> Date: Mon, 4 Aug 1997 08:34:47 -0700 (PDT)
> From: Alan <alan @ ctrl-alt-del . com>
> Subject: Re: Web Oriented Mail Clients
>
> On Sat, 2 Aug 1997 Dick_Wall @ stratus . com wrote:
>
> > The question is ...
> >
> > I'm getting approached by various groups in my company, that want to
> > use Web oriented email clients, to access our email servers. That is,
> > they want to use the clients from the Internet points, to access servers
> > on the trusted/internal side of our network. They'd like us therefore,
> > to allow http access through the firewall. We don't allow that now, and
> > I don't plan to allow it in the future.
> >
> > Is there a secure means for providing such email access?

The question is not is the http access secure, but is the *service*
itself secure. My answer is NO! Hell, NO!!!

Take a look at Hotmail's new service:

http://www.hotmail.com/faq.html#q08

Hotmail now allows you to use their web form to GIVE THEM YOUR POP
PASSWORD (which is usually the same as your login password) which they
STORE on their site (and I certainly don't trust them to be very much
concerned with security over profit). Then, when you want to get your
email through their site, your password travels, IN THE CLEAR, from
their network to your site's POP server to retrieve your email. You
may have a (relatively) secure network and can trust POP between your
clients and servers, but this exposes your password to an entirely
larger number of subnets, masked behind HTTP.

Not a very good idea, if you ask me. Who needs to install sniffers
when you just need to break into hotmail.com and steal passwords from
a potential 5,000,000+ (by their own claims) users?

So how the hell do I get that message out to a potential 80,000+ users
who may try to use Hotmail to get "free" email accounts?

If you ask me, this is a very bad idea.

--
Dave Dittrich                       Client Services
dittrich @ cac . washington . edu   Computing & Communications
                                    University of Washington
<a href="http://www.washington.edu/People/dad/">
Dave Dittrich / dittrich @ cac . washington . edu</a>
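
One way a site could find the accounts affected by the exposure described in the message above: flag successful POP logins that arrive from outside the site's own networks, and group them by source address. This is an added example, not part of the original message; the log format, network range, addresses and account names are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: 192.0.2.0/24 (a documentation range) stands in for the site's own network.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed, hypothetical log format (not any real POP daemon's output).
LINE_RE = re.compile(r"pop3 login user=(\S+) host=(\S+) result=(ok|fail)")

# Constructed sample data.
SAMPLE_LOG = """\
1997-08-04 08:01:12 pop3 login user=alice host=192.0.2.17 result=ok
1997-08-04 08:02:40 pop3 login user=bob host=198.51.100.9 result=ok
1997-08-04 08:17:40 pop3 login user=bob host=198.51.100.9 result=ok
1997-08-04 08:03:05 pop3 login user=carol host=203.0.113.5 result=fail
1997-08-04 08:04:51 pop3 login user=dave host=198.51.100.9 result=ok
1997-08-04 08:05:30 pop3 login user=erin host=dialup.example result=ok
"""

def external_pop_logins(log_text):
    """Map each user to the outside IPs that logged in with their POP password."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(3) != "ok":
            continue  # unparsable line or failed login
        user, host = m.group(1), m.group(2)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # host field is not an IP literal: skip rather than guess
        if not any(addr in net for net in TRUSTED_NETS):
            hits[user].add(str(addr))
    return {user: sorted(ips) for user, ips in hits.items()}

def shared_sources(hits, min_users=2):
    """Outside IPs used by several accounts: likely a third-party mail fetcher."""
    by_ip = defaultdict(set)
    for user, ips in hits.items():
        for ip in ips:
            by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) >= min_users}

if __name__ == "__main__":
    hits = external_pop_logins(SAMPLE_LOG)
    for ip, users in shared_sources(hits).items():
        print(f"{ip} fetched mail for {len(users)} accounts: {', '.join(users)}")
```

Accounts reported here have had their POP password cross networks the site does not control, so they are the ones to contact about changing it.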