By John Gruber
Endpoint security for teams that value privacy, transparency, and employee productivity. Try Kolide for free today!
If I’m reading this right, using Yahoo’s “push” IMAP with an iPhone, your login credentials are put on the wire unencrypted. Update: Got it now: They’re not sent in the clear, but since it’s not sent over SSL, an attacker can capture (say, over Wi-Fi) your transactions with Yahoo and replay the authentication bits.
I can’t think of a good reason why email servers don’t mandate SSL nowadays; to have a service that doesn’t even support it is appalling.
★ Monday, 23 July 2007