Yahoo/iPhone ‘Push’ IMAP Doesn’t Use SSL?

If I’m reading this right, using Yahoo’s “push” IMAP with an iPhone, your login credentials are put on the wire unencrypted. Update: Got it now: They’re not sent in the clear, but since it’s not sent over SSL, an attacker can capture (say, over Wi-Fi) your transactions with Yahoo and replay the authentication bits.

I can’t think of a good reason why email servers don’t mandate SSL nowadays; to have a service that doesn’t even support it is appalling.

Monday, 23 July 2007