FROM : Matt Burnett
DATE : Wed May 14 02:40:06 2008
Now you're talking about hackers instead of spammers. It is hard to
sniff an HTTP session; you have to penetrate your victim's network
enough to be able to do so. I really doubt a spammer would spend all
the time it would take to penetrate your network and parse through gigs of
HTTP session dumps just to be able to spam from one account or
server. Even if they did go through all this trouble, most email
accounts have quotas to prevent people from spamming with them.
And there are tons of SMTP servers which are configured to allow
plaintext authentication. You would also be surprised at the amount of
enterprise-class software which stores shared secrets in its
configuration files; look at Symantec's Altiris suite.
On May 13, 2008, at 6:45 PM, Jens Alfke wrote:
>
> On 13 May '08, at 4:35 PM, Matt Burnett wrote:
>
>> It's not hard to enable HTTP authentication.
>
> It's also not hard to eavesdrop on the HTTP session using tcpdump,
> or to debug or disassemble the app to recover the password.
> In other words, putting a shared secret into an application
> distributed to end-users is not secure.
>
> Probably not a realistic fear in this particular case, but there are
> many, many instances of web scripts like this being abused to send
> spam, so I don't think I'm being overly paranoid :)
>
> —Jens
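The disagreement above turns on how much work it takes to read an HTTP Basic credential off the wire once a request is visible to someone on the path. The following is an added example, not code from this thread or from any Cocoa project: it parses a constructed HTTP request capture, shows that a `Basic` header is only base64-encoded (the sample credential is the one from RFC 7617, `Aladdin:open sesame`), and reports whether the credential would have been exposed given whether the connection was over TLS. The request text, the host name `example.invalid` and the `audit_capture` function are all assumptions made for the example.

```python
import base64
import binascii
from typing import Dict, List, Optional, Tuple

# Constructed sample captures (not from the thread): two requests as they
# would appear to anyone who can see the traffic. The credential is the
# RFC 7617 example "Aladdin:open sesame"; the host is a reserved dummy name.
CAPTURED_REQUESTS: List[str] = [
    (
        "POST /cgi-bin/sendmail.php HTTP/1.1\r\n"
        "Host: example.invalid\r\n"
        "Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "\r\n"
        "to=someone%40example.invalid&body=hi"
    ),
    (
        "GET /status HTTP/1.1\r\n"
        "Host: example.invalid\r\n"
        "\r\n"
    ),
]


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Return the request headers, lower-cased names, ignoring the body."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_basic_auth(value: str) -> Optional[Tuple[str, str]]:
    """Decode an Authorization header of the Basic scheme.

    Base64 is an encoding, not encryption: the user and password come back
    verbatim. Returns None for other schemes or malformed tokens.
    """
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def audit_capture(raw_request: str, over_tls: bool) -> Dict[str, object]:
    """Report whether a captured request leaks a Basic credential.

    over_tls is an assumption supplied by the caller (e.g. the capture
    came from port 443): inside TLS the header is not visible on the wire.
    """
    finding: Dict[str, object] = {"exposed": False, "user": None}
    auth = parse_headers(raw_request).get("authorization")
    if auth is None:
        return finding
    creds = decode_basic_auth(auth)
    if creds is None:
        return finding
    finding["user"] = creds[0]
    finding["exposed"] = not over_tls
    return finding


if __name__ == "__main__":
    for req in CAPTURED_REQUESTS:
        print(req.split("\r\n")[0], "->", audit_capture(req, over_tls=False))
```

The audit deliberately does not need raw packet access or any decryption step; the only question it has to answer is whether the request was inside TLS. That is the practical reason a shared secret shipped in a client is only as private as the least protected link it ever crosses.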
Related mails:

| Author | Date |
|---|---|
| vinitha | May 12, 13:25 |
| Omar Qazi | May 13, 07:57 |
| Jens Alfke | May 13, 08:07 |
| Omar Qazi | May 13, 08:16 |
| Matt Burnett | May 14, 01:35 |
| Jens Alfke | May 14, 01:45 |
| Matt Burnett | May 14, 02:40 |
| Jens Alfke | May 14, 02:48 |
| Andrew Farmer | May 15, 23:17 |
Cocoa mail archive