that their passwords ARE encrypted.
However, what does that mean and should they be believed? The password IS
encrypted in some way in the file where it is stored on the user's system. I
do not know if that is what is sent and is therefore subject to replay
attacks or such. I don't know how strong the encryption is or even what
algorithm(s) are used. The support rep couldn't find anybody who knew any of
that information. Well, part of it I can find on my own. Time to break out
the sniffer tomorrow.
Paul M. Cardon - System Officer
Capital Markets Systems - First Chicago NBD Corporation
com - (312) 732-7392
I never give them hell. I just tell the truth and they think it's hell.
- H. Truman
MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e