Apple OSX and iDisk and Mail.app

From: Randal L. Schwartz (merlynat_private)
Date: Wed Jul 24 2002 - 09:10:59 PDT

    The password for an Apple iDisk is sent via HTTPS/WebDAV.  However, if
    you configure OSX with an iDisk password, the same password is copied
    to the Mail.app configuration (which might not have been previously
    configured).  Clicking on a "mailto" link fires up Mail.app, which
    then connects to mac.com which *does not* support any method of
    encrypted password transmission.
    
    Net effect: your iDisk password is transmitted in the clear without
    your awareness, albeit as a mail password.
    
    Problems:
    
    - mac.com SMTP doesn't support encrypted passwords
    - mac.com's mail password is *always* identical to iDisk password
    - OSX's "do what I mean" friendliness saves passwords without knowledge
    
    -- 
    Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
    <merlynat_private> <URL:http://www.stonehenge.com/merlyn/>
    Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
    See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
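
The first problem listed in the post, a mail server that offers no protected way to send the password, can be checked from the server's EHLO reply. The following is an added example, not part of the original post: the EHLO replies are constructed samples (not captures from mac.com) and the function names are hypothetical.

```python
# Added example: classify how an SMTP server's EHLO reply lets a client
# authenticate. All sample replies are constructed for illustration.

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}          # password is only base64-encoded
CHALLENGE_MECHS = {"CRAM-MD5", "DIGEST-MD5"}  # password itself is never sent


def parse_ehlo(reply):
    """Return (starttls_offered, auth_mechanisms) from a raw EHLO reply."""
    starttls, mechs = False, set()
    # The first 250 line is the greeting (hostname), not a capability.
    for line in reply.strip().splitlines()[1:]:
        line = line.strip()
        # Capability lines look like "250-KEYWORD args" or "250 KEYWORD args".
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        words = line[4:].replace("=", " ").split()  # also accepts "AUTH=LOGIN"
        if not words:
            continue
        keyword = words[0].upper()
        if keyword == "STARTTLS":
            starttls = True
        elif keyword == "AUTH":
            mechs.update(w.upper() for w in words[1:])
    return starttls, mechs


def password_exposure(reply):
    """Summarise whether a mail password can cross the wire unprotected."""
    starttls, mechs = parse_ehlo(reply)
    if not mechs:
        return "no-auth"
    if starttls:
        return "protected-if-client-requires-tls"
    if mechs & CHALLENGE_MECHS:
        return "protected-if-client-refuses-plaintext"
    return "cleartext"  # only PLAIN/LOGIN on an unencrypted session


# Constructed sample replies (hostnames under the reserved .test TLD).
SAMPLE_PLAIN_ONLY = ("250-mail.example.test Hello\r\n250-SIZE 10485760\r\n"
                     "250-AUTH LOGIN PLAIN\r\n250 8BITMIME")
SAMPLE_STARTTLS = ("250-mail.example.test\r\n250-STARTTLS\r\n"
                   "250-AUTH=PLAIN LOGIN\r\n250 HELP")
SAMPLE_CRAM = "250-mail.example.test\r\n250-AUTH CRAM-MD5 LOGIN\r\n250 HELP"

if __name__ == "__main__":
    for name in ("SAMPLE_PLAIN_ONLY", "SAMPLE_STARTTLS", "SAMPLE_CRAM"):
        print(name, "->", password_exposure(globals()[name]))
```

A "cleartext" result corresponds to the situation the post describes; the two "protected-if" results still depend on the mail client refusing to fall back to PLAIN or LOGIN without TLS.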
    


