From 34c9bfa23846b5140f9e769b4b45d107117e9a30 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Fri, 6 Apr 2007 19:46:17 +0000 Subject: Reword. svn path=/branches/BRANCH_6-3/; revision=5087 --- fetchmail-SA-2007-01.txt | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/fetchmail-SA-2007-01.txt b/fetchmail-SA-2007-01.txt index 7c224f93..19bb91c9 100644 --- a/fetchmail-SA-2007-01.txt +++ b/fetchmail-SA-2007-01.txt @@ -1,6 +1,6 @@ fetchmail-SA-2007-01: APOP considered insecure -Topics: The POP3/APOP authentication, by itself, is considered broken. +Topics: APOP authentication insecure, fetchmail implementation lax Author: Matthias Andree Version: 1.0 @@ -44,9 +44,13 @@ control) files for fetchmail. The POP3 standard, currently RFC-1939, has specified an optional, MD5-based authentication scheme called "APOP". -Fetchmail's POP3 client implementation however has happily accepted -random garbage as a POP3 server's APOP challenge, rather than insisting -that the APOP challenge conformed to RFC-822, as required by RFC-1939. +APOP should no longer be considered secure. + +Additionally, fetchmail's POP3 client implementation has been validating +the APOP challenge too lightly and accepted random garbage as a POP3 +server's APOP challenge, rather than insisting that the APOP challenge +conformed to RFC-822, as required by RFC-1939. + This made it easier than necessary for man-in-the-middle attackers to retrieve by several probing and guessing the first three characters of the APOP secret, bringing brute forcing the remaining characters well -- cgit v1.2.3
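Review bot: The new Topics line in the first hunk reads as a fragment ("fetchmail implementation lax") and drops the word "fetchmail" from the claim about APOP itself, so a reader skimming the header cannot tell whether the weakness is in the protocol, the client, or both. Consider a wording that names both problems as full clauses, e.g. "Topics: APOP authentication is insecure; fetchmail validated APOP challenges too laxly", which also matches the two-part structure the body now has.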
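Review bot: In the second hunk the new paragraph "APOP should no longer be considered secure." is asserted without any supporting reason, and since the advisory title is "APOP considered insecure" this is the central claim of the document; it should at least point to what weakens APOP (the MD5-based construction the preceding sentence introduces) or to a reference, so the advisory is not read as a bare opinion. The surrounding context line "to retrieve by several probing and guessing the first three characters" is also ungrammatical and, now that the "+" blank line makes "This made it easier..." its own paragraph, "This" no longer sits directly after the sentence it refers to; tightening that sentence to something like "This made it easier than necessary for a man-in-the-middle attacker to recover, through repeated probing and guessing, the first three characters of the APOP secret" would keep the causal link to the lax validation clear.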