By John Gruber
Endpoint security for teams that value privacy, transparency, and employee productivity. Try Kolide for free today!
- Yahoo/iPhone ‘Push’ IMAP Doesn’t Use SSL?
-
If I’m reading this right, using Yahoo’s “push” IMAP with an iPhone, your login credentials are put on the wire unencrypted. Update: Got it now: They’re not sent in the clear, but since it’s not sent over SSL, an attacker can capture (say, over Wi-Fi) your transactions with Yahoo and replay the authentication bits.
I can’t think of a good reason why email servers don’t mandate SSL nowadays; to have a service that doesn’t even support it is appalling.
★ Monday, 23 July 2007