Dear Gaëtan LEURENT, --Tuesday, April 3, 2007, 8:18:04 PM, you wrote to 3APA3A@xxxxxxxxxxxxxxxx: GL> I meant practical in the sense that it does work in practice (it's not GL> an attack needing 2^80 computations or something like that), but I don't GL> know what are the practical implications of the attack :-) GL> (to begin with, I don't know if many people are using APOP). A number of POP3 servers support APOP, but most of them require some special configuration. And it seems like Mozilla attempts to use APOP if APOP banner is present in server reply and no secure protocol is configured. So yes, it's used, but mostly as an alternative to cleartext. Based on last 115000 sessions statistics for ISP's mail server with CRAM-MD5, APOP and NTLM support, ~7000 mailboxes: Cleartext: 96,3% APOP: 2,1% CRAM-MD5: 1% NTLM: 0.6% -- ~/ZARAZA http://securityvulns.com/
