[OT] Secure connection to email servers?
Joerg Sonnenberger
joerg at britannica.bec.de
Sat Oct 8 17:05:38 PDT 2005
On Sat, Oct 08, 2005 at 04:17:36PM -0700, walt wrote:
> Background: I have free email accounts with myrealbox.com
> and gmail.com. Both organizations provide TLS connection
> to outgoing (SMTP) servers, and SSL connection to incoming
> (POP/IMAP) servers.
>
> My questions:
>
> 1. Why use two different protocols instead of one?
TLS is effectively SSLv3, but without the name from Netscape.
> 2. Does the use of secure connections make the 'secure
> authentication' protocol irrelevant? (I notice that
> my password never appears in the clear in either
> direction, even though I don't use 'secure auth'.)
Depends. You have two kinds of authentication mechanisms: clear text
transmission and hash transmission. Both have advantages and
disadvantages, e.g. for clear text transmission you normally don't have
to store the password itself in clear text (but can use something like
the md5 hash). For the hash transmission, the server has to store the
password unencrypted, but the protocol itself is more resilient to
replay attacks.
Joerg
More information about the Users
mailing list