By John Gruber
WorkOS is a modern identity platform for B2B SaaS, supporting SSO, SCIM, user management, and RBAC.
If I’m reading this right, using Yahoo’s “push” IMAP with an iPhone, your login credentials are put on the wire unencrypted. Update: Got it now: They’re not sent in the clear, but since it’s not sent over SSL, an attacker can capture (say, over Wi-Fi) your transactions with Yahoo and replay the authentication bits.
I can’t think of a good reason why email servers don’t mandate SSL nowadays; to have a service that doesn’t even support it is appalling.
★ Monday, 23 July 2007