[26299] in bugtraq
Re: Apple OSX and iDisk and Mail.app
daemon@ATHENA.MIT.EDU (osx_guru)
Wed Jul 24 17:51:15 2002
Date: Wed, 24 Jul 2002 16:36:19 -0500
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v482)
Cc: bugtraq@securityfocus.com
To: merlyn@stonehenge.com (Randal L. Schwartz)
From: osx_guru <osx_guru@mac.com>
In-Reply-To: <86vg75xg18.fsf@blue.stonehenge.com>
Message-Id: <63E0ED3C-9F4D-11D6-B510-0003931DC632@mac.com>
Content-Transfer-Encoding: 7bit
mac.com supports SSL which can be enabled through the
Preferences->accounts->your account-> edit button->account options
tab-> check box for "Use SSL"
I think that addresses your concern. Though you are correct in that
by default this password is transmitted in the clear, though most
consumer email clients do not have SSL or similar turned on by
default due to uncertainty about various mail server compliance.
jon
On Wednesday, July 24, 2002, at 11:10 AM, Randal L. Schwartz wrote:
>
> The password for an Apple iDisk is sent via HTTPS/WebDAV. However, if
> you configure OSX with an iDisk password, the same password is copied
> to the Mail.app configuration (which might not have been previously
> configured). Clicking on a "mailto" link fires up Mail.app, which
> then connects to mac.com which *does not* support any method of
> encrypted password transmission.
>
> Net effect: your iDisk password is transmitted in the clear without
> your awareness, albeit as a mail password.
>
> Problems:
>
> - mac.com SMTP doesn't support encrypted passwords
> - mac.com's mail password is *always* identical to iDisk password
> - OSX's "do what I mean" friendliness saves passwords without knowledge
>
> --
> Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503
> 777 0095
> <merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
> Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
> See PerlTraining.Stonehenge.com for onsite and open-enrollment
> Perl training!
