
Anyone can send email as anyone else anyway. That lack of security is inherent in the way email currently works. Not sure I see how giving IMAP access makes things worse since IMAP doesn't have a mechanism for sending messages.

I would also hope they're not storing passwords in plaintext. Obviously they need access to the plaintext password to auth with your mail server, but I would hope this is still stored encrypted.



> Anyone can send email as anyone else anyway.

Many emails are signed with DKIM now, which does help with verifiability.

> but I would hope this is still stored encrypted

Encryption is pointless when the keys for decryption are on the same server. Given their hack in 2012, I doubt there's any protection at all.


Which is why the key should be physically given to the system when it is started and then only stored in memory. The key file should not be available on any network-attached machine. Of course there's still potential for exploits in this scenario, but it does help minimize the attack surface.
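The approach described in the comment above (key supplied at startup, held only in memory, only ciphertext on disk), as an added example that is not part of the thread or of any service's code. The choice of AES-256-GCM, the hex key format, the account-name binding and the names `LoadKey`, `Seal` and `Open` are assumptions of this sketch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// LoadKey builds the AEAD from an AES-256 key given as hex by the operator at
// startup. The key then lives only in this process; nothing here writes it to disk.
func LoadKey(hexKey string) (cipher.AEAD, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil || len(key) != 32 {
		return nil, errors.New("key must be 64 hex characters")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce||ciphertext (the on-disk form), bound to the account name.
func Seal(a cipher.AEAD, account, password string) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, []byte(password), []byte(account)), nil
}

// Open fails if the key, the account or the stored record is wrong.
func Open(a cipher.AEAD, account string, rec []byte) (string, error) {
	n := a.NonceSize()
	if len(rec) < n {
		return "", errors.New("record too short")
	}
	pt, err := a.Open(nil, rec[:n], rec[n:], []byte(account))
	return string(pt), err
}

func main() {
	// Constructed demo key; a real service reads it from the operator at startup.
	a, _ := LoadKey("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
	rec, _ := Seal(a, "user@example.com", "constructed-imap-password")
	fmt.Printf("stored on disk: %x\n", rec)
}
```

A copy of the stored records alone does not yield the passwords; a compromise of the running process still does, which is the residual exposure the comment acknowledges.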


Given their response several parents up, it's being stored on disk permanently.



