Victor Duchovni wrote:
It has been some time since I looked at this, hence the IIRC. Mulberry made the setting explicit, and perhaps allowed one to choose the right client cert. If I recall correctly, Thunderbird uses certificates silently, without explicit configuration control... In any case, this is not a very frequently used MUA feature.
That's pretty disappointing. Sounds like man-in-the-middle attacks might actually be doable then.
Would y'all be worried about the SASL authentication, given that the SSL layer has holes? I'm talking from a real-world perspective. Data - forget it, it's SMTP anyway. But the user/pass credentials - that's a different story.
Would you be comfortable sending authentication over this kind of SSL channel?
I'm trying pretty hard to avoid building a full-blown VPN just for the iPhone. I already use OpenVPN, but it doesn't work on the iPhone, so I would have to install / configure an IPSec thing from scratch if the iPhone doesn't play nice with SMTP / SSL / SASL. It's not rocket science but it's a lot of tedious work.
-- Florin Andrei http://florin.myip.org/