IMAP and 'security concerns'
I posted this in General Discussion and got no responses so, since it effects the iPhone's perceived value, I thought I'd try here.
What is the security problem with imap? This is quoted as 'fact' is so many places I wanted to understand it. I've googled and looked and asked and can't get a valid answer to what the 'security concern's' with IMAP are. If you use SSL IMAP what is the problem? Does anyone really know or is this another Urban security legend? I would really like to know.
Is the security issue just with MSft's implementation on Exchange? Another reason I'd like to know is our business has IMAP SSL (postfix/cyrus) running to the world and I'd at least like to assess the risk/benefit.
Thanks for any input.
What is the security problem with imap? This is quoted as 'fact' is so many places I wanted to understand it. I've googled and looked and asked and can't get a valid answer to what the 'security concern's' with IMAP are. If you use SSL IMAP what is the problem? Does anyone really know or is this another Urban security legend? I would really like to know.
Is the security issue just with MSft's implementation on Exchange? Another reason I'd like to know is our business has IMAP SSL (postfix/cyrus) running to the world and I'd at least like to assess the risk/benefit.
Thanks for any input.
Comments
Which is kind of funny, really.
Most MS wonks who I've called on this BS don't even *know* about SSL IMAP. They just thought that everything has to be cleartext, all the time. I even had one person tell me that "IMAP doesn't even take a password". Uh huh.
Unfortunately, this is a case of a few blowhard anal-ysts (it's like an anal cyst, without the 'c') spouting off on things they don't know about, and then it getting repeated enough that nobody bothers to fact check.
It's FUD, pure and simple. It comes from MS IT people assuming that if it ain't blessed by Redmond, it's an insecure mess.
Which is kind of funny, really.
Most MS wonks who I've called on this BS don't even *know* about SSL IMAP. They just thought that everything has to be cleartext, all the time. I even had one person tell me that "IMAP doesn't even take a password". Uh huh.
Unfortunately, this is a case of a few blowhard anal-ysts (it's like an anal cyst, without the 'c') spouting off on things they don't know about, and then it getting repeated enough that nobody bothers to fact check.
Thanks for the feedback. This certainly was my conclusion but it not a good idea to base a conclusion on 'no information' .
The first of these issues is that all of the email that is stored on an iPhone is done so as normal, unencrypted files, and the only password barrier is a 4 digit one for login. For the majority of people this is more than enough. But for high-profile execs who might be a target of corporate espionage, or people who carry highly sensitive documents (SSN lists, bank account numbers, etc) it is worth a criminal's time to target them then take the device apart and read out the data. Blackberry does this with all of their devices, and there are software add-ons for Palm and WindowsMobile devices that do this as well ("Good Software" is the vendor's name).
The second issue is that in the event that a mobile device is lost/stolen, the other vendors all have systems that can remotely instruct the device to wipe all of the data on the device the next time it connects to the mobile network. This is another layer of security precaution on top of the last one for people who might be targeted.
This all may sound paranoid, but there are a lot of businesses that have mandated this level of paranoia, and the iPhone does not provide it. Of course many people then read this sort of report, and get convinced that they are important enough to need this, and disqualify the iPhone out of hand, when that is not really a great evaluation of their needs.
It is true that a lot of people who are quoting that the iPhone's access to Exchange, or email in general makes it "insecure" think that this is an issue with the actual connection, and so of course they are wrong. But there is a kernel of truth in the original analysis: namely that the iPhone does not encrypt data on disk, and there is no "remote wipe" function.
The first of these issues is that all of the email that is stored on an iPhone is done so as normal, unencrypted files, and the only password barrier is a 4 digit one for login. For the majority of people this is more than enough. But for high-profile execs who might be a target of corporate espionage, or people who carry highly sensitive documents (SSN lists, bank account numbers, etc) it is worth a criminal's time to target them then take the device apart and read out the data. Blackberry does this with all of their devices, and there are software add-ons for Palm and WindowsMobile devices that do this as well ("Good Software" is the vendor's name).
The second issue is that in the event that a mobile device is lost/stolen, the other vendors all have systems that can remotely instruct the device to wipe all of the data on the device the next time it connects to the mobile network. This is another layer of security precaution on top of the last one for people who might be targeted.
This all may sound paranoid, but there are a lot of businesses that have mandated this level of paranoia, and the iPhone does not provide it. Of course many people then read this sort of report, and get convinced that they are important enough to need this, and disqualify the iPhone out of hand, when that is not really a great evaluation of their needs.
While all true, none of that has jack-all to do with IMAP. Which original analysis are you referring to, since it isn't in this thread?
What's funny is that all of the above also apply to laptops... yet no one runs around screaming about them. *shrug* (Yes, enterprise-level mail solutions do offer encrypted mail, etc, etc, but the person using Outlook, basic Exchange, or other common clients isn't getting those tools.)
It is true that a lot of people who are quoting that the iPhone's access to Exchange, or email in general makes it "insecure" think that this is an issue with the actual connection, and so of course they are wrong. But there is a kernel of truth in the original analysis: namely that the iPhone does not encrypt data on disk, and there is no "remote wipe" function.
The first of these issues is that all of the email that is stored on an iPhone is done so as normal, unencrypted files, and the only password barrier is a 4 digit one for login. For the majority of people this is more than enough. But for high-profile execs who might be a target of corporate espionage, or people who carry highly sensitive documents (SSN lists, bank account numbers, etc) it is worth a criminal's time to target them then take the device apart and read out the data. Blackberry does this with all of their devices, and there are software add-ons for Palm and WindowsMobile devices that do this as well ("Good Software" is the vendor's name).
The second issue is that in the event that a mobile device is lost/stolen, the other vendors all have systems that can remotely instruct the device to wipe all of the data on the device the next time it connects to the mobile network. This is another layer of security precaution on top of the last one for people who might be targeted.
This all may sound paranoid, but there are a lot of businesses that have mandated this level of paranoia, and the iPhone does not provide it. Of course many people then read this sort of report, and get convinced that they are important enough to need this, and disqualify the iPhone out of hand, when that is not really a great evaluation of their needs.
While all true, none of that has jack-all to do with IMAP. Which original analysis are you referring to, since it isn't in this thread?
What's funny is that all of the above also apply to laptops... yet no one runs around screaming about them. *shrug* (Yes, enterprise-level mail solutions do offer encrypted mail, etc, etc, but the person using Outlook, basic Exchange, or other common clients isn't getting those tools.)
And if that's the concern then that's what should be reported because while a few 'top level executives' and other that MIGHT require security could remain stuck with their current solutions the rest of the market could switch to this more elegant solution with only the opening of iMAP. As Kickaha pointed out these security issues have NOTHING to do with IMAP.
THANK GOD!
Dave