fetchmail-SA-2007-01: APOP considered insecure
-Topics: The POP3/APOP authentication, by itself, is considered broken.
+Topics: APOP authentication insecure, fetchmail implementation lax
Author: Matthias Andree
Version: 1.0
The POP3 standard, currently RFC-1939, has specified an optional,
MD5-based authentication scheme called "APOP".
-Fetchmail's POP3 client implementation however has happily accepted
-random garbage as a POP3 server's APOP challenge, rather than insisting
-that the APOP challenge conformed to RFC-822, as required by RFC-1939.
+APOP should no longer be considered secure.
+
+Additionally, fetchmail's POP3 client implementation has been validating
+the APOP challenge too lightly and accepted random garbage as a POP3
+server's APOP challenge, rather than insisting that the APOP challenge
+conformed to RFC-822, as required by RFC-1939.
+
This made it easier than necessary for man-in-the-middle attackers to
retrieve by several probing and guessing the first three characters of
the APOP secret, bringing brute forcing the remaining characters well
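Review bot: The rewritten body now opens with "APOP should no longer be considered secure." as a bare assertion, while the old Topics line ("by itself, is considered broken") and the remaining paragraph only explain the fetchmail-specific lax-validation problem; a reader of the advisory cannot tell from the new text why APOP is insecure independent of fetchmail's bug. Add one sentence after "APOP should no longer be considered secure." giving the reason, or at least state that the weakness is in the MD5-based scheme itself and not only in this client's challenge checking. Two smaller points in the same hunk: the paragraph "Additionally, fetchmail's POP3 client implementation has been validating the APOP challenge too lightly" would be clearer if it said what the corrected code now requires of the challenge (the RFC-822 conformance already referenced in "conformed to RFC-822, as required by RFC-1939"), and since the Topics line and body text change substantively, the unchanged "Version: 1.0" header should be bumped so readers can distinguish this revision from the original advisory.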