+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
fetchmail-SA-2007-01: APOP considered insecure
Topics: APOP authentication insecure, fetchmail implementation lax
Author: Matthias Andree
-Version: 1.0
+Version: 1.1
Announced: 2007-04-06
Type: password theft when under MITM attack
Impact: password disclosure possible
==================
2007-04-06 1.0 first release
+2008-04-24 1.1 add --ssl to section 3. suggestion A below
1. Background
A. Only use APOP on SSL or TLS secured connections with mandatory and thorough
certificate validation, such as fetchmail --sslproto tls1 --sslcertck
- or --sslproto ssl3 --sslcertck), or equivalent in the run control file.
+ or --ssl --sslproto ssl3 --sslcertck), or equivalent in the run control file.
B. Avoid APOP and use stronger authenticators.
A. Copyright, License and Warranty
==================================
-(C) Copyright 2007 by Matthias Andree, <matthias.andree@gmx.de>.
+(C) Copyright 2007, 2008 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.
-This work is licensed under the Creative Commons
-Attribution-NonCommercial-NoDerivs German License. To view a copy of
-this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
-or send a letter to Creative Commons; 559 Nathan Abbott Way;
-Stanford, California 94305; USA.
+This work is licensed under the
+Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
+
+To view a copy of this license, visit
+http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
+or send a letter to:
+
+Creative Commons
+444 Castro Street
+Suite 900
+MOUNTAIN VIEW, CALIFORNIA 94041
+USA
+
THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.
END OF fetchmail-SA-2007-01.txt
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZVn6wCgkC9pMA9HxXG6lgbgoixd73Tn
+Cz4AoKG+qB47vhGdXSTDDXDFgMDrMJ24
+=BKzz
+-----END PGP SIGNATURE-----