I was going through the protocols that are used in email applications (specifically POP and APOP) and I happened to come across this answer somewhere. It says
Short for Authenticated Post Office Protocol, it is similar to the POP protocol except that APOP enables your password to be encrypted while being transmitted over the network. Using POP mail, when you authenticate your username and password in your e-mail client, your password is sent over the network in plain text. If your e-mail client uses APOP, then the password is encrypted while being transmitted. APOP prevents hackers from seeing your password information with sniffer programs.
My question is: Is that the major difference between APOP and POP? Is the password not encrypted when the POP protocol is used? If not, will it not cause security concerns?
APOP is just a new command added to the standard POP3, which does not transfer the password in plain (e.g. with USER and PASS commands) but digest based. Later better authorization was added with the AUTH command, similar to how it is done with SMTP and IMAP. All these ways do not use encrypted passwords, but at most hashed passwords, which often required the POP3 server to know the cleartext password to verify the sent password.
Better is to use POP3 with TLS, e.g. either starting with a TLS connection (POP3s) or upgrading an existing connection with the STARTTLS command before doing the authentication.
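As an added illustration (not part of the question or the answer above, and not code from any mail server), the following Python script models the two authentication paths the answer contrasts: a plain POP3 client sending `USER`/`PASS`, and an APOP client computing the RFC 1939 digest `MD5(timestamp || password)` from the server's greeting banner. The greeting, user name, password and credential store are constructed sample values (the timestamp banner reuses the one from the RFC 1939 example); `SERVER_SECRETS`, `password_visible_on_wire` and `apop_exchange` are hypothetical helper names. It shows that APOP keeps the password itself off the wire and that a captured digest does not verify against a later session with a different timestamp, but also that the server must hold the cleartext secret to check the digest, which is exactly the caveat the answer raises.

```python
import hashlib
import hmac
import re

# Constructed sample greeting; the timestamp banner reuses the one from the
# APOP example in RFC 1939 so the format is realistic.
SERVER_GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"

# Hypothetical server-side credential store. APOP forces the server to keep
# the cleartext secret: a salted hash of the password would not let it
# recompute the digest below.
SERVER_SECRETS = {"mrose": "tanstaaf"}


def extract_timestamp(greeting: str) -> str:
    """Pull the '<...>' timestamp out of the server banner.

    A server that does not support APOP omits it, in which case the
    client can only fall back to USER/PASS (or AUTH over TLS).
    """
    match = re.search(r"<[^>]+>", greeting)
    if match is None:
        raise ValueError("server banner carries no APOP timestamp")
    return match.group(0)


def apop_digest(timestamp: str, password: str) -> str:
    """RFC 1939 APOP digest: lowercase hex MD5 of timestamp || password."""
    return hashlib.md5((timestamp + password).encode("ascii")).hexdigest()


def client_apop(greeting: str, user: str, password: str) -> str:
    """What an APOP-capable client sends after reading the greeting."""
    return f"APOP {user} {apop_digest(extract_timestamp(greeting), password)}"


def client_user_pass(user: str, password: str) -> list:
    """What a plain POP3 client sends: the password travels as-is."""
    return [f"USER {user}", f"PASS {password}"]


def server_verify_apop(timestamp: str, command: str, secrets: dict) -> bool:
    """Server side of APOP: recompute the digest from the stored cleartext."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    user, digest = parts[1], parts[2].lower()
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = apop_digest(timestamp, secret)
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(expected, digest)


def password_visible_on_wire(lines: list, password: str) -> bool:
    """Model of a passive observer: does the password appear verbatim?"""
    return any(password in line for line in lines)


def apop_exchange() -> dict:
    """Run both variants against the constructed greeting and summarise."""
    timestamp = extract_timestamp(SERVER_GREETING)
    apop_cmd = client_apop(SERVER_GREETING, "mrose", "tanstaaf")
    plain_cmds = client_user_pass("mrose", "tanstaaf")
    # A digest captured from one session does not verify in a later session
    # whose greeting carries a different timestamp (constructed value).
    later_timestamp = "<1897.697171000@dbc.mtview.ca.us>"
    return {
        "apop_accepted": server_verify_apop(timestamp, apop_cmd, SERVER_SECRETS),
        "apop_wrong_password": server_verify_apop(
            timestamp, client_apop(SERVER_GREETING, "mrose", "wrong"), SERVER_SECRETS
        ),
        "apop_replayed_later": server_verify_apop(later_timestamp, apop_cmd, SERVER_SECRETS),
        "pass_leaks_password": password_visible_on_wire(plain_cmds, "tanstaaf"),
        "apop_leaks_password": password_visible_on_wire([apop_cmd], "tanstaaf"),
    }


if __name__ == "__main__":
    for key, value in apop_exchange().items():
        print(f"{key}: {value}")
```

The digest protects only the password in transit; mailbox contents and commands still cross the network in the clear, and MD5 over a known timestamp offers no protection against offline guessing of a weak password from a captured digest. That is why the answer recommends TLS (POP3S or STARTTLS) rather than relying on APOP or AUTH alone.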