Subject: Re: netscape POP3 passwd and mails prefs
From: Robert Sherman (rsher02EMORY.EDU)
Date: Wed Apr 19 2000 - 09:29:02 CDT


i know it does appear in 4.5 on Windows...but it only appears if the user
chooses "remember my password" in the mail server prefs...the other stuff is
pretty trivial...use imap if you have the choice (or use pop3 and leave a
copy on the server)...then you can wipe out the local folders every once in
a while if you are feeling paranoid...

not being a crypto expert, i have no idea how they encrypt the
password...but then, if you choose, "remember password" in any situation,
you are asking for trouble...(not that it will stop your users from doing
it).

-rob

Simon wrote:

> Ok, I just wanted to point out a few things that probably everybody knows
> already, but which are of importance, so in case you didn't know, it
> might be of great help.
>
> I browsed the netscape preferences for my user and discovered a few
> interesting files, first of all
>
> liprefs.js
>
> ok, so, it's basically every preference for your user, anything, from
> background color to all the mime types. Anyway, let's get to the
> interesting security things, ok, so, I hope you are aware that your mail
> login is in cleartext look at this property :
>
> ("mail.pop_name", "myloginstandshere")
>
> just after that, we got
>
> ("mail.pop_password", "IKyLOqrMOTE=")
>
> which is your password, ENCODED, ouch, I feared the worst.
> Anyway, I just believe that having the login in clear is a real treat,
> and even if I don't know what encrypt. they use or how to decrypt it, I
> would be very interested if anybody knows how to decrypt this.
>
> One beer for the one who tells me my password.
>
> Ok, let's move to the even worse thing : In your user prefs, there's a
> mail folder, and in it, there's a text file for every mailfolder you
> created in netscape (inbox, sent....) well, let me tell you that, for
> some reason, netscape doesn't erase the mails, my file inbox file was
> 80megs big for only 20 msg in it, huhuh, I opened it, and, after a long
> wait (try to open a 80 meg text file on a 133mhz !) I discovered all the
> mails I had received for years, they were in clear text.
>
> Ok, now, could it be true that netscape engineers are weenies ?
>
> Sim
>
> PS tests made on mac, but win 9x is very probably the same. netscape
> 4.7, netscape 4.x is probably the same. Sorry but I had no windoze
> around this place.
>
> _____________________________________________________________________
> ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
> ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
> SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net

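
A defender's check for the two issues raised in this thread, as an added example that is not part of the original posts: it flags non-empty `mail.pop_name` / `mail.pop_password` entries in a preferences file without echoing their values, and counts messages that are still on disk in a mail folder file after being deleted in the client. The `user_pref(...)` line syntax, the `X-Mozilla-Status` header and its 0x0008 "deleted" bit are assumptions about Netscape's file formats that the thread does not state; all sample data is constructed.

```python
import re

# Matches user_pref("name", "value"); and the bare ("name", "value") form quoted in the thread.
PREF_RE = re.compile(r'^\s*(?:user_pref)?\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;?\s*$')
STATUS_RE = re.compile(r'^x-mozilla-status:\s*([0-9a-f]{1,4})\s*$', re.I)
CREDENTIAL_PREFS = {
    "mail.pop_name": "mail login stored in clear text",
    "mail.pop_password": "saved mail password, encoded on disk",
}
EXPUNGED = 0x0008  # assumption: status bit for "deleted, folder not yet compacted"

def audit_prefs(text):
    """Return (line_no, pref_name, note) for each non-empty credential pref."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = PREF_RE.match(line)
        if m and m.group(1) in CREDENTIAL_PREFS and m.group(2):
            # The stored value is deliberately left out of the report.
            findings.append((no, m.group(1), CREDENTIAL_PREFS[m.group(1)]))
    return findings

def audit_mbox(text):
    """Return (messages_on_disk, messages_flagged_deleted) for a mail folder file."""
    total = deleted = 0
    in_headers = False
    for line in text.splitlines():
        if line.startswith("From "):       # mbox message separator
            total += 1
            in_headers = True
        elif in_headers and line == "":    # blank line ends the header block
            in_headers = False
        elif in_headers:
            m = STATUS_RE.match(line)
            if m and int(m.group(1), 16) & EXPUNGED:
                deleted += 1
    return total, deleted

# Constructed sample input, not taken from a real profile.
SAMPLE_PREFS = (
    'user_pref("browser.startup.page", 1);\n'
    'user_pref("mail.pop_name", "exampleuser");\n'
    'user_pref("mail.pop_password", "Q09OU1RSVUNURUQ=");\n'
)
SAMPLE_MBOX = (
    "From - Mon Apr 17 10:00:00 2000\nX-Mozilla-Status: 0001\n\nkept\n"
    "From - Mon Apr 17 10:05:00 2000\nX-Mozilla-Status: 0009\n\ndeleted in the client\n"
    "From - Mon Apr 17 10:09:00 2000\nX-Mozilla-Status: 0008\n\ndeleted in the client\n"
)
```

A folder where the second number is large relative to the first still holds old mail on disk and is a candidate for compaction or secure deletion.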