Plain text password login for email

Discussion in 'other security issues & news' started by Jo M, Nov 8, 2004.

Thread Status:
Not open for further replies.
  1. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Hi,

    I have just purchased the DiamondCS Action Pack plus Process Guard. :cool:
    GREAT SOFTWARE! :cool:

    I just tried out Socket Spy and plugged in process IDs of my Browser (Firefox), Email client (Thunderbird) and email filter Benign. Then I used them and observed what was going on. Really Really interesting! :cool:

    The discovery I made was to do with email logins. I just hadn't realised that the passwords were forwarded as plain text! But there I saw them! And if I could see them then so could quite a few? :ninja: :ninja: :ninja:

    I have just been onto my ISP and they tell me that they don't support secure logins as yet but encouraged me to make a written comment on their site. I'm going to do that!!

    What ISPs do support secure logins for email?

    Is there any way that pressure can be brought on them to do so?? I thought perhaps a "chain mail", but that would definitely be classed as Spam? On the other hand if someone did do that then it would definitely be "ethical spam"!

    I know that options for more secure email have been there in the software for some years now so why isn't it being used yet? o_O
     
    Last edited: Nov 10, 2004
  2. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    Don't suppose you want to post your IP Address.... no, OK.
     
  3. TheSnowman

    TheSnowman Guest

    JO M


    NEVER NEVER NEVER>>>NEVER post your IP address..NEVER!!!!!


    No one should need to ever request your address be posted publicly.


    *********************************************************
     
  4. TheSnowman

    TheSnowman Guest

    JO M SAID:


    "On the other hand if someone did do that then it would definitely be "ethical spam"!"""""

    ******************



    Maybe the spammers that are on trial can use that as a defense.
     
  5. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    I'm not sure I'm understanding correctly what JoM's experiencing, could we back up a step or two?

    Does Jo mean the password appears onscreen while being entered as plain text rather than the more or less "standard" asterisks? Or that they're encrypted only onscreen but plain-text in all other respects?

    I use Eudora off my local ISP, and set it to "remember password" the first time I logged in, so I never see it (it's remembered by Eudora, rather than in the usual Win files) and haven't a clue how it's sent to the server.
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    That seems to be the case for pop3. In the open.

    The most current version of the standard POP protocol is POP3.

    There are, however, a variety of lesser-used POP protocol variants:

    APOP — POP3 with MDS authentication. An encoded hash of the user's password is sent from the email client to the server rather than sending an unencrypted password.

    KPOP — POP3 with Kerberos authentication.

    RPOP — POP3 with RPOP authentication. This uses a per-user ID, similar to a password, to authenticate POP requests. However, this ID is not encrypted, so RPOP is no more secure than standard POP.

    The above definitions came from the Red Hat Linux manual.

    Red Hat
     
  7. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Hi MikeBCda,

    if you had Port Explorer you could get it to listen in to Eudora as it logs you into your ISP's email server. From the sound of what you say you would find that there is NO SECURITY over the passwords at all. Anybody with a packet sniffer has the capability to read and log your email passwords without even having to crack a code!

    I have known for some time that my Email Client Thunderbird (and even the former Outlook Express!) have a secure connection SSL setting or secure authentication setting or both. Since I can't use them I don't know which one it is!

    But I hadn't quite realised that the passwords were transmitted in PLAIN TEXT for all to see and that IT IS SO EASY TO SNIFF THE PACKETS.

    So yes, the illusion of safety when you see the ***'s is just an illusion. They are TRANSMITTED as "mydogbill" or whatever! I think it might be more honest of the email clients to skip the ****'s to make it clear that there is no encryption going on.

    Well the only benefit of the ***'s is to stop the wife seeing your email password as you type it in and reading all your emails from your Girl Friend! Just kidding!

    Regards Jo M
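
The difference between the plain POP3 login Jo M describes and the APOP variant listed in post 6, shown as an added example that is not part of the original thread: the script reads a POP3 session transcript and reports what a passive observer of each login would have read. The session text, host name, user name and function names are constructed for illustration; the APOP digest follows RFC 1939, which defines it as the MD5 of the server's banner timestamp followed by the password.

```python
import hashlib
import re

APOP_RE = re.compile(r"^APOP (\S+) ([0-9a-f]{32})$", re.I)
BANNER_TS_RE = re.compile(r"<[^<>\s]+@[^<>\s]+>")

def apop_digest(timestamp: str, password: str) -> str:
    """RFC 1939 APOP digest: hex MD5 of banner timestamp + shared secret."""
    return hashlib.md5((timestamp + password).encode("ascii")).hexdigest()

def audit_pop3(transcript: str) -> list:
    """List each login step and whether the secret itself was readable."""
    findings, timestamp, banner_seen = [], None, False
    for raw in transcript.strip().splitlines():
        side, _, text = raw.strip().partition(": ")
        verb, _, arg = text.partition(" ")
        if side == "S" and not banner_seen:
            # Only the greeting can carry the APOP challenge timestamp.
            banner_seen = True
            found = BANNER_TS_RE.search(text)
            timestamp = found.group(0) if found else None
        elif side == "C" and verb.upper() in ("PASS", "RPOP"):
            # PASS and RPOP send their argument exactly as typed.
            findings.append({"mechanism": verb.upper(),
                             "secret_readable": True, "seen": arg})
        elif side == "C" and (m := APOP_RE.match(text)):
            # APOP sends only a digest bound to this session's challenge.
            findings.append({"mechanism": "APOP", "secret_readable": False,
                             "seen": m.group(2), "challenge": timestamp})
    return findings

# Constructed sample sessions (not captured traffic); "mydogbill" is the
# example password used in the thread above.
PLAIN_SESSION = """
S: +OK POP3 server ready
C: USER jo
S: +OK
C: PASS mydogbill
S: +OK mailbox locked and ready
"""
CHALLENGE = "<1234.5678@mail.example.net>"
APOP_SESSION = f"""
S: +OK POP3 server ready {CHALLENGE}
C: APOP jo {apop_digest(CHALLENGE, "mydogbill")}
S: +OK mailbox locked and ready
"""

if __name__ == "__main__":
    for name, session in (("USER/PASS", PLAIN_SESSION), ("APOP", APOP_SESSION)):
        print(name, audit_pop3(session))
```

APOP keeps the password itself off the wire, but the challenge and digest are still visible to an observer, so the SSL/TLS option in the mail client is the setting that protects the whole session.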
     
  8. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Hi Ronjor,

    thanks for the info. Which of those protocols corresponds to my email clients settings of
    "Secure connection (SSL)" or "Secure Authentication"?

    Do any ISPs use them yet?
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    Jo M

    I really don't know the isp info. I'm not sure how common it is in general use.

    Here is an interesting page you may want to see.

    Stay Invisible
     
  10. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Hi Jimbob and Snowman,

    I can't SEE where I have posted my IP address o_O

    If you can see it somehow then please tell me how and I'll definitely do something about it! I did copy and paste the post from elsewhere on the Forum as requested by a moderator. I wondered if that had done something funny?? (The Icons certainly didn't copy) Well you're right it wouldn't be funny!!

    Regards Jo M

    PS. Perhaps when I said I put in the various "PROCESS ID's" you thought I meant my IP? No you got that wrong! Process ID refers to the number ID which your local operating system gives to the various programs and windows services that are running on your local computer.

    PPS. Or is it that you Jimbob are an opportunistic Hacker o_O
     
  11. TheSnowman

    TheSnowman Guest

    JO M


    No, you did not post your IP address........and I just wanted to warn you not to do so.

    ***************
     
  12. TheSnowman

    TheSnowman Guest

    JIMBOB said:


    **Don't suppose you want to post your IP Address.... no, OK.**



    ******************************************



    JO M


    the above post may have been nothing more than the poster mis-understanding.............of you posting this:


    _____________________________
    ***Is there any way that pressure can be brought on them to do so?? I thought perhaps a "chain mail", but that would definitely be classed as Spam? On the other hand >if someone did do that then it would definitely be "ethical spam"!<****

    ____________________________


    such misunderstandings do happen.......usually meaningless. In this case no harm done...since you did not post your IP address......
     
  13. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Thanks Ron. The site is interesting.

    Jo M
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    You're welcome Jo M. Your bringing up this topic is interesting as well.
    Most of us don't give it any thought.
    It's a good case for using a web based mail service that uses encryption.
     
  15. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    TheSnowman,

    to clear up the misunderstanding what I was suggesting was for people to start a chain of emails as follows. Each person taking the trouble to email 5 or 10 of their friends or colleagues with info about the lack of proper security in the currently used email protocols and urging their friends to do what I am going to do which is to contact my ISP directly and complain/urge them to implement more secure methods for our email. Then to contact 5 more friends or colleagues and do the same. Actually not technically Spam? Just "Chain Mail" or "Pyramid Mail" (but with no profit motive!) Some people might not welcome it? More fool them?

    Regards Jo M
     
  16. TheSnowman

    TheSnowman Guest

    JO M


    My last post was made BEFORE seeing this:


    https://www.wilderssecurity.com/showthread.php?t=53901




    so maybe I owe you an apology......you questioned wisely.

    * I understood the meaning of your post but thought perhaps "someone" else may have not.............not so sure now. But whatever the case.....no harm done.*

    also, my apology for all the off-topic posts......glad you found an answer with the help of Mike and Ron..........
     
  17. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Thanks The Snowman,

    that link was very interesting!

    Jo M
     
  18. Czerno

    Czerno Guest

    Hi Jo M!
    Quote :
    what I was suggesting was for people to start a chain of emails as follows. ...
    End quote.

    Just because you have just discovered the obvious does not mean you should add pain to injury by starting a mail chain of sorts !!!

    I would suggest you read and study and experiment with (Telnet your POP server!) and meditate over the relevant RFC (request for comments - the internet "standards", which you can find easily by Googling for RFC) rather than trying to start that nonsense ;-)

    Sorry if it seems too harsh, I really mean what I just wrote.
    Plus, if I may add a hint, the solution to your perceived problem is well known : ask your internet provider if they offer /secured/ POP or IMAP access, and if they don't, change providers (or suffer ... silently).

    Cheers

    --
    Czerno
     
  19. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Hi Czerno,

    I have asked my ISP already. They don't. THEY suggested making it more official with a written request on their web site, which I HAVE DONE.

    For my own reasons I don't wish to change ISP right now. So I may have to do the suffering in silence that you suggest? Well no! I may be English. The English may normally "suffer in silence" a lot but I don't see why I shouldn't complain!!

    My suggestion amounted to the assumption that one person will not be heard but IF other people also want more secure email then if a lot of requests/complaints could be made to the ISPs concerned then this would have more impact!!

    Nobody has yet given any names of ISPs that do encryption for the password for login. I am in the UK. Are there any?

    Could I humbly suggest that if you can't answer that last question with some simple names then you should be the one suffering my complaints/requests in silence!

    Regards Jo M
     
  20. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Hi Czerno,

    I would like to add that I have just looked up some of the RFCs on Secure email.

    Sorry your suggestion doesn't help me, an end user, in the slightest!!!
    It just seems aimed at saying you know more than me (which you may)
    and for me to shut up (which you are not entitled to!)

    Regards Jo M
     
  21. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Jimbob1989,

    I have removed your post as it is against our TOS. Please review our TOS and become familiar with it. We do not allow any derogatory personal remarks or attacks on this forum.

    Thank you for your cooperation.

    Edit: I have also removed your last post as it is off topic and has nothing to do with this thread. If you wish to start a thread concerning that topic, please post it in the appropriate forum.
     
    Last edited by a moderator: Nov 9, 2004
  22. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    encrypted web mail

    Hi Ronjor I was just reflecting on what you had said earlier (after several interruptions to this thread!) and I realised that what you said made a lot of sense. I haven't used a web based email service now for some time but I think I might just find out more:- whether the encryption they offer is a) just text, b) does the headers as well, c) does the password as well

    As far as I can see the password would be covered by the Browser's Security and the login page would show a padlock? Perhaps they don't have headers in quite the same way? I'll try to find out!

    Regards Jo M
     
  23. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    Jo M

    When you log in here, everything is encrypted.

    safe-mail
     
  24. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Ronjor is Brilliant!

    Hi Ronjor,

    :D You're totally brilliant! A Star! :D

    Thanks for various info and that link Jo M
     
  25. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    Jo M

    Thanks. Have fun.
     