BugTraq
APOP vulnerability Apr 02 2007 03:13PM
gaetan leurent ens fr (Gaëtan LEURENT) (1 replies)
Re: APOP vulnerability Apr 03 2007 08:22AM
3APA3A (3APA3A SECURITY NNOV RU) (1 replies)
Re: APOP vulnerability Apr 03 2007 04:18PM
gaetan leurent ens fr (Gaëtan LEURENT) (1 replies)
Re[2]: APOP vulnerability Apr 03 2007 04:50PM
3APA3A (3APA3A SECURITY NNOV RU)
Dear Gaëtan LEURENT,

--Tuesday, April 3, 2007, 8:18:04 PM, you wrote to 3APA3A (at) security.nnov (dot) ru:

GL> I meant practical in the sense that it does work in practice (it's not
GL> an attack needing 2^80 computations or something like that), but I don't
GL> know what are the practical implications of the attack :-)
GL> (to begin with, I don't know if many people are using APOP).

A number of POP3 servers support APOP, but most of them require some
special configuration. And it seems like Mozilla attempts to use APOP if
an APOP banner is present in the server reply and no secure protocol is
configured. So yes, it's used, but mostly as an alternative to
cleartext. Based on the last 115000 sessions' statistics for an ISP's mail
server with CRAM-MD5, APOP and NTLM support, ~7000 mailboxes:

Cleartext: 96.3%
APOP: 2.1%
CRAM-MD5: 1%
NTLM: 0.6%

--
~/ZARAZA http://securityvulns.com/
