[tpop3d-discuss] New features ?

Chris Lightfoot chris at ex-parrot.com
Mon, 2 Dec 2002 20:14:12 +0000


On Mon, Dec 02, 2002 at 08:11:33PM +0000, Paul Makepeace wrote:
> On Mon, Dec 02, 2002 at 07:46:06PM +0000, Chris Lightfoot wrote:
> > On Mon, Dec 02, 2002 at 08:44:08PM +0100, Yann GROSSEL wrote:
> > > Well, the wrong password is not logged, only the login. I'd like to have the
> > > password too. And I'd prefer to have it logged in a SQL table :)
> > 
> > I'm afraid I won't put that in the distribution. Too close
> > to an invasion of privacy.
> 
> I don't have any stake in this but just noting that passwords are
> required in plaintext for APOP to work so I'm wondering what the
> distinction between having a misspelt password appear in a system log
> versus a system database is? IME, and of course this is generalising and
> anecdotal, access is generally laxer to DBs than system logs.

I'll repeat this one (just sent in off-list email to
Yann....)

On Mon, Dec 02, 2002 at 08:58:30PM +0100, Yann GROSSEL wrote:
> Mhh, but I already have all the passwords of all users in another table...

Ah, that's not my point.

Consider a user who tells their POP3 client to transmit an
incorrect password which is in fact their password for
some other service. That's a piece of information which
the server ought not reveal.

Obviously you can have tpop3d log this stuff if you want,
but I'm not happy to put it in the distributioAh, that's
not my point.

Consider a user who tells their POP3 client to transmit an
incorrect password which is in fact their password for
some other service. That's a piece of information which
the server ought not reveal.

Obviously you can have tpop3d log this stuff if you want,
but I'm not happy to put it in the distribution.

-- 
``Some people don't like an audience when they work. Enough of them have told
  me so with blunt instruments that I'm a phrenologist's dream come true.''
  (Calvin, as private eye Tracer Bullet, in Bill Waterson's Calvin and Hobbes)