Comments on: Yahoo's Zimbra e-mail program exposes passwords

Enterprising Canadian programmer exposes privacy issue for people using Zimbra to access Yahoo Mail during Yahoo university hack event.

[Solaris_User]

..but Zimbra uses SSL by default.. doesn't it?

[crazyirishhobo]

Zimbra uses SSL by default for other providers (like Gmail), but for some unknown reason doesn't with Yahoo! Neither Yahoo! nor Zimbra have been clear on why Yahoo! Desktop doesn't use SSL with Yahoo! mail (but oddly enough will with say Gmail :P)

[Solaris_User]

That's pretty bad then, does yahoo use ssl at all?

I'm of the opinion that all e-mail should be encrypted always.

[crazyirishhobo]

p.s. you might want to update http://www.zimbra.com/forums/109994-post2.html to http://www.zimbra.com/forums/general-questions/22736-zimbra-desktop-sends-yahoo-password-clear-not-secure.html

[michaelawsutton]

http://research.zscaler.com/2008/09/trusting-cloud.html [zscaler.com] When leveraging cloud based apps, in this case webmail, security is vital not only in the cloud but during transmission to the cloud. While this is often the responsibility of the enterprise itself, here is a situation where Yahoo! was responsible for all components (client and server) and still didn't get it right. Cloud computing will not succeed unless enterprises are able to trust those making online services available to them. Situations such as this, where security was clearly an afterthought, do not help to build the trust required for cloud computing to succeed.