November 15, 2003

POP3 Vulnerability

In my earlier post I mentioned how the POP3 servers I use do not support the APOP or AUTH command. Why is that so? Here's one thought: APOP and AUTH with the CRAM-MD5 mechanism require the server to compute an MD5 hash for every login. I'm guessing that the ISPs have optimized the POP3 servers to handle login requests. It's common for users with always-on connections to poll the POP3 server frequently to check for new mail. If a large percentage of the server's processing time is spent handling login requests, rather than actually transferring messages, then it makes sense that they would leave out the hashed mechanisms. And I could easily imagine that a login that requires computing an MD5 hash could be an order of magnitude more expensive than a simple password lookup. This seems to be a reasonable explanation.

Having said that, though, sending passwords in the clear is never a good idea. And in the case of POP3, the vulnerability goes beyond just reading someone's mail. Two of the ISPs that I use also support authenticated SMTP. The authentication is done through POP3 (the scheme usually called POP-before-SMTP). That means you must log in first to the POP3 server, and then for a limited period of time, the SMTP server will relay messages that originate from the same IP address. Therefore, if someone were to discover the POP3 user name and password, they could use the SMTP server as though it were an open relay. I would guess that there are many POP3 accounts where the user name and password are not that difficult to guess, so sniffing might not even be necessary.
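To make the contrast concrete, here is an added example (not code from the original post) that builds the two POP3 login exchanges discussed above: the plaintext USER/PASS login and the APOP challenge-response login, with the server-side check for the latter. The banner, user name, secret and digest are the worked example from RFC 1939; the transcripts are constructed here.

```python
import hashlib
import hmac

# Known-answer values from RFC 1939 section 7 (user "mrose", secret "tanstaaf").
RFC_BANNER = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
RFC_USER, RFC_SECRET = "mrose", "tanstaaf"
RFC_DIGEST = "c4c9334bac560ecc979e58001b3e22fb"


def apop_digest(banner: str, secret: str) -> str:
    """APOP digest: MD5 over the server's timestamp token (angle brackets
    included) immediately followed by the shared secret, as a hex string."""
    start, end = banner.index("<"), banner.index(">") + 1
    return hashlib.md5((banner[start:end] + secret).encode()).hexdigest()


def plain_login(user: str, password: str) -> list:
    """Constructed USER/PASS transcript: the password crosses the wire verbatim."""
    return [f"C: USER {user}", "S: +OK", f"C: PASS {password}", "S: +OK"]


def apop_login(banner: str, user: str, secret: str) -> list:
    """Constructed APOP transcript: only a per-session digest crosses the wire."""
    return [f"S: {banner}", f"C: APOP {user} {apop_digest(banner, secret)}", "S: +OK"]


def server_verify_apop(banner: str, stored_secret: str, client_digest: str) -> bool:
    """What the server must do per login: recompute the MD5 (the cost the post
    speculates about) and compare in constant time. Note the server has to
    hold the secret in cleartext for this to work."""
    expected = apop_digest(banner, stored_secret)
    return hmac.compare_digest(expected, client_digest)


def secret_on_wire(transcript: list, secret: str) -> bool:
    """Would a passive observer of this transcript see the secret itself?"""
    return any(secret in line for line in transcript)


if __name__ == "__main__":
    for line in plain_login(RFC_USER, RFC_SECRET) + apop_login(RFC_BANNER, RFC_USER, RFC_SECRET):
        print(line)
```

The digest is bound to the timestamp in the banner, so a captured APOP line cannot be replayed against a later session; the observer is left with an offline guess against the MD5, which is why APOP still needs a strong secret and why CRAM-MD5 or TLS is preferred today.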

Posted by Doug Sauder at November 15, 2003 09:49 AM