Demon WebMail Service


Terry Simpson
Mar 12, 2002, 1:28:45 PM

I am delighted with the new Demon Webmail service particularly with the
ability to reply and to sort by date. I have the following suggestions:

1. I am not sure what the 'Check to view mail for all users' does. If you
leave the username blank, it appears to do this anyway. Does it have another
function?

2. It would be nice if the result list was started further up the screen.

3. 'Sort mail by' is a truly welcome feature. It could be implemented more
directly for the user by clicking on column headings. You could use
forward/reverse direction arrows (à la MS Windows Explorer, MS Outlook). It
would also be nice to have the selected sort column highlighted. The drop
down list box could then be removed.

4. The date in the result list is in European format. For those of us who
keep switching between US and European formats, it is difficult to remember
which interface uses which format. A solution would be to show months as 3
letter text: 'mmm'.

5. It would also be nice to have day of the week 'ddd'. This can be very
useful in email.

6. It would also be nice to have the time of day. If you used the sequence
(but not the entire specification) of ISO8601, you could then have 'yy mmm d
ddd hh:mm'.

7. The centre alignment takes a little getting used to. Would you consider
left alignment?

8. 'Next' is to the right of 'Previous' which is not contiguous with
sequences starting at the left and increasing to the right. Would you
consider putting 'Next' to the left of 'Previous'?

Anyway, all comments meant to help. Congratulations on this new service.


James Coupe
Mar 12, 2002, 2:27:32 PM

In message <1015957734.25134....@news.demon.co.uk>, Terry Simpson <ne...@connected-systems.com> writes:
>I am delighted with the new Demon Webmail service particularly with the
>ability to reply and to sort by date. I have the following suggestions:
>
>1. I am not sure what the 'Check to view mail for all users does'. If you
>leave the username blank, it appears to do this anyway. Does it have another
>function?

Probably to provide an obvious way to do this for the inexperienced?

--
James Coupe Oh, the poor folks hate the rich folks,
PGP 0x5D623D5D And the rich folks hate the poor folks.
EBD690ECD7A1FB457CA2 All of my folks hate all of your folks,
13D7E668C3695D623D5D It's American as apple pie.

ch...@metric.org.uk
Mar 12, 2002, 2:45:47 PM

On Tue, 12 Mar 2002 18:28:45 -0000, "Terry Simpson"
<ne...@connected-systems.com> wrote:

>I am delighted with the new Demon Webmail service particularly with the
>ability to reply and to sort by date. I have the following suggestions:
>
>1. I am not sure what the 'Check to view mail for all users does'. If you
>leave the username blank, it appears to do this anyway. Does it have another
>function?
>
>2. It would be nice if the result list was started further up the screen.
>
>3. 'Sort mail by' is a truly welcome feature. It could be implemented more
>directly for the user by clicking on column headings. You could use
>forward/reverse direction arrows (ala MS Windows Explorer, MS Outlook). It
>would also be nice to have the selected sort column highlighted. The drop
>down list box could then be removed.
>
>4. The date in the result list is in European format. For those of us who
>keep switching between US and European formats, it is difficult to remember
>which interface uses which format. A solution would be to show months as 3
>letter text: 'mmm'.
>
>5. It would also be nice to have day of the week 'ddd'. This can be very
>useful in email.
>
>6. It would also be nice to have the time of day. If you used the sequence
>(but not the entire specification) of ISO8601, you could then have 'yy mmm d
>ddd hh:mm'.

Amen. Would resolve 4. as well.

Chris

--
UK Metric Association: http://www.metric.org.uk/

Will Dean
Mar 12, 2002, 4:19:31 PM

"Terry Simpson" <ne...@connected-systems.com> wrote in message
news:1015957734.25134....@news.demon.co.uk...

>
> 1. I am not sure what the 'Check to view mail for all users does'. If you
> leave the username blank, it appears to do this anyway. Does it have another
> function?

Isn't it that you need to put in a username if you're going to reply, so you
then need the checkbox to see all the mail?

My would-be-nice is that you don't seem to be able to use the back button to
get from a message back to the inbox.

But it's _great_ to have write access at last...

Will

John Underwood
Mar 12, 2002, 5:07:48 PM

On Tue, 12 Mar 2002 at 18:28:45, Terry Simpson wrote in demon.service
(Reference: <1015957734.25134....@news.demon.co.uk>)


>Anyway, all comments meant to help. Congratulations on this new
>service.

You forgot to mention the really great advantage which, by a very long
way, makes the new webmail service outstanding in my consciousness.

Now anyone who gets hold of your POP3 password can send mail in your
name. Of course this has always been possible with other ISPs; now Demon
has removed that final barrier which allows people to criticise it for
not being like the rest.

Please note that any mail appearing to be from me which uses my demon
hostname is a forgery.
--
John Underwood
Use the Reply To: address for the next 30 days
After that write to jo...@the-underwoods.org.uk
Do not send anything to the From: address

John Underwood
Mar 12, 2002, 5:12:26 PM

On Tue, 12 Mar 2002 at 21:19:31, Will Dean wrote in demon.service
(Reference: <1015967972.15162....@news.demon.co.uk>)


>But it's _great_ to have write access at last...

Yes, and so many people can use it too. Have you taken account of the
need for greater vigilance than before over the potential misuse of your
POP3 password? For example, is recorded into your office system so that
you can collect private mail? Now you will need to remove it unless it
is under your control - which means you probably won't be able to
receive mail that way. Of course you don't need to, you've got webmail.
Bully for you, it doesn't meet my needs and has stopped me using the
methods that do either with the same ease or, in some cases, at all.

Web mail is available elsewhere, what Demon have just destroyed isn't.

Anthony
Mar 12, 2002, 5:33:51 PM

On Tue, 12 Mar 2002 22:07:48 +0000, in demon.service John Underwood
<ab...@the-underwoods.org.uk> wrote:

>
>Now anyone who gets hold of your POP3 password can send mail in your
>name. Of course this has always been possible with other ISPs, now Demon
>has removed that final barrier which allow people to criticise it for
>not being like the rest.
>
>Please note that any mail appearing to be from me which uses my demon
>hostname is a forgery.

People have always been able to send mail in any Demon subscriber's
name, providing they have the technical knowledge to do so, which is
why so many Demon customers have been affected by the spate of forged
UBE and resultant bounce messages.

Having just checked, one thing this new tool does is append false rDNS
information to the true IP address one uses to connect to the webmail
interface. It is an interesting aspect of the service, since I
suspect some ISPs' abuse desks may interpret that as header forgery.

--
Anthony
ant...@catfish.demon.co.uk

Will Dean
Mar 12, 2002, 5:54:51 PM

"John Underwood" <ab...@the-underwoods.org.uk> wrote in message
news:9NAOQtIK...@MID.the-underwoods.org.uk...

>
> Yes, and so many people can use it too.

I don't understand that.

> Have you taken account of the
> need for greater vigilance than before over the potential misuse of your
> POP3 password?

What, now people can send mail on my behalf? When before they needed a
different password to do that.

> For example, is recorded into your office system so that
> you can collect private mail? Now you will need to remove it unless it
> is under your control - which means you probably won't be able to

None of that makes a jot of sense to me. There must be a word missing from
the first sentence?

> receive mail that way. Of course you don't need to, you've got webmail.
> Bully for you, it doesn't meet my needs and has stopped me using the
> methods that do either with the same ease or, in some cases, at all.

I really don't follow any of this. What method did you use to use that's
now not available?

> Web mail is available elsewhere, what Demon have just destroyed isn't.

I'm completely lost. Is this just a high-octane HTML purity rant?

Will


Denis Mcmahon
Mar 12, 2002, 6:21:15 PM

"Terry Simpson" <ne...@connected-systems.com> wrote:

>I am delighted with the new Demon Webmail service particularly with the
>ability to reply and to sort by date. I have the following suggestions:
>
>1. I am not sure what the 'Check to view mail for all users does'. If you
>leave the username blank, it appears to do this anyway. Does it have another
>function?

If you leave the username blank, any compositions or replies are sent
"from: postm...@host.dcu"

If you put a name in and check the box, you still see all mail, but
anything you send is "from: <name>@host.dcu"

Rgds
Denis
--
Denis McMahon / +44 7802 468949 / de...@pickaxe.demon.co.uk
Top-posters, posters of adverts & binaries are scum. Killfile!
Block [a.b.*.*] of any UC/BE relay. Posts > 100 lines ignored.
sulfnbk is not a virus, see the symantec virus encyclopaedia!

John Underwood
Mar 12, 2002, 6:21:34 PM

On Tue, 12 Mar 2002 at 22:33:51, Anthony wrote in demon.service
(Reference: <l60t8uc33upe4da64...@4ax.com>)


>People have always been able to send mail in any Demon subscriber's
>name, providing they have the technical knowledge to do so, which is
>why so many Demon customers have been affected by the spate of forged
>UBE and resultant bounce messages.

And anyone who knows what they are doing can see instantly that the
messages to which you refer are forgeries. I am talking here about
people sending out email in my name from my account and from a Demon
machine. Nobody has been able to do that before without knowledge of the
dial up password. Now they can with the POP3 password.

For years we have been told that the two passwords are needed because
the POP3 password is not sufficiently secure. Now we have the insecurity
thrust upon us. All I ask is the ability to turn the webmail sending
off. Otherwise I compromise my security in this respect by posting from
another host.

Meanwhile, I will never miss the opportunity to say that any message
sent under my Demon host is a forgery. I will not use it for any
outgoing mail.

John Underwood
Mar 12, 2002, 6:28:41 PM

On Tue, 12 Mar 2002 at 22:54:51, Will Dean wrote in demon.service
(Reference: <1015975173.19526....@news.demon.co.uk>)


>"John Underwood" <ab...@the-underwoods.org.uk> wrote in message
>news:9NAOQtIK...@MID.the-underwoods.org.uk...
>>
>> Yes, and so many people can use it too.
>
>I don't understand that.
>

Anyone who obtains your POP3 password can send mail in your name by
logging in to the web mail system.

>> Have you taken account of the
>> need for greater vigilance than before over the potential misuse of your
>> POP3 password?
>
>What, now people can send mail on my behalf? When before they needed a
>different password to do that.

You needed a different password to access POP3 in order to read mail by
POP3 from a different system than Demon or to access your web mail.

The different password was required because the POP3 password is sent in
plain text across the Internet and, therefore, is vulnerable. Previously
you could only send mail using your login password which is sent
straight to the Demon system. Now anyone with your POP3 password can
send mail from your web mail service.

>
>> For example, is recorded into your office system so that
>> you can collect private mail? Now you will need to remove it unless it
>> is under your control - which means you probably won't be able to
>
>None of that makes a jot of sense to me. There must be a word missing from
>the first sentence?

It is as I meant. If you want your mail to be secure, you must not leave
your POP3 password anywhere where someone other than yourself can see
it. In the past it was probably safe to leave it on an office system
(i.e. where you work) since the worst that could happen would be people
read your mail. Now they can send mail on your behalf.

>
>> receive mail that way. Of course you don't need to, you've got webmail.
>> Bully for you, it doesn't meet my needs and has stopped me using the
>> methods that do either with the same ease or, in some cases, at all.
>

I mean that if you adopt the new enforced security, you will lose the
flexibility you used to have, perhaps not being able to use POP3 from
other systems than your own.

>I really don't follow any of this. What method did you used to use that's
>now not available?
>

I dare not use my POP3 passwords where it may be discovered.

That is a restriction on what I have been doing and unnecessary. If I
were allowed to disable web mail sending there would be no problem, but
it is a compulsory part of the Demon "service" even though I don't want it
- and want its side-effects even less.

>> Web mail is available elsewhere, what Demon have just destroyed isn't.
>
>I'm completely lost. Is this just a high-octane HTML purity rant?
>

Well don't worry about it, I am concerned about my security, you
obviously aren't. I am, however, concerned about yours, even if you can't
understand that you have a problem. And yes, you do have a problem and
you think it is a good idea.

ric...@startide.demon.co.uk
Mar 12, 2002, 6:46:51 PM

John Underwood <ab...@the-underwoods.org.uk> wrote in
news:sDdqDqN+...@MID.the-underwoods.org.uk:

> On Tue, 12 Mar 2002 at 22:33:51, Anthony wrote in demon.service
> (Reference: <l60t8uc33upe4da64...@4ax.com>)
>
>

> For years we have been told that the two passwords are needed because
> the POP3 password is not sufficiently secure. Now we have the insecurity
> thrust upon us. All I ask is the ability to turn the webmail sending
> off. Otherwise I compromise my security in this respect by posting from
> another host.

Given that your POP3 password is transmitted over a 128-bit SSL encrypted
connection, why do you consider it insecure? (Of course if you're using
the un-encrypted version then you have only yourself to blame).


--
I think I'm paranoid and complicated. I think I'm paranoid, manipulated

Richard Lavey : richard(a)startide(d)demon(d)co(d)uk

Will Dean
Mar 12, 2002, 6:50:59 PM

"John Underwood" <ab...@the-underwoods.org.uk> wrote in message
news:fzomfDOp...@MID.the-underwoods.org.uk...

>
> You needed a different password to access POP3 in order to read mail by
> POP3 from a different system than Demon or to access your web mail.
>
> The different password was required because the POP3 password is sent in
> plain text across the Internet and, therefore, is vulnerable.

Not if you're using the webmail website, it isn't.

>
> It is as I meant.

> >>For example, is recorded into your office system so that


> >> you can collect private mail?

Really?

> If you want your mail to be secure, you must not leave
> your POP3 password anywhere where someone other than yourself can see
> it. In the past it was probably safe to leave it on an office system
> (i.e. where you work) since the worst that could happen would be people
> read your mail. Now they can send mail on your behalf.

Well, if there are people uninvited in the place where I work, they'll be
receiving the thick end of a baseball bat around their head. If they feel
like summoning aid via email, then I shall be surprised.

> I mean that if you adopt the new enforced security, you will lose the
> flexibility you used to have, perhaps not being able to use POP3 from
> other systems than your own.

Why do you suppose that everyone considers that being able to forge (slightly
more accurately than they could before) outgoing mail is a vastly worse
problem than being able to read incoming mail?

> I dare not use my POP3 passwords where it may be discovered.

So, you consider that there's always been a serious risk of your POP3
password being discovered, but you never minded people reading your incoming
mail.

> That is a restriction on what I have been doing and unnecessary. If I
> were allowed to disable web mail sending there would be no problem, but
> is a compulsory part of the Demon "service" even though I don't want it
> - and want its side-effects even less.

Well, maybe there's a case for a 'disable webmail sending' button on the
webpassword site, but I'd have thought such strongly asymmetric paranoia is
unusual.

> Well don't worry about it, I am concerned about my security, you
> obviously aren't.

You're quite right, I'm not at all concerned about your security.

> I am, however concerned about yours, even if you can't
> understand that you have a problem. And yes, you do have a problem and
> you think it is a good idea.

I don't have a problem. My POP3 password has never been exposed, and I
don't consider that the new risk of slightly improved forgery in my name is
realistic.

I think if I used email for things where I considered the hazards arising
from forgery were very serious, I would use some better method of
signing/repudiation than was ever offered by Demon's mail system.

Will


John Underwood
Mar 12, 2002, 7:17:44 PM

On Tue, 12 Mar 2002 at 23:50:59, Will Dean wrote in demon.service
(Reference: <1015977060.20297....@news.demon.co.uk>)


>So, you consider that there's always been a serious risk of your POP3
>password being discovered, but you never minded people reading your
>incoming mail.

That is a distortion of what I said. I do mind people reading my mail,
and should I discover that they had done so, in spite of my precautions,
I would change the password. What I have said is that that compromise is
trivial compared with the consequences of them being able to write mail
in my name. That must be prevented with far more care, the consequences
are far greater. That is why the extra precautions imposed by the
"improved" webmail are a burden.

I have a problem, it exists. Why do you find the need to try and tell me
I don't have one? I think it affects you, but you don't care, that is up
to you, and I may be wrong. If you advise me not to worry about this
will you take the responsibility for the consequences of that?

If not, prove that there is no risk or stop pontificating on how others
should live their lives.

And just because you don't understand what I am saying does not mean I
am wrong so stop digging that hole.

John Underwood
Mar 12, 2002, 7:21:34 PM

On Tue, 12 Mar 2002 at 23:46:51, wrote in demon.service
(Reference: <Xns91CFF1A7310...@158.152.254.74>)


>Given that your POP3 password is transmitted over a 128-bit SSL
>encrypted connection, why do you consider it insecure ? (Of course if
>you're using the un-encrypted version then you have only yourself to
>blame).


It isn't. Whenever I collect mail from Demon using POP3 from any machine
in the world it is sent in clear text across the Internet.

This is the point I am making. Either I stop using POP3 to collect mail
when away from home or my mail is insecure. This is not a choice I have
any ability to make. I can't turn off web mail.

I do not have myself to blame for using POP3 across the Internet, I do
blame Demon for making that a risky business by providing the means to
misuse a compromised POP3 password.

Why is everyone here suddenly an advocate for Demon? They have made a
stupendous mistake and introduced a security risk and all of a sudden,
the population of demon.service defend them.

Greg
Mar 13, 2002, 3:49:07 AM

On Tue, 12 Mar 2002 23:21:34 +0000, John Underwood
<ab...@the-underwoods.org.uk> wrote:

>For years we have been told that the two passwords are needed because
>the POP3 password is not sufficiently secure.

Do you mean that a mail client using POP3 to read mail is sending the
password to the server unencrypted so it can be intercepted? I
certainly hope that's not the case as it means our business email is
wide open 8-(.

Can we have some clarification about this from the Demon staff please?

Greg

Richard Clayton
Mar 12, 2002, 8:33:57 PM

In article <h54u8usrv32h20t2e...@4ax.com>, Greg <greg@n-o-s-p-a-p.voyager10.demon.co.uk> writes

>On Tue, 12 Mar 2002 23:21:34 +0000, John Underwood
><ab...@the-underwoods.org.uk> wrote:
>
>>For years we have been told that the two passwords are needed because
>>the POP3 password is not sufficiently secure.
>
>Do you mean that a mail client using POP3 to read mail is sending the
>password to the server unencrypted

yes

>so it can be intercepted ?

pretty unlikely in most environments, but if you're concerned about a
particular location, then reading your email via the web interface would
avoid this problem

>. I
>certainly hope that's not the case as it means our business email is
>wide open 8-(.

if that is your concern then you presumably have it all encrypted (or do
you have a very specific threat model in mind, rather than the general
notion that many things are not encrypted because the current level of
risk is extremely low for almost everyone ?)

--
richard Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin

Denis Mcmahon
Mar 12, 2002, 9:13:21 PM

Greg <gr...@n-o-s-p-a-p.voyager10.demon.co.uk> wrote:

>On Tue, 12 Mar 2002 23:21:34 +0000, John Underwood
><ab...@the-underwoods.org.uk> wrote:
>
>>For years we have been told that the two passwords are needed because
>>the POP3 password is not sufficiently secure.
>
>Do you mean that a mail client using POP3 to read mail is sending the
>password to the server unencrypted so it can be intercepted ?. I
>certainly hope that's not the case as it means our business email is
>wide open 8-(.

Are you accessing this business mail on a demon server using demon
connectivity?

If so, this password is only passing over demon equipment, and if
someone at demon with the ability to intercept traffic at the packet
level wishes to subvert your business emails, they are probably in a
position to do so whether they have your pop3 password or not!

Brian {Hamilton Kelly}
Mar 12, 2002, 10:01:55 PM

In article <h54u8usrv32h20t2e...@4ax.com>
gr...@n-o-s-p-a-p.voyager10.demon.co.uk "Greg" writes:

> On Tue, 12 Mar 2002 23:21:34 +0000, John Underwood
> <ab...@the-underwoods.org.uk> wrote:
>
> >For years we have been told that the two passwords are needed because
> >the POP3 password is not sufficiently secure.
>
> Do you mean that a mail client using POP3 to read mail is sending the
> password to the server unencrypted so it can be intercepted ?. I
> certainly hope that's not the case as it means our business email is
> wide open 8-(.

Except with such services as https, or SSL, *all*[1] passwords pass
between client and server in the clear. If you are collecting your mail,
using POP3, from the Demon server whilst dialled in on your Demon dial-up
link then this should not be a problem, because the only people that
could possibly "sniff" that password off any part of the network would be
Demon employees (and they probably have other mechanisms which /could/
permit them to access the mailspool). [I'm uncertain as to whether a
caveat should be included here for those using ADSL, since I believe at
least part of the route passes over BT Ignite's IP network before
entering Demon's.]

However, if you connect to Demon's POP3 server whilst connected through
some other ISP, or (like myself) through JANET, or whatever, then that
POP3 password could be grabbed as it passes through any of those other
networks, possibly by people that do not have contracts of employment
with Demon that would permit their being disciplined for accessing your
mail.

This has always been the case; there are other authentication methods for
some services, or encryption of the traffic, including the password, but
they are not deployed for the POP3 server (and it would be exceedingly
difficult so to provide such a service). It was precisely because a POP3
password is more readily compromised when accessing one's mail from
outwith the Demon network (remember, that network DOES include your
machine when it's connected through a dial-up account [or leased line])
that Demon had the useful safeguard that it had to be different from the
dial-up authentication password, since the latter, if stolen, could be
used to commit widespread abuse that would be indistinguishable from your
having committed such abuse. As has been said, the worst that could
happen with a compromised POP3 password is that someone could read (and
potentially delete) your mail; however, until the advent of this new
service, they couldn't send mail as appearing to originate from you,
except by a crude and readily recognizable forgery.

I tend to agree with John that this is a retrograde step. Why on earth
did none of the "Testers Group" see the yawning security hole; were they
all so enamoured of the prospect of being able to send mail through the
interface that they were blind to any security limitations? Have all the
technically knowledgeable folks that used to belong to the Testers Group
all left Demon since the dissolution of the DSC, and the new breed of
recruits are all blind Windozers?

> Can we have some clarification about this from the Demon staff please
> ?.

I'm not Demon staff; however, it isn't Rocket Science, and the potential
security loopholes are visible to anyone with a modicum of common sense
and knowledge of RFCs.

[1] Well, at least the following:
dial-up password when authenticating connection (but only from
one's dial-up connection, so only from home/office to
[158.152.1.222], which then chit-chats with the RADIUS server
to perform the authentication);
POP3 password when collecting mail with a client program, whether
using one's Demon dial-up or some other ISP/network;
dial-up password when using FTP to upload homepages; remember,
this CAN be done from other networks. ISTR we were promised
the opportunity of setting a different password for such a
use some years ago, but the facility has never materialized;
dial-up password when using FTP to download "BatchFTP"
--
Brian {Hamilton Kelly} b...@dsl.co.uk
"We have gone from a world of concentrated knowledge and wisdom to one of
distributed ignorance. And we know and understand less while being
increasingly capable." Prof. Peter Cochrane, formerly of BT Labs
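Brian's point above (and Greg's question that prompted it) is that a POP3 client hands its password to the server in clear text unless the traffic is encrypted or a different authentication method is used. The following script is an added example for this thread, not code from Demon or from any poster: it audits a POP3 session transcript and reports whether USER/PASS went over the bare connection, inside an STLS tunnel (RFC 2595), or whether the client used APOP (RFC 1939), where only an MD5 digest of the greeting timestamp and the secret is sent. The three transcripts, the mailbox alice and the secret hunter2 are constructed.

```python
"""Audit a POP3 session transcript for clear-text authentication.

Added example (not Demon's code). A transcript holds one protocol line per
text line, prefixed "S: " for the server and "C: " for the client. Lines after
an accepted STLS stand in for what travels inside the TLS tunnel; in a real
capture those bytes are ciphertext and cannot be read this way.
"""
import hashlib
import hmac
import re

# Constructed sample sessions; alice/hunter2 is a made-up mailbox.
CLEAR_SESSION = """\
S: +OK POP3 server ready <1896.697170952@mail.example.net>
C: USER alice
S: +OK
C: PASS hunter2
S: +OK maildrop locked and ready
C: STAT
S: +OK 2 320
C: QUIT
S: +OK bye
"""

STLS_SESSION = """\
S: +OK POP3 server ready <1897.697170960@mail.example.net>
C: STLS
S: +OK Begin TLS negotiation
C: USER alice
S: +OK
C: PASS hunter2
S: +OK maildrop locked and ready
C: QUIT
S: +OK bye
"""

APOP_TIMESTAMP = "<1898.697170970@mail.example.net>"
APOP_SECRET = "hunter2"


def apop_digest(timestamp, secret):
    """RFC 1939 APOP: hex MD5 over the greeting timestamp followed by the secret."""
    return hashlib.md5((timestamp + secret).encode("utf-8")).hexdigest()


def apop_verify(timestamp, secret, presented):
    """Server-side APOP check; constant-time compare of the 32 hex digits."""
    return hmac.compare_digest(apop_digest(timestamp, secret), presented.lower())


APOP_SESSION = f"""\
S: +OK POP3 server ready {APOP_TIMESTAMP}
C: APOP alice {apop_digest(APOP_TIMESTAMP, APOP_SECRET)}
S: +OK maildrop locked and ready
C: QUIT
S: +OK bye
"""

# A greeting that carries <pid.clock@host> advertises APOP support.
TIMESTAMP_RE = re.compile(r"<[^<>]+@[^<>]+>")


def classify_session(transcript):
    """Return how credentials crossed the wire in one POP3 session.

    method: 'clear' (USER/PASS on the bare connection), 'stls' (USER/PASS
    after an accepted STLS), 'apop' (digest only, secret never sent) or None.
    """
    result = {"method": None, "user": None,
              "password_exposed": False, "apop_offered": False}
    greeting_seen = False
    tls_active = False
    awaiting_stls_reply = False
    for raw in transcript.splitlines():
        side, sep, msg = raw.partition(": ")
        if not sep:
            continue
        if side == "S":
            if not greeting_seen:
                greeting_seen = True
                result["apop_offered"] = bool(TIMESTAMP_RE.search(msg))
            elif awaiting_stls_reply:
                tls_active = msg.startswith("+OK")
                awaiting_stls_reply = False
            continue
        verb, _, rest = msg.partition(" ")
        verb = verb.upper()
        if verb == "STLS":
            awaiting_stls_reply = True
        elif verb == "USER":
            result["user"] = rest
        elif verb == "PASS":
            # Record only that a password was sent, never its value.
            result["method"] = "stls" if tls_active else "clear"
            result["password_exposed"] = not tls_active
        elif verb == "APOP":
            result["user"] = rest.partition(" ")[0]
            result["method"] = "apop"
            result["password_exposed"] = False
    return result


def exposed_users(transcripts):
    """Mailboxes whose password crossed the wire in clear text (for a reset)."""
    return sorted({r["user"] for r in map(classify_session, transcripts)
                   if r["password_exposed"] and r["user"]})


if __name__ == "__main__":
    for label, t in [("clear", CLEAR_SESSION), ("stls", STLS_SESSION), ("apop", APOP_SESSION)]:
        print(label, classify_session(t))
    print("exposed:", exposed_users([CLEAR_SESSION, STLS_SESSION, APOP_SESSION]))
```

The first transcript is the situation the thread describes: the server even advertises APOP in its greeting, yet the client sends the password in the clear.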

Stuart Millington
Mar 13, 2002, 3:30:48 AM

On Wed, 13 Mar 2002 03:01:55 GMT, b...@dsl.co.uk (Brian {Hamilton
Kelly}) wrote:

>I tend to agree with John that this is a retrograde step. Why on earth
>did none of the "Testers Group" see the yawning security hole; were they
>all so enamoured of the prospect of being able to send mail through the
>interface that they were blind to any security limitations? Have all the
>technically-knowledgable folks that used to belong to the Testers Group
>all left Demon since the dissolution of the DSC, and the new breed of
>recruits are all blind Windozers?

How do you know whether the issue was raised or not? Only the
testers group and Demon staff know that.

It is an unfair accusation, as no (non-staff) member of the testers
group can comment on what was or was not said within the group without
violating the confidentiality agreement that goes along with being a
member of the group.

If a member says "It was mentioned" they are breaking their
agreement - if they say "It was not mentioned" they are breaking their
agreement. No win. Only a Demon staff member is, AIUI, able to clarify
this.

--
------------------------------------------------------------------
- Stuart Millington -
- mailto:ph...@dsv1.co.uk http://www.z-add.co.uk/ -
- *ALL* HTML e-mail rejected -

John Underwood
Mar 13, 2002, 3:40:16 AM

On Wed, 13 Mar 2002 at 00:49:07, Greg wrote in demon.service
(Reference: <h54u8usrv32h20t2e...@4ax.com>)


>Do you mean that a mail client using POP3 to read mail is sending the
>password to the server unencrypted so it can be intercepted ?. I
>certainly hope that's not the case as it means our business email is
>wide open 8-(.
>
>Can we have some clarification about this from the Demon staff please
>?.

http://www.demon.net/helpdesk/products/mail/index.shtml

Which contains the following (referring to using POP3 when away from
home).

WARNING: You will be sending this password over the Internet in
unencrypted form. If you are concerned that it may have been
compromised, you should change it as soon as possible. It's a good idea
to change your password regularly anyway.

This has been stated and repeated so often by Demon staff and users with
no contradiction that it is unlikely to be false. It is an inherent
feature of POP3 and has always, in my experience, been given by Demon as
the reason they insist on a different password for POP3 if you access it
from anything other than your dial-up. The dial up password is only in
clear on the line between your phone and the Demon servers [1], the POP3
password is sent in clear when submitted through another ISP.

If you are concerned that read access to business mail is at risk if the
POP3 password is compromised, never use POP3 from elsewhere than a Demon
dial up. If you are concerned that anyone should gain access to your
dial up account never use POP3 with any ISP that does not provide a
separate password except when dialling them directly and, if they
provide a second password and then allow people to send mail using it,
don't access POP3 from anywhere other than a direct dial up.

Alternatively, the moment you have used it, rush home and dial up the
Demon web pages and change the POP3 password immediately.

[1] Actually, there is another loophole in that you can use it to change
passwords from anywhere on the Internet, but that is something you can
choose to do without losing or compromising essential services.

John Underwood
Mar 13, 2002, 3:44:21 AM

On Wed, 13 Mar 2002 at 03:01:55, Brian {Hamilton Kelly} wrote in
demon.service
(Reference: <101598...@dsl.co.uk>)


>[I'm uncertain as to whether a caveat should be included here for those
>using ADSL, since I believe at least part of the route passes over BT
>Ignite's IP network before entering Demon's.]

Surely there is no significant difference from the parts of the route
that pass through BT or other telephone providers for an analogue
connection?

James Coupe
Mar 13, 2002, 3:50:03 AM

In message <1015977060.20297....@news.demon.co.uk>, Will Dean <ab...@industrial.demon.co.uk> writes:
>"John Underwood" <ab...@the-underwoods.org.uk> wrote in message
>news:fzomfDOp...@MID.the-underwoods.org.uk...
>> You needed a different password to access POP3 in order to read mail by
>> POP3 from a different system than Demon or to access your web mail.
>>
>> The different password was required because the POP3 password is sent in
>> plain text across the Internet and, therefore, is vulnerable.
>
>Not if you're using the webmail website, it isn't.

If you're using *only* the https:// version, sure.


However, if you packet sniff my POP3 password from normal collection
purposes (which is perfectly possible), you can now send mail in my
name. You never could before.

John Underwood
Mar 13, 2002, 4:21:05 AM

On Wed, 13 Mar 2002 at 03:01:55, Brian {Hamilton Kelly} wrote in
demon.service
(Reference: <101598...@dsl.co.uk>)

>I'm not Demon staff; however, it isn't Rocket Science, and the
>potential security loopholes are visible to anyone with a modicum of
>common sense and knowledge of RFCs.

The risks in most cases are controllable - a customer doesn't have to
use them as a matter of course and knows when they have been used so can
estimate the risk of that particular occasion (which includes choosing
whether to use the dial-up password from elsewhere than Demon).

The exception is the use of the POP3 password. Clearly, if this is used
for accessing mail on any extended trip away from home, the risk is
unavoidable. However, if the consequence of compromise is to allow read
only access to mail, this is not necessarily a grave problem. The normal
dial up is not compromised, the account can't be accessed and mail can't
be sent in the user's name.

The first of these safety measures remains. The second, however, has
been given away. I rarely if ever have a need for cyber cafes, I have
hardly ever needed to access web mail even to read mail - the most
significant stuff is encrypted anyway so there is no point and it can't
be read or written using the web mail service. Indeed, the web mail
service doesn't allow me to send mail using my own domain as the From:
address so I don't have any use for it - except, possibly, in an
emergency when a telephone would probably be quicker, cheaper and
certainly more convenient.

I have, therefore, very little need to take exceptional steps to
guarantee the safety of my POP3 password - it is only placed on machines
I control or know extremely well. Regular changes (which need not be too
frequent in view of the low risk) are probably enough.

Now, without any change in my circumstances, the risk has increased.
There is a need to prevent someone writing mail in my name - not just
doing it using any or no ISP but sending mail using my hostname from a
machine owned and operated by my ISP. This need is orders of magnitude
greater than the need to prevent mere read access.

The consequent precautions may be too expensive to bear - having to
question whether I can risk using my POP3 password anywhere but at home,
for example, would remove much of the purpose of my Internet account.

I do make use of other ISPs, but they are all throw-away accounts and
not used in the normal course of events, moreover, no-one knows that I
use them so mail from me has to be authenticated by other means. There
is a world of a difference when mail may appear to come from me through
my own host at Demon.

I cannot, however, use any ISP which only provides the one password for
POP3 and Dial-up. The cost of another security conscious provider as
Demon used to be will probably be great, but considerably cheaper than
any alternative.

It is my perception of the change in Demon's attitude to security that
is probably more damaging than anything else. They have always, by the
concern they have shown for this dual password, shown a clear understand
of security and the need for it. What else have they changed that this
more obvious insecurity is permitted?

Incidentally, Brian, if you are not a tester, you don't know who is. So
how can you say that those raising the issue here have not already done
so as testers? Clearly this can only be speculation here, but if the
matter were raised by the testers, and then not addressed, Demon would
be doubly damned for incompetence, insecurity or hypocrisy.

John Underwood

Mar 13, 2002, 4:27:45 AM3/13/02
to
On Wed, 13 Mar 2002 at 08:50:03, James Coupe wrote in demon.service
(Reference: <Bky0iaD7...@gratiano.zephyr.org.uk>)


>However, if you packet sniff my POP3 password from normal collection
>purposes (which is perfectly possible), you can now send mail in my
>name. You never could before.

The point is nothing to do with the security or lack of it when
accessing the web site whether http or https. The password is inherently
capable of being compromised whenever it is used for its normal purpose
of accessing (read-only) mail from the POP3 box. Now, without any choice
in the matter, we have the same risk of compromise, merely for the
normal use of POP3, enabling others to send mail. I don't intend to use
web mail, I am very happy that others who do need it can send mail that
way should they so wish.

I now would like to be able to use POP3 for the purpose for which it was
designed. Could Demon, do you think, manage to provide that service
without the risk it presents for mail to be written by a facility I
can't turn off?

And yes, I am repeating myself. Only one of two things will stop me
doing so, Demon coming to its senses or me moving to another ISP who
doesn't kick a loyal customer in the teeth over the issue which has been
more significant than any other in creating the loyalty.

(I doubt whether the balance of my initial ADSL contract is enough
incentive to delay such a move - it would be fascinating to hear Demon
argue in court that this was not a sufficiently big change in the nature
of my contract to warrant unilateral termination).

Greg Middleton

Mar 13, 2002, 5:01:10 AM3/13/02
to
On Wed, 13 Mar 2002 00:49:07 -0800, Greg
<gr...@n-o-s-p-a-p.voyager10.demon.co.uk> wrote:

>Do you mean that a mail client using POP3 to read mail is sending the
>password to the server unencrypted so it can be intercepted ?. I
>certainly hope that's not the case as it means our business email is
>wide open 8-(.
>
>Can we have some clarification about this from the Demon staff please

Thanks for all the helpful replies, with the notable exception of any
statement from Demon themselves about this apparent widening of a
security loophole 8-(.

We are normally accessing via a Demon dialup which I understand is
secure BUT had no idea that we were at risk if anyone uses a non-Demon
dialup to pull their email when overseas. The possibility that someone
could acquire this password and so be able to read our mail is bad
enough, but now they could forge emails from us, a wonderful step
forward Demon.

I take the point about the lack of encryption within emails themselves
but it's completely unrealistic to expect everyone of our many
hundreds of customers and suppliers to install some sort of
encryption.

Greg

Malcolm Muir

Mar 13, 2002, 5:11:05 AM3/13/02
to
On Wed, 13 Mar 2002 08:30:48 +0000, Stuart Millington <ne...@dsv1.co.uk> wrote:

[snip]

> If a member says "It was mentioned" they are breaking their
>agreement - if they say "It was not mentioned" they are breaking their
>agreement. No win. Only a Demon staff member is, AIUI, able to clarify
>this.

To save discussion / embarrassment of testers group members: it was
discussed by the testers prior to launch.

--
Malcolm S. Muir, Sunderland, England
Demon Internet, 322 Regents Park Road, London N3 2QQ

John Underwood

Mar 13, 2002, 5:25:15 AM3/13/02
to
On Wed, 13 Mar 2002 at 10:01:10, Greg Middleton wrote in demon.service
(Reference: <9c8u8ukl0i1vgupu3...@4ax.com>)


>I take the point about the lack of encryption within emails themselves
>but it's completely unrealistic to expect everyone of our many hundreds
>of customers and suppliers to install some sort of encryption.

It isn't that unrealistic, but it is a step many would think (but
probably not find) daunting. Of course, negative and hostile publicity
[1] has damaged the chances of this becoming widespread and the absence
of mail clients that make life easy [2] is not a help. The fact is that
this security problem highlights the lack of envelopes in e-mail. Can
you imagine the steps you would need if the use of envelopes in paper
mail was considered a symbol of deception, fraud and unwarranted
concealment?

The parallel works quite well - you would probably be quite safe sending
information on postcards through the post office, but were part of the
route to go through unknown couriers would you be so happy?

Were a message to be delivered as if from you by the courier, it would
probably not be too much of a problem (parallel - a spoofed address) if,
however, it were clearly carried all the way by the Post Office, then
the deception would be considerably more significant.

In your case, however, should you not be using an SSL web site which, at
least, would allow customers to place orders and give credit card
details with some measure of security.

In my experience, it is not the customers that are the problem - you may
not be able to expect them to have encryption, but it is their data,
rather than yours, which is most at risk. Were I a customer of yours and
need to communicate in confidence by means other than SSL, e.g. to
change the card number for an existing but incomplete transaction (the
card had changed) could you receive my message by PGP?

I have found this problem twice recently, once with a small Internet
order - they couldn't deliver immediately and I lost the card before
they would have presented it. The other was slightly more significant -
Demon would not accept an email, even a signed and encrypted one as
proof that I placed the order, but they would have accepted a FAX since
that, apparently, couldn't be forged whereas email could. [3]

[1] Why do you need encryption, what have you got to hide - or the
suggestion that PGP was responsible for 11 September when it is more
likely to have been a plain text message "kiss the twins on Tuesday" has
not helped.

[2] Turnpike handles PGP at least as well as any others and far better
than some.

[3] Ironic - I have Demon ADSL and no dial-up. The headers would show
almost conclusively, that the email had emanated from one building in
the world and no other and gone directly into the Demon system.
Apparently, the reason is that if it were a business, this would not
show that the order came from someone authorised to place it, clearly a
fax can do that without question. From that and other evidence, it
appears that the Demon customer records give no indication whether a
customer is a large company, a one-man business or a private individual
or family.

James Coupe

Mar 13, 2002, 5:23:51 AM3/13/02
to
In message <slrna8u9dp....@muir-et5.staff.demon.net>, Malcolm Muir <mal...@demon.net> writes:
>To save discussion / embarrassment of testers group members: it was
>discussed by the testers prior to launch.

Can you also reveal what the discussions suggested about the potential
security implications of the change? (I'm not expecting you to be able
to, but it'd be nice.)

Mark Knight

Mar 13, 2002, 6:06:16 AM3/13/02
to
In message <PuvyoyH0...@MID.the-underwoods.org.uk>, John Underwood
<ab...@the-underwoods.org.uk> writes

>Please note that any mail appearing to be from me which uses my demon
>hostname is a forgery.

To me this makes no sense. Prior to the introduction of the new webmail
service, did you send every mail from your demon connected host?

If not, unless you published a list of those secure hosts that you did
post from, any mail claiming to be from you is potentially a forgery,
unless it's signed in some cryptographically secure way.

Personally, I'm far more concerned about people reading my mail, than
sending forgeries. Indeed, it's for this reason that my mail is
delivered directly to one of a pair of machines that I do trust, and I
use an ssh port forwarding to pop my mail from them.

However, I can't stop people faking mail with whatever fake headers they
choose, so I don't even try. Any mail claiming 'From: ma...@knigma.org'
might be from me, only those PGP signed are likely to be provably from
me. However, since I don't store my PGP private key in a hardware
security module, and someone might have somehow sniffed my private key's
pass phrase (and stolen my backups), even this should be questioned.

I expect people to whom I send mail to understand these risks. I'm
willing to explain these risks if necessary. However, if they still
don't understand the risks, then I probably don't care whether they
believe a forged mail is from me or not.
--
Mark A. R. Knight
Tel: +44 7973 410732 http://www.knigma.org/

John Underwood

Mar 13, 2002, 6:15:39 AM3/13/02
to
On Wed, 13 Mar 2002 at 11:06:16, Mark Knight wrote in demon.service
(Reference: <Hjsp71Hz...@lap.knigma.org>)


>To me this makes no sense. Prior to the introduction of the new webmail
>service, did you send every mail from your demon connected host?

You misunderstood, I meant with my Demon host name which you don't know
and don't need to know.

You have clearly and deliberately misunderstood the concern I express.
Demon have compromised security. I am not prepared to accept that and
will now look for another ISP who operate safely. It won't be cheaper in
terms of money, they are all even worse and always were, it is Demon's
move towards them that I find so distressing.

By all means continue to defend Demon, but if it is because you can't
understand the point that I am making you are probably more vulnerable
to the dangers I am trying to warn about. However, there is no point in
arguing here, with one or two exceptions, apart from me everyone here is
a Demon sycophant. (Now doesn't that sound familiar - but the wrong way
round).

Mark Knight

Mar 13, 2002, 6:34:13 AM3/13/02
to
In message <PKkyR8Fb...@MID.the-underwoods.org.uk>, John Underwood
<ab...@the-underwoods.org.uk> writes

>On Wed, 13 Mar 2002 at 11:06:16, Mark Knight wrote in demon.service
>(Reference: <Hjsp71Hz...@lap.knigma.org>)
>
>
>>To me this makes no sense. Prior to the introduction of the new
>>webmail service, did you send every mail from your demon connected host?
>
>You misunderstood, I meant with my Demon host name which you don't know
>and don't need to know.
>
>You have clearly and deliberately misunderstood the concern I express.
>Demon have compromised security. I am not prepared to accept that and
>will now look for another ISP who operate safely. It won't be cheaper
>in terms of money, they are all even worse and always were, it is
>Demon's move towards them that I find so distressing.

I may have misunderstood you. However, I can assure you that this is not
deliberate, and I resent the unfounded assertion that it is.

>By all means continue to defend Demon, but if it is because you can't
>understand the point that I am making you are probably more vulnerable
>to the dangers I am trying to warn about. However, there is no point in
>arguing here, with one or two exceptions, apart from me everyone here
>is a Demon sycophant. (Now doesn't that sound familiar - but the wrong
>way round).

I am not a Demon sycophant. I just don't happen to agree with my current
understanding of your objection.

I would be quite happy if Demon were to implement a per subscriber flag
to disable the webmail posting facility, but I presently see no
technical argument in favour of this.

Phil Harrison

Mar 13, 2002, 5:48:01 AM3/13/02
to
In article <PuvyoyH0...@MID.the-underwoods.org.uk>, John Underwood
<ab...@the-underwoods.org.uk> writes
>
>Now anyone who gets hold of your POP3 password can send mail in your
>name. Of course this has always been possible with other ISPs; now Demon
>has removed that final barrier which allowed people to criticise it for
>not being like the rest.
>
John, I have no idea what your POP3 password is, but I could still send
an e-mail in your name. Admittedly it would be traceable, and I would
undoubtedly be in violation of Demon's mail AUP, but it's not that
difficult.

There is a problem in the received headers when using Webmail as can be
seen from this example when I sent an e-mail from my home address using
webmail via my work PC as follows:

Received: from pop3.demon.co.uk by generac.demon.co.uk with POP3
id <"generac.1016014667:10:08328:39".gen...@pop3.demon.co.uk>
for <gen...@pop3.demon.co.uk> ; Wed, 13 Mar 2002 10:33:56 +0000
Return-Path: <phar...@ramtop.demon.co.uk>
Received: from punt-1.mail.demon.net by mailstore for
phar...@generac.co.uk
id 1016014667:10:08328:39; Wed, 13 Mar 2002 10:17:47 GMT
Received: from anchor-post-35.mail.demon.net ([194.217.242.93])
by punt-1.mail.demon.net id ai1100435; 13 Mar 2002 10:17 GMT
Received: from pr-webmail-1.demon.net ([194.159.244.51]
helo=web.mail.demon.net)
by anchor-post-35.mail.demon.net with smtp (Exim 3.35 #1)
id 16l5iX-000AMu-0Z; Wed, 13 Mar 2002 10:10:45 +0000
Received: from ramtop.demon.co.uk ([194.222.183.188])
by web.mail.demon.net with http; Wed, 13 Mar 2002 10:10:45 +0000

Note that the last received line implies that ramtop.demon.co.uk
resolves to [194.222.183.188]. This is incorrect and misleading
([194.222.183.188] is the actual IP address of the PC used to send the
e-mail but it was not ramtop.demon.co.uk). If this could be fixed to
provide a correct reverse DNS lookup it would be a bit more obvious
where any forgeries were coming from.

--
Phil Harrison

michael lefevre

Mar 13, 2002, 6:35:37 AM3/13/02
to
In article <sDdqDqN+...@MID.the-underwoods.org.uk>, John Underwood wrote:
> On Tue, 12 Mar 2002 at 22:33:51, Anthony wrote in demon.service
> (Reference: <l60t8uc33upe4da64...@4ax.com>)
>
>
>>People have always been able to send mail in any Demon subscriber's
>>name, providing they have the technical knowledge to do so, which is
>>why so many Demon customers have been affected by the spate of forged
>>UBE and resultant bounce messages.
>
> And anyone who knows what they are doing can see instantly that the
> messages to which you refer are forgeries. I am talking here about
> people sending out email in my name from my account and from a Demon
> machine. Nobody has been able to do that before without knowledge of the
> dial up password. Now they can with the POP3 password.

I don't see this makes as much difference as you seem to imply. Most
people don't fall into the "knows what they are doing" category, and
wouldn't be able to tell a simple forged From: address from a genuine
message from you.

Anyone who does know what they are doing can see from the headers whether
the email originated from your Demon host, or from some other IP, but
using your account through Demon's webmail.

Seems to me your issue could be resolved entirely if the webmail
Received: header didn't lie (in a non-RFC-compliant way, i think) about
receiving from your hostname (although the sending IP is given), but gave
the rDNS of the sending host. To include the Demon hostname, they could,
like some other webmail systems, use a X-Demon-webmail-login:
somehost.demon.co.uk.

The fact that the web page design is pants (for the reasons already given
by others re 640x480, inaccessibility...) is, I think, a bigger issue.

--
michael
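
The Received chain Phil Harrison posted above and the X-Demon-webmail-login: header michael suggests can both be checked mechanically by a recipient. The script below is an added example, not part of this thread or of Demon's webmail; it unfolds a constructed header block modelled on Phil's (his elided recipient address replaced by a placeholder), finds the hop recorded "with http", and compares the hostname that hop claims against constructed forward and reverse DNS tables (a real check would query DNS instead).

```python
import re

# Constructed sample, modelled on the Received chain Phil Harrison posted
# above. The recipient address he elided is replaced by a placeholder; the
# hostnames, IPs and ids are the ones visible in his post.
SAMPLE_HEADERS = """\
Received: from punt-1.mail.demon.net by mailstore for
    recipient@example.invalid
    id 1016014667:10:08328:39; Wed, 13 Mar 2002 10:17:47 GMT
Received: from anchor-post-35.mail.demon.net ([194.217.242.93])
    by punt-1.mail.demon.net id ai1100435; 13 Mar 2002 10:17 GMT
Received: from pr-webmail-1.demon.net ([194.159.244.51]
    helo=web.mail.demon.net)
    by anchor-post-35.mail.demon.net with smtp (Exim 3.35 #1)
    id 16l5iX-000AMu-0Z; Wed, 13 Mar 2002 10:10:45 +0000
Received: from ramtop.demon.co.uk ([194.222.183.188])
    by web.mail.demon.net with http; Wed, 13 Mar 2002 10:10:45 +0000
"""

# The same chain with the X-Demon-webmail-login: header michael proposed.
SAMPLE_WITH_LOGIN = "X-Demon-webmail-login: ramtop.demon.co.uk\n" + SAMPLE_HEADERS

# Constructed DNS tables standing in for real lookups: 192.0.2.10 is a
# documentation-range stand-in for ramtop's true address and the rDNS name
# for the office PC is invented. They exist only so the check runs offline.
FORWARD_DNS = {"ramtop.demon.co.uk": "192.0.2.10"}
REVERSE_DNS = {"194.222.183.188": "office-pc.example.org"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)"                                   # claimed sending host
    r"(?:\s+\(\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\][^)]*\))?"   # optional [ip] (+ helo)
    r"\s+by\s+(?P<by>\S+)"                                    # receiving host
    r"(?:.*?\swith\s+(?P<with>[A-Za-z0-9]+))?",               # optional protocol
    re.DOTALL,
)


def unfold_headers(raw):
    """Join RFC 822 folded continuation lines; return [(name, value), ...]."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def received_hops(raw):
    """Parse every Received: header (most recent first) into a dict;
    groups that are absent from a hop come back as None."""
    hops = []
    for name, value in unfold_headers(raw):
        if name.lower() != "received":
            continue
        m = RECEIVED_RE.match(value)
        if m:
            hops.append(m.groupdict())
    return hops


def audit_webmail_hop(raw, forward_dns, reverse_dns):
    """Find the hop the webmail front end recorded ("with http") and test
    whether the hostname it claims really belongs to the sending IP."""
    hop = next((h for h in received_hops(raw)
                if h["with"] and h["with"].lower() == "http"), None)
    if hop is None:
        return {"webmail_hop": False}
    login = next((v for n, v in unfold_headers(raw)
                  if n.lower() == "x-demon-webmail-login"), None)
    return {
        "webmail_hop": True,
        "claimed_host": hop["host"],
        "sending_ip": hop["ip"],
        # True only if forward DNS for the claimed name gives the sending IP
        "claimed_host_matches_ip": forward_dns.get(hop["host"]) == hop["ip"],
        "sending_host_rdns": reverse_dns.get(hop["ip"]),
        "webmail_login": login,
    }


if __name__ == "__main__":
    for label, sample in (("as posted", SAMPLE_HEADERS),
                          ("with login header", SAMPLE_WITH_LOGIN)):
        print(label, audit_webmail_hop(sample, FORWARD_DNS, REVERSE_DNS))
```

On the chain as posted the claimed host does not resolve to the sending IP, which is exactly the misleading line Phil describes; with michael's proposed header the Demon login is carried separately from the sender's rDNS.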

Mark Knight

Mar 13, 2002, 6:43:24 AM3/13/02
to
In message <a6ndi9$fgr09$1...@ID-106624.news.dfncis.de>, michael lefevre
<michae...@michaellefevre.com> writes

>Seems to me your issue could be resolved entirely if the webmail
>Received: header didn't lie (in a non-RFC-compliant way, i think) about
>receiving from your hostname (although the sending IP is given), but gave
>the rDNS of the sending host. To include the Demon hostname, they could,
>like some other webmail systems, use a X-Demon-webmail-login:
>somehost.demon.co.uk.

I've been staring at the headers, and I agree that the first received
line is too confusing to people who don't know the eccentricities of the
Demon webmail implementation to be useful.

However, if the reverse lookup was correct, I guess some people would
complain that they don't want the domain of their employer to be shown
when they post from work. The IP address alone is better in this
respect.

I think the addition of a 'X-Demon-webmail-login:' style header is an
excellent suggestion.

Dave Roberts

Mar 13, 2002, 6:55:29 AM3/13/02
to
"John Underwood" scrawled

Some security tips for the paranoid: -

Always lock your workstation when you leave it for more than 10 seconds

Make sure your keyboard is not visible when entering passwords.

Ensure that your room is lead lined with no windows.

Sweep the room for bugs before booting your pc.

Remove the network cable so no-one can compromise your machine and
passwords.

And always remember, they _are_ out to get you.

HTH,

Dave


Andrew Gillett

Mar 13, 2002, 6:55:48 AM3/13/02
to demon.service
One annoying thing about it is that the list of mails is much harder to read
now, due to the width and design of the table. It would be a lot better if
it used the full width of the browser window like the old WebMail system.


Dave Roberts

Mar 13, 2002, 7:08:21 AM3/13/02
to
"Brian {Hamilton Kelly}" wrote in message [snip]

>[I'm uncertain as to whether a
> caveat should be included here for those using ADSL, since I believe at
> least part of the route passes over BT Ignite's IP network before
> entering Demon's.]
>
[snip]

And Demon Express is the only Demon service that forces you to use POP3 to
collect mail. Irony anyone?

Dave


Simon Colebrook

Mar 13, 2002, 7:25:32 AM3/13/02
to
In article <PuvyoyH0...@MID.the-underwoods.org.uk>, abuse@the-underwoods.org.uk says...

>
> Now anyone who gets hold of your POP3 password can send mail in your
> name. Of course this has always been possible with other ISPs; now Demon
> has removed that final barrier which allowed people to criticise it for
> not being like the rest.
>
Not knowing quite where in this thread to place this reply, I have
chosen here!

Rather than a per-user flag for Webmail sending ability, would it not be
simpler to have a separate Webmail password.

Then, those that do not share your security concern can set it to the
same as their POP3 password. Those that do, can have a different
password and (hopefully) be safe in the knowledge that the ability to
send mails is secured by the https-only transmission of the password. If
one has no intention of using Webmail then one can set it to a full
length string of random characters.

I am imagining (on the basis of pure speculation) that this is easier to
implement than the per-user system as envisaged above.

Personally, I do not care which method is used as my company only ever
uses SMTP to receive mail. I have, on occasion (sticky punts, etc) used
the Webmail interface but have no intention of using it for sending
mail.

I can, however, see your point and maybe those trying to persuade you
that

"it is not a significant security risk"

would do well to add

"to my set of circumstances"

at the end of the statement.

Regards

Simon Colebrook

Bob Cousins

Mar 13, 2002, 7:25:23 AM3/13/02
to
John Underwood wrote:

>On Wed, 13 Mar 2002 at 10:01:10, Greg Middleton wrote in demon.service
>(Reference: <9c8u8ukl0i1vgupu3...@4ax.com>)
>
>
>>I take the point about the lack of encryption within emails themselves
>>but it's completely unrealistic to expect everyone of our many hundreds
>>of customers and suppliers to install some sort of encryption.
>
>It isn't that unrealistic, but it is a step many would think (but
>probably not find) daunting.

You can be prosecuted for not supplying the password for encrypted
documents, if requested by the police. It would be a nightmare for
companies to handle encrypted email, unless they have a bullet proof
system that ensures that the right key(s) are always kept for each
email. It's a lot easier to avoid the risk and use plain text.

--
Bob Cousins.
Please remove $NOSPAM$ to reply.

John Underwood

Mar 13, 2002, 7:35:53 AM3/13/02
to
On Wed, 13 Mar 2002 at 11:55:29, Dave Roberts wrote in demon.service
(Reference: <1016020529.16978....@news.demon.co.uk>)


>Some security tips for the paranoid

I am not paranoid, I take carefully designed steps to ensure security.
One of those steps was to use an ISP which does not allow outgoing mail
to be sent solely with the POP3 password.

None of the advice you gave was relevant unless considered in the
context of the possible threat. Most of it is irrelevant in the face of
my perceived threat. That threat has now changed and the assessment has
changed. Demon do not provide the facilities I need. They could still
do, but do not appear to be interested in doing so. That is fair enough,
I don't have to use them, and they don't have to provide me with what I
want.

Bob Cousins

Mar 13, 2002, 7:41:32 AM3/13/02
to
John Underwood wrote:

>On Wed, 13 Mar 2002 at 11:06:16, Mark Knight wrote in demon.service
>(Reference: <Hjsp71Hz...@lap.knigma.org>)
>
>
>>To me this makes no sense. Prior to the introduction of the new webmail
>>service, did you send every mail from your demon connected host?
>
>You misunderstood, I meant with my Demon host name which you don't know
>and don't need to know.

You mean jandsu.demon.co.uk?

I am hardly a Demon sycophant, and I know it is annoying when a new
version leaps in and removes useful features, but I really can't see
what the fuss is about. Email is simply not so secure that this
change represents a big compromise. Obviously the importance of the
compromise is subjective, but it looks like you are in a minority
(that doesn't mean your opinion is "wrong"...just different).

It is true that being read-only gave me some confidence when accessing at
net cafes, but people must use "insecure" web mail at these places all
the time. Provided you remember to log out, I can't see a problem.

I think if any recipients think that email could never be forged, they
need educating.

I don't think Demon were very clever springing this on everyone, and
not even putting in a simple backward compatibility. How hard would it
be to have an option on your account that makes webmail read only?

Chris Cowdery

Mar 13, 2002, 7:42:59 AM3/13/02
to
"Terry Simpson" <ne...@connected-systems.com> wrote in message news:<1015957734.25134....@news.demon.co.uk>...
> I am delighted with the new Demon Webmail service particularly with the
> ability to reply and to sort by date. I have the following suggestions:

I am not so delighted - you can't view anything over 1MByte.
I use it at work to screen and zap any large e-mails that I don't want
to download over my modem.

I can't do that any longer.

Why has the limit been introduced?

Chris.

John Underwood

Mar 13, 2002, 7:37:30 AM3/13/02
to
On Wed, 13 Mar 2002 at 12:25:23, Bob Cousins wrote in demon.service
(Reference: <a1hu8u8d2rrpamcoi...@4ax.com>)


>It's a lot easier to avoid the risk and use plain text.

Considerably so than learning the law on the subject, as is demonstrated by
this posting.

Did you know that you could be sent to prison for twenty years for
writing what you have done there?

Dave Roberts

Mar 13, 2002, 7:48:11 AM3/13/02
to
"John Underwood" <ab...@the-underwoods.org.uk> wrote in message
news:Cs4RY$Bpe0j...@MID.the-underwoods.org.uk...

> On Wed, 13 Mar 2002 at 11:55:29, Dave Roberts wrote in demon.service
> (Reference: <1016020529.16978....@news.demon.co.uk>)
>
>
> >Some security tips for the paranoid
>
> I am not paranoid, I take carefully designed steps to ensure security.
> One of those steps was to use an ISP which does not allow outgoing mail
> to be sent solely with the POP3 password.
>
> None of the advice you gave was relevant unless considered in the
> context of the possible threat. Most of it is irrelevant in the face of
> my perceived threat. That threat has now changed and the assessment has
> changed. Demon do not provide the facilities I need. They could still
> do, but do not appear to be interested in doing so. That is fair enough,
> I don't have to use them, and they don't have to provide me with what I
> want.
> --

I am sorry that you found my advice to be irrelevant especially the removal
of the network cable. Maybe I should add power cable to the list as well.

Dave

John Underwood

Mar 13, 2002, 7:51:00 AM3/13/02
to
On Wed, 13 Mar 2002 at 12:25:32, Simon Colebrook wrote in demon.service
(Reference: <MPG.16f95596a...@news.clara.net>)


>I can, however, see your point

Thank you, I don't mind crying in the wilderness, and in any case, if
Demon wants to be inhabited by customers who have no concern about
security that is their business, I just don't want to be one of them.

>and maybe those trying to persuade you that

They will fail whatever they do, so far no-one who has argued against me
has seen any need for the kind of security I am talking about.

>
>"it is not a significant security risk"
>
>would do well to add
>
>"to my set of circumstances"
>
>at the end of the statement.

Hear! Hear!

John Underwood

Mar 13, 2002, 7:48:19 AM3/13/02
to
On Wed, 13 Mar 2002 at 12:41:32, Bob Cousins wrote in demon.service
(Reference: <rehu8us9s6vverg6d...@4ax.com>)


>It is true being read-only gave me some confidence when accessing at
>net cafes, but people must use "insecure" web mail at these places all
>the time. Provided you remember to log out, I can't see a problem.
>

If it were my use in cybercafes I would not be concerned - to do that
would require precautions I have not needed. Now it doesn't matter where
I make my calls - via my laptop anywhere for example, but on my machine.
Precautions are needed because other people have a benefit. I object. It
is costing me extra effort and I will not pay it.

>I think if any recipients think that email could never be forged, they
>need educating.

True, so how are you going to do that?

And in any case, how do I know since I didn't realise they had based
their judgement and their decision on a message I didn't even know they
had received but which they believed came from me since it used my
details and came from my ISP?

I already have most of the defence against that in place and in use. I
am now more concerned about the other security changes Demon are
throwing at us without testing and listening carefully to the testers
comments - these comments appear to have been made and they appear to
have been ignored but we will never know here.

John Underwood

Mar 13, 2002, 7:55:12 AM3/13/02
to
On Wed, 13 Mar 2002 at 12:48:11, Dave Roberts wrote in demon.service
(Reference: <1016023691.18361....@news.demon.co.uk>)


>I am sorry that you found my advice to be irrelevant especially the
>removal of the network cable. Maybe I should add power cable to the
>list as well.

You missed the qualification to the description as irrelevant - without
taking account of my circumstances.

What purpose would be served by removing a power cable from a laptop?

James Coupe

Mar 13, 2002, 7:44:19 AM3/13/02
to
[uk.net.regulation added]

In message <a1hu8u8d2rrpamcoi...@4ax.com>, Bob Cousins <bob@$NOSPAM$lintilla.demon.co.uk> writes:
>You can be prosecuted for not supplying the password for encrypted
>documents, if requested by the police.

The RIP act is rather more subtle than that. (Section 49 and Schedule 2
of RIP 2000 being useful references here.)

>It would be a nightmare for
>companies to handle encrypted email, unless they have a bullet proof
>system that ensures that the right key(s) are always kept for each
>email. It's a lot easier to avoid the risk and use plain text.

If you have good reason not to have a key, it's possible to say so.

It is also possible to *keep* things in plain-text but not to pass them
around in plain-text, using one backed-up key (perhaps) to secure that
storage.

Dave J.

Mar 13, 2002, 8:19:50 AM3/13/02
to
In MsgID<xq0YBruj...@gratiano.zephyr.org.uk> inside of
uk.net.regulation, 'James Coupe' remarked:

>>You can be prosecuted for not supplying the password for encrypted
>>documents, if requested by the police.
>
>The RIP act is rather more subtle than that. (Section 49 and Schedule 2
>of RIP 2000 being useful references here.)
>
>>It would be a nightmare for
>>companies to handle encrypted email, unless they have a bullet proof
>>system that ensures that the right key(s) are always kept for each
>>email. It's a lot easier to avoid the risk and use plain text.
>
>If you have good reason not to have a key, it's possible to say so.
>
>It is also possible to *keep* things in plain-text but not to pass them
>around in plain-text, using one backed-up key (perhaps) to secure that
>storage.

Better yet, keep them under 'rubberhose', an elegant idea that
combines deniable ("how many files do you have, your HD's full of
random numbers") steganography with encryption.
http://www.rubberhose.org/

For file transfer we need a utility that makes a connection, generates
a random PGP key pair, sends the public part, receives the data sent
under the public half and then decrypts it. All without *ever* logging
or writing the keypair to disk.

--
Dave Johnson : req...@freeuk.com

Anthony

Mar 13, 2002, 8:32:14 AM3/13/02
On Wed, 13 Mar 2002 11:55:29 -0000, in demon.service "Dave Roberts"
<m...@127.0.0.1> wrote:

>
>And always remember, they _are_ out to get you.
>

It's always worth remembering too what Kevin Mitnick said; that 90% of his
successful intrusion attempts were social engineering hacks, rather
than anything overtly technical. By far the easiest way of gaining
unauthorized access is to obtain a legitimate user's username and
password; by far the easiest way to obtain that username and password
is to ring the user and ask for it.

--
Anthony
ant...@catfish.demon.co.uk

Anthony

Mar 13, 2002, 8:36:18 AM3/13/02
On Wed, 13 Mar 2002 11:15:39 +0000, in demon.service John Underwood
<ab...@the-underwoods.org.uk> wrote:

>
>You misunderstood, I meant with my Demon host name which you don't know
>and don't need to know.
>

Check the Path line in the posting I am replying to.

--
Anthony
ant...@catfish.demon.co.uk

Dave Roberts

Mar 13, 2002, 8:47:21 AM3/13/02
"John Underwood" actively responded
[snip]

> You missed the qualification to the description as irrelevant - without
> taking account of my circumstances.

Are you sure?

>
> What purpose would be served by removing a power cable from a laptop?
> --

Now you are trying to trick me. Tsk tsk shame on you. Correction should
read "power cable and battery" for laptop users. Can someone add this to
the FAQ?


Dave Roberts

Mar 13, 2002, 8:48:18 AM3/13/02
"Anthony" <ant...@catfish.demon.co.uk> wrote in message
news:r1lu8u0lh235e3gio...@4ax.com...
[snip]

> than anything overtly technical. By far the easiest way of gaining
> unauthorized access is to obtain a legitimate user's username and
> password; by far the easiest way to obtain that username and password
> is to ring the user and ask for it.
>

What's your number?


Andy

Mar 13, 2002, 9:06:15 AM3/13/02
In article <a1hu8u8d2rrpamcoi...@4ax.com>, Bob Cousins
<bob@$NOSPAM$lintilla.demon.co.uk> wrote
[]

>You can be prosecuted for not supplying the password for encrypted
>documents, if requested by the police. It would be a nightmare for
>companies to handle encrypted email, unless they have a bullet proof
>system that ensures that the right key(s) are always kept for each
>email. Its a lot easier to avoid the risk and use plain text.
>
The 'nightmare' is commercially available as Lotus Notes.
--
Andy [Editor, Austrian Philatelic Society]
For Austrian philately <URL:http://www.kitzbuhel.demon.co.uk/austamps>
For Lupus <URL:http://www.kitzbuhel.demon.co.uk/lupus>
For my other interests <URL:http://www.kitzbuhel.demon.co.uk>

Bob Cousins

Mar 13, 2002, 9:20:39 AM3/13/02
Dave J. wrote:

>Better yet, keep them under 'rubberhose', an elegant idea that
>combines deniable ("how many files do you have, your HD's full of
>random numbers") steganography with encryption.
>http://www.rubberhose.org/
>
>For file transfer we need a utility that makes a connection, generates
>a random PGP key pair, sends the public part, receives the data sent
>under the public half and then decrypts it. All without *ever* logging
>or writing the keypair to disk.

Yeah, whatever, it's irrelevant. Given that the competence of most IT
departments only runs to Microsoft Exchange and Outlook Express, they
are not going to get involved in encryption if it presents *any*
technical or legal problems.

Amateur experts here may understand the finer points of the law better
than I do, but IT departments don't generally have their systems
checked over by lawyers.

It costs money, there's no demand, and there are legal issues. It
isn't going to happen.

Bob Cousins

Mar 13, 2002, 9:21:29 AM3/13/02
John Underwood wrote:

>On Wed, 13 Mar 2002 at 12:25:23, Bob Cousins wrote in demon.service
>(Reference: <a1hu8u8d2rrpamcoi...@4ax.com>)
>
>
>>ts a lot easier to avoid the risk and use plain text.
>
>Considerably so than learning the law on subject as is demonstrated by
>this posting.
>
>Did you know that you could be sent to prison for twenty years for
>writing what you have done there?

Actually, I changed my mind, your opinion is bollocks.

Andy

Mar 13, 2002, 9:20:00 AM3/13/02
In article <1016027299.10071....@news.demon.co.uk>, Dave
Roberts <m...@127.0.0.1> wrote
[
>
>What's your number?
>
>
Whitehall 1212

Chris Hedley

Mar 13, 2002, 9:05:50 AM3/13/02
According to Dave Roberts <m...@127.0.0.1>:

> Some security tips for the paranoid: -
>
> Always lock your workstation when you leave it for more than 10 seconds
>
> Make sure your keyboard is not visible when entering passwords.
>
> Ensure that your room is lead lined with no windows.
>
> Sweep the room for bugs before booting your pc.
>
> Remove the network cable so no-one can compromise your machine and
> passwords.

These are pretty much the guidelines (well, a subset of them) for
secure government installations.

> And always remember, they _are_ out to get you.

And that one is almost certainly true for the above installations!

Chris.

Clive D. W. Feather

Mar 13, 2002, 5:06:30 AM3/13/02
In article <h54u8usrv32h20t2e...@4ax.com>, Greg
<gr...@n-o-s-p-a-p.voyager10.demon.co.uk> writes
>Do you mean that a mail client using POP3 to read mail is sending the
>password to the server unencrypted so it can be intercepted ?

Yes, that's correct.

The other way of sending passwords to a POP3 server is APOP. However,
this requires the server operator to keep your plaintext password;
something that Demon doesn't do.

--
Clive D.W. Feather, writing for himself | Home: <cl...@davros.org>
Tel: +44 20 8371 1138 (work) | Web: <http://www.davros.org>
Fax: +44 870 051 9937 (NOTE CHANGE) | Work: <cl...@demon.net>
Written on my laptop; please observe the Reply-To address

Clive D. W. Feather

Mar 13, 2002, 4:32:11 AM3/13/02
In article <fzomfDOp...@MID.the-underwoods.org.uk>, John Underwood
<ab...@the-underwoods.org.uk> writes
>It is as I meant. If you want your mail to be secure, you must not
>leave your POP3 password anywhere where someone other than yourself can
>see it. In the past it was probably safe to leave it on an office
>system (i.e. where you work) since the worst that could happen would be
>people read your mail.

Or they could delete it before you saw it.

You may not have completely thought through your threat model.

Richard Clayton

Mar 13, 2002, 9:41:36 AM3/13/02
In article <a1hu8u8d2rrpamcoi...@4ax.com>, Bob Cousins
<bob@$NOSPAM$lintilla.demon.co.uk> writes

>You can be prosecuted for not supplying the password for encrypted
>documents, if requested by the police.

That will be true when Part III of the RIP Act 2000 is activated.
Currently no date for this has been set - so at present that's not
correct.

>It would be a nightmare for
>companies to handle encrypted email, unless they have a bullet proof
>system that ensures that the right key(s) are always kept for each
>email.

If you say that you don't have the key any more then it would be
necessary for the prosecution to prove that you are lying.

If you're telling the truth then there must be some considerable
expectation that the Court will believe your story sufficiently for the
case not to succeed.

>Its a lot easier to avoid the risk and use plain text.

Life is full of risks ... the risk run by a legitimate business in
having its encrypted email intercepted, being unable to provide the
plaintext and then being successfully prosecuted seems to me to be
vanishingly small.

The risk of having email read by unauthorised people during its travel
from end to end (or its misdirection to the wrong destination) is also
small ... but, it seems to me to be the somewhat greater risk.

The Law Society already recommends that email containing confidential
material be encrypted wherever possible. I expect many other
professional and trade bodies to take the same line over the next few
years. Failure to encrypt something sensitive may end up looking like
negligence and that is itself risky.

--
richard Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin

Anthony

Mar 13, 2002, 10:29:00 AM3/13/02
On Wed, 13 Mar 2002 13:48:18 -0000, in demon.service "Dave Roberts"
<m...@127.0.0.1> wrote:

>
>What's your number?
>

I am not a number, I am a free man!

--
Anthony
ant...@catfish.demon.co.uk

Dave J.

Mar 13, 2002, 10:32:09 AM3/13/02
In MsgID<3knu8uo15g3h7v4cp...@4ax.com> inside of
uk.net.regulation, 'Bob Cousins' remarked:

>Dave J. wrote:
>
>>Better yet, keep them under 'rubberhose', an elegant idea that
>>combines deniable ("how many files do you have, your HD's full of
>>random numbers") steganography with encryption.
>>http://www.rubberhose.org/
>>
>>For file transfer we need a utility that makes a connection, generates
>>a random PGP key pair, sends the public part, receives the data sent
>>under the public half and then decrypts it. All without *ever* logging
>>or writing the keypair to disk.
>
>Yeah, whatever, it's irrelevant. Given that the competence of most IT
>departments only runs to Microsoft Exchange and Outlook Express, they
>are not going to get involved in encryption if it presents *any*
>technical or legal problems.

That's a good thing, business IT departments are among the potential
enemies and are part of the reason the real users need encryption to
safeguard their privacy.

>Amateur experts here may understand the finer points of the law better
>than I do, but IT departments don't generally have their systems
>checked over by lawyers.

Yeah, they're usually pretty immune to legal consequences anyway.

>It costs money, there's no demand, and there are legal issues. It
>isn't going to happen.

Ever heard of FreeBSD?

Dave J.

--
Keep Crime off the Net, Keep Laws and Judges OUT!

Unknown

Mar 13, 2002, 12:15:05 PM3/13/02
On Tue, 12 Mar 2002 23:28:41 +0000, John Underwood
<ab...@the-underwoods.org.uk> wrote:

>
>I dare not use my POP3 passwords where it may be discovered.
>


If the authenticity of your mail is that critical, should you not be
using some kind of digital signature?

--
Cheers, Des

John Underwood

Mar 13, 2002, 2:05:39 PM3/13/02
On Wed, 13 Mar 2002 at 14:21:29, Bob Cousins wrote in demon.service
(Reference: <12ou8ucdksh1taeds...@4ax.com>)


>Actually, I changed my mind, your opinion is bollocks.


Why, you could be sent to prison for saying that too? It would require
no more distortion of the law than your earlier assumptions about police
action.

John Underwood

Mar 13, 2002, 2:04:32 PM3/13/02
On Wed, 13 Mar 2002 at 09:32:11, Clive D. W. Feather wrote in
demon.service
(Reference: <10VzsmVb...@romana.davros.org>)


>Or they could delete it before you saw it.

As you point that out, I would suggest that web mail has always been
defective in that it allowed that to happen and, therefore, it should
always have been possible to disable it for any form of access.


>
>You may not have completely thought through your threat model.

True, but I would still put that threat a long way below the ability to
send mail and I believe I have proportionate defences against it. Now
the nature of the threat and its consequences is such that the defences
I have are no longer proportionate and I am forced to change the pattern
because Demon have provided others with a benefit (and I don't dispute
that it is a benefit). I just don't want to have to bear the cost of the
disadvantage. I might as well use a cheaper ISP which has never
pretended to give security.

John Underwood

Mar 13, 2002, 2:08:58 PM3/13/02
On Wed, 13 Mar 2002 at 10:06:30, Clive D. W. Feather wrote in
demon.service
(Reference: <pnaEYVWm...@romana.davros.org>)


>The other way of sending passwords to a POP3 server is APOP. However,
>this requires the server operator to keep your plaintext password;
>something that Demon doesn't do.

I have long wondered why not? After all, it would only be used for POP3,
not for login, and it could be deposited securely, within a local
dial-up.

John Underwood

Mar 13, 2002, 2:12:01 PM3/13/02
On Wed, 13 Mar 2002 at 13:36:18, Anthony wrote in demon.service
(Reference: <mclu8ughn7q2ff9po...@4ax.com>)


>On Wed, 13 Mar 2002 11:15:39 +0000, in demon.service John Underwood
><ab...@the-underwoods.org.uk> wrote:
>
>>
>>You misunderstood, I meant with my Demon host name which you don't know
>>and don't need to know.
>>
>
>Check the Path line in the posting I am replying to.
>

So? It makes not a jot of difference to the insecurity of the web mail
service.

Stuart Millington

Mar 13, 2002, 2:40:20 PM3/13/02
On Wed, 13 Mar 2002 10:11:05 GMT, mal...@demon.net (Malcolm Muir)
wrote:

>To save discussion / embarrassment of testers group members. It was
>discussed by the testers prior to launch.

Thank you.

--
------------------------------------------------------------------
- Stuart Millington -
- mailto:ph...@dsv1.co.uk http://www.z-add.co.uk/ -
- *ALL* HTML e-mail rejected -

James Coupe

Mar 13, 2002, 2:28:30 PM3/13/02
In message <qyy7$JCAL6...@MID.the-underwoods.org.uk>, John Underwood
<ab...@the-underwoods.org.uk> writes:
>>Or they could delete it before you saw it.
>
>As you point that out, I would suggest that web mail has always been
>defective in that it allowed that to happen and, therefore, it should
>always have been possible to disable it for any form of access.

Anyone who had the POP3 password for doing this via web-mail could do it
anyway, by just telnetting to pop3.demon.co.uk and issuing DELE
commands.

Richard Clayton

Mar 13, 2002, 2:44:19 PM3/13/02
In article <4SQ$XRDKP6...@MID.the-underwoods.org.uk>, John Underwood
<ab...@the-underwoods.org.uk> writes

>On Wed, 13 Mar 2002 at 10:06:30, Clive D. W. Feather wrote in
>demon.service
>(Reference: <pnaEYVWm...@romana.davros.org>)
>
>
>>The other way of sending passwords to a POP3 server is APOP. However,
>>this requires the server operator to keep your plaintext password;
>>something that Demon doesn't do.
>
>I have long wondered why not?

it significantly changes the risk profile for protection of the server

> After all, it would only be used for POP3,
>not for login, and it could be deposited securely,

an interesting concept of itself

> within a local
>dial-up.

this doesn't sound right... it would have to be in a database that the
POP3 server had access to

James Coupe

Mar 13, 2002, 3:09:49 PM3/13/02
In message <bs819cBT...@highwayman.com>, Richard Clayton
<ric...@highwayman.com> writes:
>>>The other way of sending passwords to a POP3 server is APOP. However,
>>>this requires the server operator to keep your plaintext password;
>>>something that Demon doesn't do.
>>
>>I have long wondered why not?
>
>it significantly changes the risk profile for protection of the server

Can I ask what's so special about APOP that it can't be stored in a
similar fashion to /etc/passwd type things i.e. post-crypto?

John Underwood

Mar 13, 2002, 3:26:40 PM3/13/02
On Wed, 13 Mar 2002 at 19:28:30, James Coupe wrote in demon.service
(Reference: <c4rz1Ace...@gratiano.zephyr.org.uk>)


>Anyone who had the POP3 password for doing this via web-mail could do
>it anyway, by just telnetting to pop3.demon.co.uk and issuing DELE
>commands.

A good point and, as I went on to point out, this was part of my threat
analysis, and not considered to require the level of defence that is now
required.

I don't give a damn if anyone thinks I am wrong. My estimate of the
situation is that the cost to me of having unavoidable web-mail sending
is unacceptable. That is solely my decision and I will take the
appropriate step. The cheapest solution for me would be that I be
allowed to disable web-mail sending on my account.

Why should one customer's needs be denied in order to provide something
for some others - not all by any means. How many customers does Demon
expect to gain by this step? How many will it actually lose? They may
gain a customer or more, but it is looking increasingly as if they will
certainly lose at least one. A little less intransigence might have
helped.

Remember Demon, I pay you, the relationship is not the other way round
and can easily be terminated.

michael lefevre

Mar 13, 2002, 3:37:50 PM3/13/02
In article <LJfm55fN...@gratiano.zephyr.org.uk>, James Coupe wrote:
> In message <bs819cBT...@highwayman.com>, Richard Clayton
> <ric...@highwayman.com> writes:
>>>>The other way of sending passwords to a POP3 server is APOP. However,
>>>>this requires the server operator to keep your plaintext password;
>>>>something that Demon doesn't do.
>>>
>>>I have long wondered why not?
>>
>>it significantly changes the risk profile for protection of the server
>
> Can I ask what's so special about APOP that it can't be stored in a
> similar fashion to /etc/passwd type things i.e. post-crypto?

i'm no expert, but as i understand it, the crypto in APOP is done on a
per-session basis. e.g. the server says "here's a one time key, encrypt
the password with this key", and then the server encrypts its copy of the
password with that same key and compares the result with what the client
sends back. obviously, to have any degree of security, the key used
needs to be changed each time[1], so the server has to have an unencrypted
version of the password to encrypt with each new key.

i guess you wouldn't actually have to store the passwords in a plain text
file on that same machine, but the server would at least have to be able
to obtain the cleartext password in real-time, which has pretty much the
same security implications.

[1] otherwise someone can connect up and just send the encrypted version
of the password that they've captured...

--
michael

John Underwood

Mar 13, 2002, 3:32:18 PM3/13/02
On Wed, 13 Mar 2002 at 14:44:19, Richard Clayton wrote in demon.service
(Reference: <bs819cBT...@highwayman.com>)


>it significantly changes the risk profile for protection of the server

You don't realise how glad I am to hear that.

You are concerned that POP3 passwords may be compromised so instead of
authentication, we have to send them in plain text. Now you really have
confirmed my worst fears. For whose benefit is that neat bit of odd
logic?

I said


>> After all, it would only be used for POP3,
>>not for login, and it could be deposited securely,
>
>an interesting concept of itself
>

Why? I am merely suggesting that one possibility would be that changing
the password could be restricted to a secure connection such as that
from a direct dial up.

>> within a local
>>dial-up.
>
>this doesn't sound right... it would have to be in a database that the
>POP3 server had access to

So how does the server communicate with the database going outside the
Demon network. If that is a problem, Demon's insecurity is far worse
than I thought.

John Underwood

Mar 13, 2002, 3:45:01 PM3/13/02
On Wed, 13 Mar 2002 at 20:37:50, michael lefevre wrote in demon.service
(Reference: <a6odat$g309e$1...@ID-106624.news.dfncis.de>)


>i guess you wouldn't actually have to store the passwords in a plain
>text file on that same machine, but the server would at least have to
>be able to obtain the cleartext password in real-time, which has pretty
>much the same security implications.

At what stage in that does the password get sent outside the ISP's
network in plain form? If it is it has the same security implications,
if it doesn't get sent in that way then there are no security
implications - or rather the security implications are the same as for
the dial-up password.

James Coupe

Mar 13, 2002, 4:16:56 PM3/13/02
In message <4zSv$NCAY7...@MID.the-underwoods.org.uk>, John Underwood
<ab...@the-underwoods.org.uk> writes:
>>Anyone who had the POP3 password for doing this via web-mail could do
>>it anyway, by just telnetting to pop3.demon.co.uk and issuing DELE
>>commands.
>
>A good point and, as I went on to point out, this was part of my threat
>analysis, and not considered to require the level of defence that is
>now required.
>
>I don't give a damn if anyone thinks I am wrong.

For the record, I'm taking part in a discussion where the issues (in
general) are moderately complex, though they may be clear cut for the
individual case.

>My estimate of the situation is that the cost to me of having
>unavoidable web-mail sending is unacceptable.

One possible option (a SMOP) for implementation would be, using a *dial-
up* password on secure web.password, turn off the ability to compose
mail.

Would this help?

James Coupe

Mar 13, 2002, 4:22:19 PM3/13/02
In message <a6odat$g309e$1...@ID-106624.news.dfncis.de>, michael lefevre
<michae...@michaellefevre.com> writes:
>i'm no expert, but as i understand it, the crypto in APOP is done on a
>per-session basis. e.g. the server says "here's a one time key, encrypt
>the password with this key", and then the server encrypts its copy of the
>password with that same key and compares the result with what the client
>sends back. obviously, to have any degree of security, the key used
>needs to be changed each time[1], so the server has to have an unencrypted
>version of the password to encrypt with each new key.

If this *is* the case, would it be possible to implement it, instead,
as:

Client: I want to sign in.
Server: Here, encrypt it with this *public* key.
Client: Okay. Here you go.
Server: Received.
Unencrypts.
Re-encrypts using the security for the database. (e.g. a
/etc/passwd crypt style function, or whatever)
Asks the database.
Verify.
Return Pass/Fail.
Client: I passed? Hurrah / I failed? Boo.


Or is a public/private key system totally incompatible with APOP as it
stands now? Is there any way that an APOP client could be given a
public key system under the current protocol, without breaking?

Julian Barker

Mar 13, 2002, 5:08:39 PM3/13/02

Brian {Hamilton Kelly} <b...@dsl.co.uk> wrote


>Why on earth
>did none of the "Testers Group" see the yawning security hole; were they
>all so enamoured of the prospect of being able to send mail through the
>interface that they were blind to any security limitations?

Has it occurred to you that some of the people discussing this topic
here may be Demon testers?

--
Julian Barker

There is a coherent plan in the universe,
though I don't know what it is a plan for.
- Sir Fred Hoyle 1915-2001

michael lefevre

Mar 13, 2002, 6:20:08 PM3/13/02
In article <nih4L1EN...@MID.the-underwoods.org.uk>, John Underwood wrote:
> On Wed, 13 Mar 2002 at 20:37:50, michael lefevre wrote in demon.service
> (Reference: <a6odat$g309e$1...@ID-106624.news.dfncis.de>)
>
>>i guess you wouldn't actually have to store the passwords in a plain
>>text file on that same machine, but the server would at least have to
>>be able to obtain the cleartext password in real-time, which has pretty
>>much the same security implications.
>
> At what stage in that does the password get sent outside the ISP's
> network in plain form?

it isn't at any stage, that's the point of it. the issue that Richard
mentioned is that the passwords have to be stored on Demon's POP3 server
in cleartext. storing cleartext passwords is unusual (for obvious
reasons), storing them like that on an internet-facing server would
generally be considered completely stupid.

> If it is it has the same security implications,
> if it doesn't get sent in that way then there are no security
> implications - or rather the security implications are the same as for
> the dial-up password.

not what i meant. i meant the security implications of having the server
handling the cleartext password, but storing it locally in encrypted
form, are similar to the implications of simply storing the password on
the server unencrypted.

one would generally expect servers directly connected to the internet not
to have files with cleartext passwords stored on them. a security breach
would then mean that the cracker could collect the POP3 password of every
Demon user. i would have thought the risk of that is relatively low as
compared to the risk of a POP3 password being sniffed or otherwise
obtained on some other network, but of course the consequences are
more serious (all users rather than just one user at a time).

i'm hoping someone will jump in and correct me if i'm talking rubbish
here - i'm no network security expert...

--
michael

michael lefevre

Mar 13, 2002, 6:37:40 PM3/13/02
In article <cguzj1mL...@gratiano.zephyr.org.uk>, James Coupe wrote:
> In message <a6odat$g309e$1...@ID-106624.news.dfncis.de>, michael lefevre
> <michae...@michaellefevre.com> writes:
>>i'm no expert, but as i understand it, the crypto in APOP is done on a
>>per-session basis. e.g. the server says "here's a one time key, encrypt
>>the password with this key", and then the server encrypts its copy of the
>>password with that same key and compares the result with what the client
>>sends back. obviously, to have any degree of security, the key used
>>needs to be changed each time[1], so the server has to have an unencrypted
>>version of the password to encrypt with each new key.
>
> If this *is* the case, would it be possible to implement it, instead,
> as:
>
> Client: I want to sign in.

this isn't part of the protocol - the client indicates they want to talk
just by opening a connection.

> Server: Here, encrypt it with this *public* key.

that's what happens (APOP capable servers put the key in the greeting,
non-APOP clients can simply ignore it)

> Client: Okay. Here you go.

fine

> Server: Received.
> Unencrypts.

this is the problem. the method used is a one-way hash - there's no way
of unencrypting. (at least i think that's right!)

[snip]


> Or is a public/private key system totally incompatible with APOP as it
> stands now? Is there any way that an APOP client could be given a
> public key system under the current protocol, without breaking?

yes it is and no there isn't. the method used is part of the APOP
protocol.

having just looked it up, it appears that RFC 1734 offers a standard for
using reasonable authentication with POP3 (it basically says "use this
command, and then work the same as IMAP authentication). however, i'm
not aware of any clients that support that with POP3 (although most
support it with IMAP). on the subject of clients, APOP isn't widely
supported by them either...

--
michael

John Underwood

Mar 13, 2002, 6:39:06 PM3/13/02
On Wed, 13 Mar 2002 at 21:16:56, James Coupe wrote in demon.service
(Reference: <kQu9v5lI...@gratiano.zephyr.org.uk>)


>Would this help?

It would completely remove the problem that I see.

You will have to speculate, pointlessly, whether the suggestion had been
made by testers and what, if any, was the reaction to it.

James Coupe

Mar 13, 2002, 7:01:29 PM3/13/02
In message <a6ons3$g0mm6$1...@ID-106624.news.dfncis.de>, michael lefevre
<michae...@michaellefevre.com> writes:
>> Client: I want to sign in.
>
>this isn't part of the protocol - the client indicates they want to talk
>just by opening a connection.

I was assuming some form of EHLO, USER or similar, based on POP3/SMTP.

>> Server: Received.
>> Unencrypts.
>
>this is the problem. the method used is a one-way hash - there's no way
>of unencrypting. (at least i think that's right!)

Well, all one-way hashes are potentially unencryptable with sufficient
computing power. This can even stretch to trying to simulate the most
likely values of random seeds, too. This is getting into very far-
fetched realms for most Demon dialups, however.

michael lefevre

Mar 13, 2002, 8:05:28 PM3/13/02
In article <2EK5qo+Z...@gratiano.zephyr.org.uk>, James Coupe wrote:
> In message <a6ons3$g0mm6$1...@ID-106624.news.dfncis.de>, michael lefevre
> <michae...@michaellefevre.com> writes:
>>> Client: I want to sign in.
>>
>>this isn't part of the protocol - the client indicates they want to talk
>>just by opening a connection.
>
> I was assuming some form of EHLO, USER or similar, based on POP3/SMTP.

this _is_ POP3. rather than having the POP3 client give an initial
command that says "hi, i want to use APOP", the server simply includes
the key in the greeting, so the first command the client gives is the
equivalent of "USER", except that it's encrypted (with the key)

>>this is the problem. the method used is a one-way hash - there's no way
>>of unencrypting. (at least i think that's right!)
>
> Well, all one-way hashes are potentially unencryptable with sufficient
> computing power. This can even stretch to trying to simulate the most
> likely values of random seeds, too.

well yes, but if the server had to decrypt the password by that kind of
brute force every time someone made a POP3 connection, i fear it wouldn't
perform too well :)

> This is getting into very far-
> fetched realms for most Demon dialups, however.

indeed. basically the sensible way of doing it is with the POP3 AUTH that
i looked up... however, there's no support for that in most clients, or
servers. it would make more sense to move to IMAP, or do POP3 over SSL.
either of those is still rather a big jump.

--
michael
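The APOP exchange michael lefevre describes in this post and in his earlier one (server puts a timestamp banner in its greeting, the client sends MD5 of banner plus password, the server recomputes the digest from its own cleartext copy), worked through on both sides as an added example that is not code from the thread. The username, password, hostnames and the process-id/clock values are constructed; the one known-answer vector is the RFC 1939 section 7 example.

```python
"""APOP (RFC 1939 section 7) challenge/response, client and server side.

Constructed example: the user, secret and hostnames below are made up.
"""
import hashlib
import hmac
import os
import time


def make_apop_greeting(host, pid=None, clock=None):
    """Server side: the +OK greeting carries a banner <process-id.clock@host>.
    It must differ on every connection; that is all that stops a captured
    digest from being replayed (footnote [1] in the thread)."""
    pid = os.getpid() if pid is None else pid
    clock = int(time.time()) if clock is None else clock
    return f"+OK POP3 server ready <{pid}.{clock}@{host}>"


def extract_banner(greeting):
    """Pull the <...> banner out of the greeting; a server that does not
    offer APOP simply omits it, and old clients ignore it."""
    start = greeting.find("<")
    end = greeting.find(">", start)
    if start == -1 or end == -1:
        return None
    return greeting[start:end + 1]


def apop_digest(banner, password):
    """MD5 over banner || password as 32 lowercase hex digits. Both ends
    compute this, so the server must hold the same cleartext password."""
    return hashlib.md5((banner + password).encode("utf-8")).hexdigest()


def client_apop_command(greeting, username, password):
    """Client side: the first command of the session, replacing USER/PASS."""
    banner = extract_banner(greeting)
    if banner is None:
        raise ValueError("server did not offer APOP")
    return f"APOP {username} {apop_digest(banner, password)}"


def server_verify_apop(command, banner, cleartext_db):
    """Server side: recompute the digest from the stored cleartext password
    and compare in constant time. There is nothing here to 'unencrypt'."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    _, username, digest = parts
    stored = cleartext_db.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(apop_digest(banner, stored), digest.lower())


def apop_session(cleartext_db, username, password, host, pid, clock):
    """One full exchange; returns (greeting, client command, accepted?)."""
    greeting = make_apop_greeting(host, pid, clock)
    command = client_apop_command(greeting, username, password)
    ok = server_verify_apop(command, extract_banner(greeting), cleartext_db)
    return greeting, command, ok


def replay_is_rejected(cleartext_db, username, password, host):
    """A digest captured in one session is useless against a later session
    because the banner (and so the digest) has changed."""
    _, captured, first_ok = apop_session(cleartext_db, username, password, host, 1000, 1)
    later_banner = extract_banner(make_apop_greeting(host, 1001, 2))
    replayed_ok = server_verify_apop(captured, later_banner, cleartext_db)
    return first_ok and not replayed_ok


def hashed_store_cannot_verify(username, password, host):
    """Why the server needs cleartext: if it kept only a one-way hash of the
    password (/etc/passwd style), the digest it derives never matches."""
    hashed_db = {username: hashlib.sha256(password.encode("utf-8")).hexdigest()}
    greeting = make_apop_greeting(host, 42, 3)
    command = client_apop_command(greeting, username, password)
    return not server_verify_apop(command, extract_banner(greeting), hashed_db)


def rfc1939_worked_example():
    """The interoperability vector printed in RFC 1939: secret 'tanstaaf'."""
    return apop_digest("<1896.697170952@dbc.mtview.ca.us>", "tanstaaf")


if __name__ == "__main__":
    db = {"alice": "correct horse battery staple"}  # constructed
    host = "pop3.example.invalid"                   # constructed
    print(apop_session(db, "alice", db["alice"], host, 1896, 697170952))
    print("replay rejected:", replay_is_rejected(db, "alice", db["alice"], host))
    print("hashed store fails:", hashed_store_cannot_verify("alice", db["alice"], host))
```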

Denis Mcmahon

Mar 13, 2002, 5:11:43 PM3/13/02
John Underwood <ab...@the-underwoods.org.uk> wrote:

>This has been stated and repeated so often by Demon staff and users with
>no contradiction that it is unlikely to be false. It is an inherent
>feature of POP3 and has always, in my experience, been given by Demon as
>the reason they insist on a different password for POP3 if you access it
>from anything other than your dial-up.

Right, so the way to prevent your nightmare scenario is simply to set
a long complicated pop3 password whilst dialled into demon and then
not to use pop3 or webmail at all.

Sorted. Next?

Demon have implemented what will be seen by many as an enhancement,
and in many cases an often requested enhancement, to the webmail
service. That you see it as a not enhancement is a case that you and
others will have to argue about in court, I will happily state for the
record that as a customer I see it as an enhancement, albeit one that
increases the requirement that the user be aware of certain issues and
handle their password in an appropriate manner. The risk of having
your email forged is no greater under the new system than the risk of
having your email deleted was under the old one, although of course
the possibility of forging sent email may make the new system more
attractive to attack by the spammerati[1].

Rgds
Denis

[1] I think I just made this up[2], and I think it's a good word for
spamming rats!

[2] Google shows 3 hits in 1997, so I can't claim it as my own! Damn!
--
Denis McMahon / +44 7802 468949 / de...@pickaxe.demon.co.uk
Top-posters, posters of adverts & binaries are scum. Killfile!
Block [a.b.*.*] of any UC/BE relay. Posts > 100 lines ignored.
sulfnbk is not a virus, see the symantec virus encyclopaedia!

Clive D. W. Feather

Mar 13, 2002, 5:14:10 PM3/13/02
In article <4zSv$NCAY7...@MID.the-underwoods.org.uk>, John Underwood
<ab...@the-underwoods.org.uk> writes

>Why should one customer's needs be denied in order to provide something
>for some others - not all by any means.

"The needs of the many outweigh the needs of the few, or the one."
[ObRant: that was a crap film.]

I don't believe that your threat model constitutes a "feature" that
Demon have advertised or committed to retaining. Nevertheless, I am sure
that the issue is being considered.

>How many customers does Demon expect to gain by this step? How many
>will it actually lose? They may gain a customer or more, but it is
>looking increasingly as if they will certainly lose at least one.

This is, of course, a commercial issue.

>A little less intransigence might have helped.

I fail to see the intransigence; I don't believe there's been an
official comment on the topic.

>Remember Demon, I pay you, the relationship is not the other way round
>and can easily be terminated.

True. Equally, if a feature cost more than 240 pounds [number picked to
match a 5% discount rate] to add, is it worth it to retain just one
customer ?

--
Clive D.W. Feather, writing for himself | Home: <cl...@davros.org>
Tel: +44 20 8371 1138 (work) | Web: <http://www.davros.org>
Fax: +44 870 051 9937 (NOTE CHANGE) | Work: <cl...@demon.net>
Written on my laptop; please observe the Reply-To address

Clive D. W. Feather
Mar 13, 2002, 5:17:46 PM
In article <4SQ$XRDKP6...@MID.the-underwoods.org.uk>, John Underwood
<ab...@the-underwoods.org.uk> writes

>>The other way of sending passwords to a POP3 server is APOP. However,
>>this requires the server operator to keep your plaintext password;
>>something that Demon doesn't do.
>
>I have long wondered why not? After all, it would only be used for
>POP3, not for login, and it could be deposited securely, within a local
>dial-up.

However, it means that there is a big master file of valid passwords
accessible from a number of machines. That makes *all* of those machines
a target. This is a judgement call, I agree, but it's one that Demon has
to make, not you. I also think it goes against past commitments made by
Demon.

The present system doesn't store any password in a form that could be
useful to an attacker.

Clive D. W. Feather
Mar 13, 2002, 5:10:28 PM
In article <qyy7$JCAL6...@MID.the-underwoods.org.uk>, John Underwood
<ab...@the-underwoods.org.uk> writes

>>Or they could delete it before you saw it.
>
>As you point that out, I would suggest that web mail has always been
>defective in that it allowed that to happen and, therefore, it should
>always have been possible to disable it for any form of access.

Since DELE is a basic part of the POP3 specification, and since reading
email usually includes removing it from the transit server, that seems
less than essential to me. Put it another way, I've *never* heard of
that being requested.

>>You may not have completely thought through your threat model.
>True, but I would still put that threat a long way below the ability to
>send mail

If so, then I think you have an, um, unusual threat model.

And I believe that many of your messages in this thread can be
summarised as "I don't care about losing mail, but I don't want anyone
to pretend to be me and Demon haven't considered my case important
enough to do something about".

Graham McDermott
Mar 13, 2002, 7:16:25 PM
In article <a6omr8$frfgt$1...@ID-106624.news.dfncis.de>, michael lefevre
<michae...@michaellefevre.com> writes

> the issue that Richard
>mentioned is that the passwords have to be stored on Demon's POP3 server
>in cleartext.

Sorry, but to pick up on that one point - why do they have to be stored
in cleartext?

I'm most definitely no expert on encryption and security but why can't
they be stored in some unidirectional mangled format? Apply mangling to
entered password and compare mangled forms?

--
GMcD

Dr S N Henson
Mar 13, 2002, 6:03:13 PM
In article <w8KyexGn...@romana.davros.org>, clive@on-the-
train.demon.co.uk says...

> In article <LJfm55fN...@gratiano.zephyr.org.uk>, James Coupe
> <ja...@zephyr.org.uk> writes

> >>>>The other way of sending passwords to a POP3 server is APOP. However,
> >>>>this requires the server operator to keep your plaintext password;
> >>>>something that Demon doesn't do.
>
> >Can I ask what's so special about APOP that it can't be stored in a
> >similar fashion to /etc/passwd type things i.e. post-crypto?
>
> APOP basically works by taking your password, adding some text to it
> (including, IIRC, the date and time), and encrypting the lot. Both ends
> do this separately and the server compares the client's version with its
> own.
>

<Digs out spec>

It's actually MD5(banner_id||password) where banner_id is part of the
initial connection banner greeting and should be different each time to
thwart dictionary attacks.

This does indeed need access to the plain text password. If it had been
done differently, even MD5(password||banner_id) this wouldn't have been
the case though something more sophisticated would be preferable.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: she...@drh-consultancy.demon.co.uk
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: stephen...@gemplus.com PGP key: via homepage.
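The exchange Steve describes, as an added example that is not part of the thread or of any Demon or OpenSSL code: the real APOP computation MD5(banner_id||password) checked against the worked example in RFC 1939 (banner_id `<1896.697170952@dbc.mtview.ca.us>`, password `tanstaaf`), which forces the server to hold the plaintext; then the hypothetical reversed order MD5(password||banner_id), where the server can keep only the digest context, and the follow-on point that a stolen context answers any challenge anyway. The greeting format, hostname and the use of Python's `hashlib` copyable contexts are my assumptions for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample credential (the password from RFC 1939's own APOP example);
# not a real account on any server.
SAMPLE_PASSWORD = "tanstaaf"
# The banner_id from that same RFC example, so the digest can be checked against the RFC.
RFC_BANNER_ID = "<1896.697170952@dbc.mtview.ca.us>"


def make_greeting(hostname="pop.example.net", pid=1896, ts=None):
    """Server greeting: '+OK POP3 server ready <pid.timestamp@host>' (hostname assumed).
    The angle-bracketed part is the per-connection banner_id, which should
    differ on every connection so a captured digest cannot be replayed."""
    if ts is None:
        ts = int(time.time())
    return f"+OK POP3 server ready <{pid}.{ts}@{hostname}>"


def banner_id(greeting):
    """Extract the '<...>' banner_id from the greeting line, as the client does."""
    start = greeting.index("<")
    end = greeting.index(">", start)
    return greeting[start:end + 1]


def apop_client_digest(bid, password):
    """Client side of real APOP: MD5(banner_id || password) as 32 lowercase hex digits."""
    return hashlib.md5((bid + password).encode("ascii")).hexdigest()


def apop_server_verify(stored_plaintext, bid, client_digest):
    """Server side of real APOP. The server recomputes the same MD5 over
    banner_id || password; because banner_id comes first it cannot precompute
    anything, so it has to hold the plaintext password (or a reversible encryption)."""
    expected = apop_client_digest(bid, stored_plaintext)
    return hmac.compare_digest(expected, client_digest)


# Hypothetical variant from the thread (NOT the RFC 1939 scheme): MD5(password || banner_id).
# Because the password is absorbed first, the server can keep the MD5 context after
# absorbing it and discard the plaintext.

def variant_client_digest(password, bid):
    return hashlib.md5((password + bid).encode("ascii")).hexdigest()


def variant_server_context(password):
    """Absorb the password once; what gets stored is this digest context, not the password.
    hashlib objects are copyable in-process, which is enough to show the idea; persisting
    the context to disk would need an MD5 implementation that exposes its internal state
    (the 'fiddling' mentioned in the post)."""
    return hashlib.md5(password.encode("ascii"))


def variant_server_verify(ctx, bid, client_digest):
    h = ctx.copy()              # never mutate the stored context
    h.update(bid.encode("ascii"))
    return hmac.compare_digest(h.hexdigest(), client_digest)


def answer_from_stolen_context(ctx, bid):
    """The catch: whoever holds the stored context can finish the computation for any
    fresh banner_id without knowing the password, so the context is itself a
    password-equivalent and must be protected just as carefully."""
    h = ctx.copy()
    h.update(bid.encode("ascii"))
    return h.hexdigest()


def run_exchange():
    """One real APOP login and one variant login; True if both behave as described."""
    greeting = make_greeting()
    bid = banner_id(greeting)
    # Real APOP: succeeds only because the server side holds the plaintext.
    ok_real = apop_server_verify(SAMPLE_PASSWORD, bid, apop_client_digest(bid, SAMPLE_PASSWORD))
    # Variant: the server holds a context, and a thief of that context logs in too.
    ctx = variant_server_context(SAMPLE_PASSWORD)
    ok_variant = variant_server_verify(ctx, bid, variant_client_digest(SAMPLE_PASSWORD, bid))
    thief_ok = variant_server_verify(ctx, bid, answer_from_stolen_context(ctx, bid))
    return ok_real and ok_variant and thief_ok


if __name__ == "__main__":
    print("RFC 1939 digest:", apop_client_digest(RFC_BANNER_ID, SAMPLE_PASSWORD))
    print("exchange behaved as described:", run_exchange())
```

Running it reproduces the RFC's digest `c4c9334bac560ecc979e58001b3e22fb` for the real scheme, and shows that in the variant the stored context lets a thief authenticate as readily as the legitimate client, which is the point Steve makes in his follow-up.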

Clive D. W. Feather
Mar 13, 2002, 5:20:23 PM
In article <LJfm55fN...@gratiano.zephyr.org.uk>, James Coupe
<ja...@zephyr.org.uk> writes

>>>>The other way of sending passwords to a POP3 server is APOP. However,
>>>>this requires the server operator to keep your plaintext password;
>>>>something that Demon doesn't do.

>Can I ask what's so special about APOP that it can't be stored in a
>similar fashion to /etc/passwd type things i.e. post-crypto?

APOP basically works by taking your password, adding some text to it
(including, IIRC, the date and time), and encrypting the lot. Both ends
do this separately and the server compares the client's version with its
own.

This requires the server to have access to the true password.

Clive D. W. Feather
Mar 13, 2002, 5:22:10 PM
In article <nih4L1EN...@MID.the-underwoods.org.uk>, John Underwood
<ab...@the-underwoods.org.uk> writes

>At what stage in that does the password get sent outside the ISP's
>network in plain form? If it is it has the same security implications,
>if it doesn't get sent in that way then there are no security
>implications - or rather the security implications are the same as for
>the dial-up password.

Not true. The dial-up password has to be intercepted actively; it's not
stored at the ISP in a useable form [*]. An APOP password would have to
be stored in plaintext or using a trivially reversible encryption.

[*] Yes, I'm aware that there are dictionary attacks. But a sensible
password can't be broken that way.

Dr S N Henson
Mar 13, 2002, 8:26:15 PM
In article <MPG.16fa03d26...@news.demon.co.uk>,
stephen...@gemplus.com says...
> In article <y4h$o$AmB+j...@highwayman.com>, ric...@highwayman.com
> says...
> > In article <MPG.16f9eae81...@news.demon.co.uk>, Dr S N Henson
> > <stephen...@gemplus.com> writes

> >
> > >It's actually MD5(banner_id||password) where banner_id is part of the
> > >initial connection banner greeting and should be different each time to
> > >thwart dictionary attacks.
> > >
> > >This does indeed need access to the plain text password. If it had been
> > >done differently, even MD5(password||banner_id) this wouldn't have been
> > >the case
> >
> > You'd better explain that more clearly - because I don't think it's true
> >
>
> I was thinking in terms of storing the MD5 context instead of the plain
> text password. That can be done if it's MD5(password||banner_id) possibly
> with some fiddling but the standard alas requires
> MD5(banner_id||password).
>

Which of course wouldn't stop an attacker being able to steal the digest
context from storage and answer the challenge... Argh!!

Stuart Millington
Mar 13, 2002, 6:37:12 PM
On Wed, 13 Mar 2002 10:06:30 +0000, "Clive D. W. Feather"
<cl...@on-the-train.demon.co.uk> wrote:

>The other way of sending passwords to a POP3 server is APOP. However,
>this requires the server operator to keep your plaintext password;
>something that Demon doesn't do.

I'm probably being thick here! But, I assume this is different to
the TCP->Stunnel discussed here?:

http://www.mandrakeuser.org/docs/secure/spop.html

This does not appear to require Demon to hold plain-text passwords,
just a cert for the SSL. Of course I'm missing some reason why this -
or similar methods - won't work, are insecure or are commercially
unviable - or aren't I?

Richard Clayton
Mar 13, 2002, 8:11:35 PM
In article <aYNuiJAZ...@bankieboy.demon.co.uk>, Graham McDermott
<gra...@bankieboy.demon.coNOSPAM.uk> writes

>In article <a6omr8$frfgt$1...@ID-106624.news.dfncis.de>, michael lefevre
><michae...@michaellefevre.com> writes
>> the issue that Richard
>>mentioned is that the passwords have to be stored on Demon's POP3 server
>>in cleartext.
>
>Sorry, but to pick up on that one point - why do they have to be stored
>in cleartext?

because to use APOP there has to be a shared secret

>I'm most definitely no expert on encryption and security but why can't
>they be stored in some unidirectional mangled format?

that's the way they are now ... but it requires you to present the
plaintext form so that the server can do the mangling and compare the
values

if the far end did the mangling and that was accepted then the mangled
forms effectively become cleartext passwords ((remember you've only got
the remote end's word for it that they actually did the mangling, they
might present the value directly))

>Apply mangling to
>entered password and compare mangled forms?

see above ... this works fine within an encrypted tunnel -- but most
people don't have the ability to do SSL tunnels for their POP3 traffic
and even if they did, the server would need to be a little bit beefier
to deal with the overhead!

Dr S N Henson
Mar 13, 2002, 7:52:13 PM
In article <y4h$o$AmB+j...@highwayman.com>, ric...@highwayman.com
says...
> In article <MPG.16f9eae81...@news.demon.co.uk>, Dr S N Henson
> <stephen...@gemplus.com> writes
>
> >It's actually MD5(banner_id||password) where banner_id is part of the
> >initial connection banner greeting and should be different each time to
> >thwart dictionary attacks.
> >
> >This does indeed need access to the plain text password. If it had been
> >done differently, even MD5(password||banner_id) this wouldn't have been
> >the case
>
> You'd better explain that more clearly - because I don't think it's true
>

I was thinking in terms of storing the MD5 context instead of the plain
text password. That can be done if it's MD5(password||banner_id) possibly
with some fiddling but the standard alas requires
MD5(banner_id||password).

Steve.

Richard Clayton
Mar 13, 2002, 6:47:00 PM
In article <y4h$o$AmB+j...@highwayman.com>, Richard Clayton
<ric...@highwayman.com> writes

>Alternative schemes depend on tokens that only the valid user has
>(either a physical token that can be challenged, or a signed certificate
>whose authenticity can be checked or that the bad guys cannot forge).

/or that/and that/ ! of course !

Richard Clayton
Mar 13, 2002, 6:27:34 PM
In article <MPG.16f9eae81...@news.demon.co.uk>, Dr S N Henson
<stephen...@gemplus.com> writes

>It's actually MD5(banner_id||password) where banner_id is part of the
>initial connection banner greeting and should be different each time to
>thwart dictionary attacks.
>
>This does indeed need access to the plain text password. If it had been
>done differently, even MD5(password||banner_id) this wouldn't have been
>the case

You'd better explain that more clearly - because I don't think it's true

APOP is at heart a shared secret scheme. You authenticate a user because
they demonstrate knowledge of the secret. Because of the way it works,
the secret does not travel over the link in cleartext, but it must be
stored securely at each end.

One can store an encrypted version of the shared secret but you must
either decrypt it before use (which means you must protect the
decryption key) -- or you use the encrypted form - which makes it in
itself the sensitive info you must protect. Recursing round by
encrypting again doesn't get you anywhere. A shared secret means that
the server must have a secret!

Alternative schemes depend on tokens that only the valid user has
(either a physical token that can be challenged, or a signed certificate
whose authenticity can be checked or that the bad guys cannot forge).

However, not many clients have these ((and indeed not all that many can
manage APOP)).

>though something more sophisticated would be preferable.

I don't think Demon wishes to get into the PKI business just to allow
people to read email in cybercafes

If the real threat model was sniffers (and I really don't think that it
is, there's much easier ways of getting passwords from a cybercafe) then
SSL connections would be relevant.

Demon staff use physical tokens to secure SSL tunnels. They aren't in
the least bit cheap!

Richard Clayton
Mar 13, 2002, 6:34:37 PM
In article <wTWt34CS...@MID.the-underwoods.org.uk>, John Underwood
<ab...@the-underwoods.org.uk> writes

>On Wed, 13 Mar 2002 at 14:44:19,

actually I didn't .. that was the time where I am - not where you are

>Richard Clayton wrote in demon.service
>(Reference: <bs819cBT...@highwayman.com>)
>
>
>>it significantly changes the risk profile for protection of the server
>
>You don't realise how glad I am to hear that.
>
>You are concerned that POP3 passwords may be compromised

Demon is concerned that all passwords may be compromised. That's why
they are treated the way that they are.

>so instead of
>authentication, we have to send them in plain text. Now you really have
>confirmed my worst fears. For whose benefit it that neat bit of odd
>logic.

Demon's users

>I said
>>> After all, it would only be used for POP3,
>>>not for login, and it could be deposited securely,
>>
>>an interesting concept of itself
>>
>Why?

I don't think it is especially easy to store hundreds of thousands of
keys in a secure manner in an ISP environment. That's why Demon has
never done this - but has stored the keys after they have been pushed
through a 1-way function

Naturally Demon tries very hard to ensure security, but there is no such
thing as absolute security - so the systems design does not rely upon it

>I am merely suggesting that one possibility would be that changing
>the password could be restricted to a secure connection such as that
>from a direct dial up.

That's a trade-off between security and function. Such trade-offs are
made all the time.

>>> within a local
>>>dial-up.
>>
>>this doesn't sound right... it would have to be in a database that the
>>POP3 server had access to
>
>So how does the server communicate with the database going outside the
>Demon network.

It doesn't. Authentication is done by taking the incoming secret,
pushing it through a 1-way function and determining if there is a match
with the value stored on the server.

In the unlikely event of the value being stolen there would not be a
practical way of recovering all the secrets (though of course the people
with weak passwords might be compromised - hence all the advice to set a
strong, hard to guess, password).

--
richard richard.clayton @ h i g h w a y m a n . com

"Assembly of Japanese bicycle require great peace of mind" quoted in ZAMM
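The storage scheme Richard describes in his replies to Graham (the server does the "mangling" of a presented plaintext) and to John (secrets kept only after a 1-way function, so a stolen store exposes weak passwords but not strong ones), as an added example that is not part of the thread and not Demon's code. The choice of PBKDF2-HMAC-SHA256 as the one-way function, the user names, the passwords and the tiny wordlist are all my own constructions; the thread says only that a 1-way function is used.

```python
import hashlib
import hmac
import os

# Work factor for the one-way function. PBKDF2-HMAC-SHA256 is an assumed choice for
# this example; lowered from production values so the example runs quickly.
ITERATIONS = 20_000


def one_way(password, salt):
    """The 'mangling': a salted, iterated one-way function of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(store, user, password):
    """Keep only salt and mangled form; the plaintext is discarded after this call."""
    salt = os.urandom(16)
    store[user] = (salt, one_way(password, salt))


def verify_plaintext(store, user, presented):
    """The scheme the thread describes: the client presents the plaintext, the server
    mangles it with the stored salt and compares. Unknown users simply fail."""
    if user not in store:
        return False
    salt, digest = store[user]
    return hmac.compare_digest(one_way(presented, salt), digest)


def verify_mangled(store, user, presented_digest):
    """The design Richard warns against: if the client may send the mangled form
    directly, a copy of the store is as good as a list of cleartext passwords,
    because a stolen digest authenticates without the password ever being known."""
    if user not in store:
        return False
    _salt, digest = store[user]
    return hmac.compare_digest(presented_digest, digest)


def audit_weak_passwords(store, wordlist):
    """What a thief of the store (or a defender auditing it) can do with a one-way
    store: hash each candidate under each user's salt. Only passwords in the list are
    recovered, which is why the advice to set a strong, hard-to-guess password
    is what limits the damage of a stolen store."""
    found = {}
    for user, (salt, digest) in store.items():
        for candidate in wordlist:
            if hmac.compare_digest(one_way(candidate, salt), digest):
                found[user] = candidate
                break
    return found


def build_sample_store():
    """Constructed users and passwords; not real accounts."""
    store = {}
    enroll(store, "alice", "gr8-Kettle!Marmalade-4170")   # not in any short wordlist
    enroll(store, "bob", "password1")                      # weak, in the wordlist
    return store


WORDLIST = ["123456", "password", "password1", "letmein"]  # constructed, deliberately tiny

if __name__ == "__main__":
    s = build_sample_store()
    print("alice plaintext login:", verify_plaintext(s, "alice", "gr8-Kettle!Marmalade-4170"))
    print("stolen digest accepted if mangled form is allowed:", verify_mangled(s, "bob", s["bob"][1]))
    print("weak accounts found by audit:", audit_weak_passwords(s, WORDLIST))
```

The audit shows only `bob` because his password is in the wordlist; `alice`'s survives, which is the trade-off Richard describes: the 1-way store protects everyone who chose a sensible password, and the server never needs the plaintext except at the moment it is presented.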
