Great Circle Associates Firewalls
(August 1997)
 


Subject: Re: Web Oriented Mail Clients
From: Bob Dedrick <dedrick @ ans . net>
Date: Fri, 8 Aug 1997 09:44:37 -0400 (EDT)
To: dittrich @ cac . washington . edu (Dave Dittrich)
In-reply-to: <Pine . ULT . 3 . 95 . 970807160009 . 18498T-100000 @ red8 . cac . washington . edu> from "Dave Dittrich" at Aug 7, 97 04:14:07 pm

-----BEGIN PGP SIGNED MESSAGE-----

Dave Dittrich wrote:
> 
> > Date: Mon, 4 Aug 1997 08:34:47 -0700 (PDT)
> > From: Alan <alan @ ctrl-alt-del . com>
> > Subject: Re: Web Oriented Mail Clients
> > 
> > On Sat, 2 Aug 1997 Dick_Wall @ stratus . com wrote:
> > 
> > >   The question is ...
> > > 
> > >   I'm getting approached by various groups in my company, that want to
> > > use Web oriented email clients, to access our email servers.  That is,
> > > they want to use the clients from the Internet points, to access servers
> > > on the trusted/internal side of our network.  They'd like us therefore,
> > > to allow http access through the firewall.  We don't allow that now, and
> > > I don't plan to allow it in the future.
> > > 
> > >   Is there a secure means for providing such email access?
> 
> The question is not is the http access secure, but is the *service*
> itself secure.  My answer is NO! Hell, NO!!!
> 
> Take a look at Hotmail's new service:
> 
> 	http://www.hotmail.com/faq.html#q08
> 
> Hotmail now allows you to use their web form to GIVE THEM YOUR POP
> PASSWORD (which is usually the same as your login password) which they
> STORE on their site (and I certainly don't trust them to be very much
> concerned with security over profit).  Then, when you want to get your
> email through their site, your password travels, IN THE CLEAR, from
> their network to your site's POP server to retrieve your email.  You
> may have a (relatively) secure network and can trust POP between your
> clients and servers, but this exposes your password to an entirely
> larger number of subnets, masked behind HTTP.
> 
[more deleted]

Good points, but I think this misses the point of the question, which
seems to be based on a misunderstanding of how clients such as Hotmail
work.

To allow these clients to be used to retrieve email from a POP server on
an internal network, POP2/POP3, not HTTP, need to be allowed
through the firewall.  This is generally not a good idea because these
protocols do not transmit passwords in a secure way.  (Even the APOP
command, which uses a challenge-response method of user authentication,
is vulnerable to a dictionary attack unless the password is well chosen.)

If you do allow POP through your firewall (say to allow users to get
their email from home via their own ISPs using a client like Eudora),
you can't really prevent them from using a service like Hotmail (with 
all the additional exposures Dave points out).  Blocking incoming HTTP 
at the firewall won't do it.  Blocking outgoing HTTP would prevent
users inside the firewall from using these services, but that's
probably not what you're trying to do.

The bottom line is still the same, which is that there's no secure
way to let users use these clients.
- --
Bob Dedrick (dedrick @ ans . net)
ANS Communications, Elmsford, NY US
Tel. +1 (914) 789-5345

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM+siwxisghoX8gdFAQEvDgP8DZXerVSbx1acN9T3bujTtVtGWwYRKV/u
eHJYB7eLbN/zTKCZi1T7A3c7YsbIb0m7k7hp4XfMGM47xEtLWofGoj+2k4OKqEMj
c36zl8Wx4wbt8P4/s4lKiquSf22P7177Tmvdmu3KqrurhdaLtX1YJW89cKx+NQI8
XTB+rUH2L6U=
=9rXB
-----END PGP SIGNATURE-----
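The APOP exchange Bob mentions, as an added illustration that is not part of the original message or the list archive: the RFC 1939 challenge-response computed on both sides, and the check showing that anyone who has seen the greeting and the APOP command can evaluate the same digest over a word list offline, so the exchange is only as strong as the password behind it. The banner, user name, passwords and word list are constructed sample values.

```python
"""APOP (RFC 1939) challenge-response on both sides, and the offline check
that shows why it is only as strong as the password.  Added example; the
banner, user, passwords and word list below are constructed sample values."""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# RFC 1939 greeting timestamp of the form <process-ID.clock@hostname>.
# Constructed value; a real server issues a fresh one on every connection.
SAMPLE_BANNER = "<4711.871000000@pop.example.com>"
BANNER_RE = re.compile(r"<[^<>]+@[^<>]+>")


def apop_digest(banner: str, password: str) -> str:
    """MD5 over the timestamp banner immediately followed by the shared secret."""
    return hashlib.md5((banner + password).encode("ascii")).hexdigest()


def server_greeting(banner: str) -> str:
    """First line the server sends; the banner inside it is the challenge."""
    return "+OK POP3 server ready " + banner


def client_apop(greeting: str, user: str, password: str) -> str:
    """Client side: pull the banner out of the greeting and answer with APOP."""
    match = BANNER_RE.search(greeting)
    if match is None:
        raise ValueError("greeting carries no timestamp; server does not offer APOP")
    return "APOP {} {}".format(user, apop_digest(match.group(0), password))


def server_verify(banner: str, command: str, password_db: Dict[str, str]) -> str:
    """Server side: recompute the digest from the stored secret and compare.
    APOP obliges the server to keep the plaintext password for this purpose."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP":
        return "-ERR syntax error"
    user, digest = parts[1], parts[2]
    secret = password_db.get(user)
    if secret is None or apop_digest(banner, secret) != digest:
        return "-ERR permission denied"
    return "+OK maildrop locked and ready"


def exchange(user: str, password: str, password_db: Dict[str, str],
             banner: str = SAMPLE_BANNER) -> Tuple[str, str, str]:
    """Run one login; return what crossed the wire: greeting, APOP command, reply."""
    greeting = server_greeting(banner)
    command = client_apop(greeting, user, password)
    reply = server_verify(banner, command, password_db)
    return greeting, command, reply


def recoverable_from_wordlist(greeting: str, command: str,
                              wordlist: List[str]) -> Optional[str]:
    """The weakness the message above describes: both lines are visible to an
    observer, and checking a candidate is the same computation server_verify()
    performs, done offline with no rate limit.  Returns the matching candidate,
    or None when the password is not in the list."""
    match = BANNER_RE.search(greeting)
    if match is None:
        raise ValueError("no timestamp in greeting")
    banner = match.group(0)
    digest = command.split()[2]
    for candidate in wordlist:
        if apop_digest(banner, candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    db = {"alice": "summer97"}  # constructed: a password likely to be in a word list
    greeting, command, reply = exchange("alice", "summer97", db)
    for line in (greeting, command, reply):
        print(line)
    print("found in word list:",
          recoverable_from_wordlist(greeting, command, ["password", "summer97"]))
```

The digest changes with every banner, so a captured APOP command cannot simply be replayed against a later connection; what it does not protect is a password that an observer can guess, which is exactly the caveat in the message.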


