Secure POP client options?
March 24, 2004 4:30 PM Subscribe
I've been reading my mail on the server for a long time, but I'm starting to provide hosting for people here, and some of them want to read their mail through a regular old POP client. Is there a secure way to provide this service? [more]
I try to keep up with the usual security measures - using firewalls/router rules, only allowing secure services like ssh and sftp over open lines, removing unnecessary services, and so on. But, this security comes at a price, and as more "average users" come into the fold, it's harder for me to justify the extra hassle for them to maintain the lockdown. I know that vanilla POP3 sends user passwords in plain text over the wire, but I'm not finding any compelling alternatives that wouldn't be a pain for a non-tech person to use. Anyone know of an easy way for someone who uses something like Eudora or Outlook or Thunderbird to get their mail from a remote server, without compromising the security of their account?
I try to keep up with the usual security measures - using firewalls/router rules, only allowing secure services like ssh and sftp over open lines, removing unnecessary services, and so on. But, this security comes at a price, and as more "average users" come into the fold, it's harder for me to justify the extra hassle for them to maintain the lockdown. I know that vanilla POP3 sends user passwords in plain text over the wire, but I'm not finding any compelling alternatives that wouldn't be a pain for a non-tech person to use. Anyone know of an easy way for someone who uses something like Eudora or Outlook or Thunderbird to get their mail from a remote server, without compromising the security of their account?
Response by poster: I've been looking at POP over SSL, but that sort of falls into the "hassle for the average user" category. The reports that I'm seeing seem to indicate that if you don't shell out for an official certificate, the user is going to get an annoying message about it every time they check their mail. Is that accurate at all?
posted by majcher at 5:33 PM on March 24, 2004
posted by majcher at 5:33 PM on March 24, 2004
Yes, they will get the annoying message, but, at least Thunderbird, allows you to permantly trust the certificate/signing CA so they won't be bothered again.
posted by thebabelfish at 5:50 PM on March 24, 2004
posted by thebabelfish at 5:50 PM on March 24, 2004
Err, "... but most mail clients, at least Thunderbird, allow you ..."
posted by thebabelfish at 5:51 PM on March 24, 2004
posted by thebabelfish at 5:51 PM on March 24, 2004
I'm pretty sure you can dodge the annoying certificate message with Outlook, but it means installing a parent certificate into Windows, which is also a pain and not really something an average user should do much of. And besides, you shouldn't run Outlook anyway. </petpeeve>
posted by Zonker at 7:37 PM on March 24, 2004
posted by Zonker at 7:37 PM on March 24, 2004
sorry if stating the obvious, but... the annoying message is there for a reason. you're wide open to a man in the middle attack - anyone can make their own unofficial certificate, spoof you, accept their connection, and forward to you, reading the data in transit (in the clear). users are not going to check certificate hashes. of course, this raises the stakes significantly - the attacker has to do more than just snoop your traffic - so this solution might be good enough.
if you get the user to install your ca certificate then you're ok, but that in itself is not trivial.
you can set up pop over ssh which is secure after the first connection (or you get the certificate hash via some other route), but it's not the kind of thing all users can set up themselves (this is what i do).
sorry, don't know of a good solution (i don't use windows for mail).
i was going to suggest you provide them with some kind of webmail alternative, but again you need a certificate for https. :o(
posted by andrew cooke at 7:30 AM on March 25, 2004
if you get the user to install your ca certificate then you're ok, but that in itself is not trivial.
you can set up pop over ssh which is secure after the first connection (or you get the certificate hash via some other route), but it's not the kind of thing all users can set up themselves (this is what i do).
sorry, don't know of a good solution (i don't use windows for mail).
i was going to suggest you provide them with some kind of webmail alternative, but again you need a certificate for https. :o(
posted by andrew cooke at 7:30 AM on March 25, 2004
You can get a real affordable GeoTrust certificate here for $49. I bought one last year from them (it was only $25 then) and the process was pretty painless.
posted by fletchmuy at 9:54 AM on March 25, 2004
posted by fletchmuy at 9:54 AM on March 25, 2004
FYI, I would never use a host that didn't support POP or IMAP over SSL. Plaintext passwords are bad, bad, bad.
posted by eamondaly at 11:00 AM on March 25, 2004
posted by eamondaly at 11:00 AM on March 25, 2004
This thread is closed to new comments.
So yeah.
posted by xmutex at 4:38 PM on March 24, 2004