Bugtraq mailing list archives

Re: Apple OSX and iDisk and Mail.app


From: Dale Southard <southard1 () llnl gov>
Date: 24 Jul 2002 13:48:10 -0700

merlyn () stonehenge com (Randal L. Schwartz) writes:

> Net effect: your iDisk password is transmitted in the clear without
> your awareness, albeit as a mail password.
>
> Problems:
>
> - mac.com SMTP doesn't support encrypted passwords

Are you sure?

  myhost{dsouth}:  telnet smtp.mac.com 25
  Trying 204.179.120.48...
  Connected to smtp.mac.com.
  Escape character is '^]'.
  220 ESMTP service
  ehlo foo.bar
  250-asmtp02.mac.com
  250-PIPELINING
  250-ETRN
  250-DSN
  250-STARTTLS
  250-AUTH PLAIN LOGIN
  250 AUTH=LOGIN
  ^]
  telnet> quit
  Connection closed.

It looks like smtp.mac.com supports STARTTLS, which could be used to
armor the PLAIN/LOGIN authentication.  Granted, it isn't clear that
mail.app is capable of doing SSL/TLS when connecting to a SMTP server
for sends, but mail.app does support SSL/TLS for IMAP receives.


-- 

/*  Dale Southard Jr.  dsouth () llnl gov  925-422-1463, fax 422-9429  */
/*  Computer Scientist, Accelerated Strategic Computing Initiative  */
/*  L-073,  Lawrence Livermore National Lab,  Livermore CA   94551  */
/*  AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving  */
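
The following is an added example, not part of the original post and not code from Apple or Mail.app. It parses the EHLO reply from the telnet capture above, reports whether the advertised AUTH mechanisms rely on STARTTLS for protection, and decodes a constructed AUTH PLAIN argument to show that the encoding is reversible. The function names and the sample credentials are assumptions made for the illustration.

```python
import base64

# EHLO reply copied from the telnet capture in the post above.
EHLO_REPLY = """\
250-asmtp02.mac.com
250-PIPELINING
250-ETRN
250-DSN
250-STARTTLS
250-AUTH PLAIN LOGIN
250 AUTH=LOGIN
"""
# SASL mechanisms that put the password itself on the wire (base64, not hashed).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}
# Constructed AUTH PLAIN argument (RFC 4616: authzid NUL user NUL password).
SAMPLE_AUTH_PLAIN = base64.b64encode(b"\0alice\0constructed-pw").decode()

def parse_ehlo(reply):
    """Return (greeting host, {KEYWORD: [params]}) for a multi-line 250 reply."""
    host, exts = None, {}
    for i, line in enumerate(ln for ln in reply.splitlines() if ln.strip()):
        code, sep, text = line[:3], line[3:4], line[4:].strip()
        if code != "250" or sep not in ("-", " "):
            raise ValueError("not a 250 reply line: %r" % line)
        # "AUTH=LOGIN" is the pre-standard spelling kept for old clients.
        if text.upper().startswith("AUTH="):
            text = text.replace("=", " ", 1)
        words = text.split()
        if i == 0:
            host = words[0] if words else None
        elif words:
            exts.setdefault(words[0].upper(), []).extend(w.upper() for w in words[1:])
        if sep == " ":  # a space after the code marks the last line
            break
    return host, exts

def assess(exts):
    """Summarise how the advertised AUTH mechanisms relate to STARTTLS."""
    mechs = set(exts.get("AUTH", []))
    return {
        "starttls_offered": "STARTTLS" in exts,
        "cleartext_mechs": sorted(mechs & CLEARTEXT_MECHS),
        # No challenge-response mechanism offered: TLS is the only protection.
        "tls_is_only_protection": bool(mechs) and mechs <= CLEARTEXT_MECHS,
    }

def decode_auth_plain(arg):
    """Recover (authzid, user, password) from an AUTH PLAIN argument."""
    return tuple(p.decode() for p in base64.b64decode(arg).split(b"\0"))
```

For this capture, `assess` reports STARTTLS offered with only PLAIN and LOGIN advertised, so the password is protected only if the client completes STARTTLS before sending AUTH.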

