Showing posts from May, 2012

MailAnyoneAnywhere: a generous idea

But that does not make the idea actually usable. Apart from using SMTP/TLS instead of plain SMTP, the implementation lacks security awareness (having to use hardcoded credentials securely is already a software challenge on its own; proposing the application to the "general public" is... naive?).
"Mail Anywhere has its own Gmail® account!" is, on the other hand... "incorrect": Mail Anywhere (at least the binary I could download on April 22, 2012, still unchanged today) uses an account at mail.steppschuh.net (I didn't bother to check whether the statement was true for the previous version).

It is remarkable that nobody among the reviewers and software download sites "noticed" this: there is no communication with any Google/Gmail server whatsoever.

What I called a "security advisory" in my previous post is the simple consideration that the absence of certificate validation leaves no means to prevent the TLS session from being transparently proxy…
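As an added illustration (not code from the post or from the application it discusses), the sketch below puts a TLS client context that skips certificate validation next to one that validates, and refuses to send credentials over the former. The function names, the placeholder host and the use of STARTTLS on port 587 are assumptions; the post does not say how the application negotiates TLS.

```python
import smtplib
import ssl


def unverified_context():
    """The weak setting: encryption only, any certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile=None):
    """The corrected setting: chain and hostname are both validated."""
    # cafile lets a client pin a private CA instead of the system store.
    return ssl.create_default_context(cafile=cafile)


def audit(ctx):
    """Return the reasons a context cannot authenticate the server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    return findings


def submit(host, port, user, password, message, ctx):
    """Send one message, but only over an authenticated TLS session."""
    findings = audit(ctx)
    if findings:
        # Fail before any connection is made or credential is sent.
        raise ValueError("refusing to log in: " + ", ".join(findings))
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        # Raises SMTPNotSupportedError if STARTTLS is not offered, so the
        # session cannot silently fall back to plain SMTP.
        smtp.starttls(context=ctx)
        smtp.login(user, password)
        smtp.send_message(message)


if __name__ == "__main__":
    print("unverified:", audit(unverified_context()))
    print("verified:  ", audit(verified_context()))
```
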