Zimbra Desktop sends Yahoo password in the clear (not secure)
Slashdot article about the security issue
Zimbra is sending Yahoo usernames and passwords in the clear (i.e., not encrypted) when syncing with Yahoo Mail. In other words, you shouldn't use Zimbra Desktop to check for Yahoo mail on a public network, and I'd be wary of doing so even on a private one.
Please have Zimbra log in using secure IMAP.
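To make the risk described above concrete, here is an added example (not from the original thread, Zimbra or Yahoo) that walks a constructed IMAP client transcript, as a capture on port 143 would show it, and flags any LOGIN or AUTHENTICATE PLAIN command sent before the connection is protected by STARTTLS or by implicit TLS (IMAPS); the session lines, the `<TLS>` marker and the credentials are constructed placeholders.

```python
import re

# Constructed client-to-server IMAP transcripts. "<TLS>" is a marker we use to
# show where the session switches to encryption; bytes after it are opaque on
# the wire. Credentials are placeholders.
INSECURE_SESSION = [
    "a001 CAPABILITY",
    "a002 LOGIN user@example.com hunter2",  # readable by anyone on the path
    "a003 SELECT INBOX",
]

SECURE_SESSION = [
    "a001 CAPABILITY",
    "a002 STARTTLS",
    "<TLS>",
    "a003 LOGIN user@example.com hunter2",  # sent inside the TLS tunnel
    "a004 SELECT INBOX",
]

# IMAP commands that carry credentials directly (AUTHENTICATE PLAIN sends the
# base64-encoded credentials on the following line, which is equally exposed).
LOGIN_RE = re.compile(r"^\S+\s+(LOGIN|AUTHENTICATE\s+PLAIN)\b", re.IGNORECASE)


def exposed_credentials(session, implicit_tls=False):
    """Return the tag of every credential-bearing command sent outside TLS.

    implicit_tls=True models IMAPS on port 993, where the whole session is
    encrypted from the first byte, so nothing is ever exposed.
    """
    encrypted = implicit_tls
    exposed = []
    for line in session:
        if line.strip() == "<TLS>":
            encrypted = True
            continue
        if encrypted:
            continue  # commands after STARTTLS are not readable on the wire
        if LOGIN_RE.match(line):
            exposed.append(line.split()[0])  # report the tag, never the password
    return exposed


if __name__ == "__main__":
    print("plaintext IMAP:", exposed_credentials(INSECURE_SESSION))  # ['a002']
    print("STARTTLS IMAP:", exposed_credentials(SECURE_SESSION))     # []
    print("IMAPS (993):", exposed_credentials(INSECURE_SESSION, implicit_tls=True))  # []
```

The fix the post asks for corresponds to the second and third cases: either negotiate STARTTLS before LOGIN, or connect to the IMAPS port so the whole exchange is encrypted.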
That was a bit harsh; did you read the entirety of my post?
As my blog post states, I notified Yahoo! during my "hacku" presentation. They didn't seem concerned, nor did they talk with me afterwards. Regardless, users need to be informed of this since it exposes their account information, and they should take steps to avoid this (like not using Zimbra over wireless until the fix is in). I find the suggestion that I'm not responsible a little harsh. I fail to see the sensationalism in my blog post or in the Slashdot story; perhaps I am just blinded by my interest in this matter.
Originally Posted by jholder
Rather than brushing me off, complaining about a lack of encryption, I think it would have been a better course of action for Yahoo!/Zimbra to publicly disclose this information to its users after I informed them, and switch the IMAP servers to require SSL to get people to download an update. Then everyone is happy (except for the bad guys).
Any chance of having my other questions answered about the Yahoo IMAP servers? I realize it's a bit of a loaded question, but it would be cool if I could still use the Yahoo IMAP servers for my anti-spam project; if not, I understand the business reasons behind it (gotta make money for those pro accounts).
Regardless, let's be civil; hot tempers are never a good thing. If we're in the same city sometime soon, give me a shout and I'll buy you a pint of beer :)