big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche
|

http://www.heise.de/security/meldung/Ap ... 12766.html

Apple do not provide encrypted communication for their email service on iCloud. The emails are sent in the clear to the Apple servers, allowing them to be intercepted en route - either by open wi-fi spots with no password protection or on the backbone by the likes of the NSA.

For the delivery of emails over .mac.com, .me.com and icloud.com the mail servers do not offer the STARTTLS option for encrypting mails. So even if the sender's mail server supports sending encrypted email, they have to send the email in the clear to the Apple servers. Interestingly, outgoing mails over mail-out.apple.com can be encrypted.

The IMAP and SMTP protocols for the users retrieving and sending email from their Apple accounts are partially secure, but do not support Perfect Forward Security and they only use the cracked RC4 encryption and TLS 1.0 (also cracked).

The Webmail server is the most secure; it still doesn't support Perfect Forward Security (which ensures a unique key is used for each transaction, as opposed to the public keys from the server and client), but it does at least support TLS 1.2 (for browsers that support it - Firefox and Safari were slow to get this although they have both been upgraded recently) and HSTS (HTTP Strict Transport Security).

Apple's press office declined to comment; the Apple security team at least gave the reply "thank you for the suggestion for improving security."
_________________ "Do you know what this is? Hmm? No, I can see you do not. You have that vacant look in your eyes, which says hold my head to your ear, you will hear the sea!" - Londo Molari
Executive Producer No Agenda Show 246
|
Wed Feb 26, 2014 7:59 am |
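An added example, not part of any post in this thread: a Python sketch of the checks the post above describes, namely whether a receiving mail server advertises STARTTLS and whether a negotiated session uses a legacy protocol, RC4, or a key exchange without forward secrecy. The sample EHLO replies and the host name `mx.example.test` are constructed, and the function names are hypothetical.

```python
import re
import smtplib
import ssl

# Constructed EHLO replies (not captured from any real server).
SAMPLE_NO_TLS = "250-mx.example.test\r\n250-SIZE 28311552\r\n250 8BITMIME"
SAMPLE_TLS = "250-mx.example.test\r\n250-STARTTLS\r\n250 8BITMIME"

def ehlo_offers_starttls(ehlo_reply: str) -> bool:
    """True if a multi-line EHLO reply ('250-' / '250 ' lines) lists STARTTLS."""
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ](\S+)", line.strip())
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False

def assess_tls(version: str, cipher: str) -> list:
    """Findings for a negotiated session (version and cipher as ssl reports them)."""
    findings = []
    name = cipher.upper()
    if version in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        findings.append("legacy protocol " + version)
    if "RC4" in name:
        findings.append("RC4 cipher")
    # TLS 1.3 key exchange is always ephemeral; earlier versions need (EC)DHE.
    if version != "TLSv1.3" and not re.match(r"(TLS_)?(ECDHE|DHE|EDH)[-_]", name):
        findings.append("no forward secrecy")
    return findings

def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check, for a mail server you operate or are authorised to test."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False, "findings": ["cleartext delivery only"]}
        # The default context verifies the certificate and refuses RC4 and
        # old protocol versions, so a server limited to those raises
        # ssl.SSLError here instead of returning findings.
        smtp.starttls(context=ssl.create_default_context())
        name, version, _bits = smtp.sock.cipher()
        return {"starttls": True, "findings": assess_tls(version, name)}

if __name__ == "__main__":
    print(ehlo_offers_starttls(SAMPLE_NO_TLS), ehlo_offers_starttls(SAMPLE_TLS))
    print(assess_tls("TLSv1", "RC4-SHA"))
```
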
|
 |
Amnesia10
Legend
Joined: Fri Apr 24, 2009 2:02 am Posts: 29240 Location: Guantanamo Bay (thanks bobbdobbs)
|
So while Apple might not have allowed the NSA to install backdoors, this hardly counts as a deterrent to the NSA. Since all my mail goes through Apple servers I am not happy about this.
_________________ Do concentrate, 007... "You are gifted. Mine is bordering on seven seconds." https://www.dropbox.com/referrals/NTg5MzczNTk http://astore.amazon.co.uk/wwwx404couk-21
|
Wed Feb 26, 2014 10:44 am |
|
 |
jonbwfc
What's a life?
Joined: Thu Apr 23, 2009 7:26 pm Posts: 17040
|

You really shouldn't be using a third party free email service for things that you consider commercially sensitive or confidential to be honest. That kind of security is exactly the kind of thing you pay for. Look at it this way: There's no actual difference between iCloud and Hotmail and would you put confidential/sensitive information in a Hotmail account?
Aside from that, I find the critique lazy in several regards. Conflating sending & receiving email as a client with MTA transfer is stupid. There's a world of difference between you sat in a web cafe sending an email over their free wifi and Apple/Google/Hotmail sending millions of emails out to thousands of destinations every day. In fact, by default on Apple devices using iCloud, the former is reasonably secured. The latter isn't but then in this case Apple's security is no better or worse than 99% of the other email services in the world. The vast majority of email providers do not use encryption while doing MTA transfer of email, let alone specific strong forms of encryption. If you're sending or receiving a few emails, the overhead of encryption isn't noticeable. If you're sending or receiving millions of emails every day, the overhead becomes enormous and most providers simply don't do it at all. Fundamentally Apple is no better or worse than the vast majority of other email providers. This is not an 'Apple' problem in the same way as the recent SSL vulnerability was, it's a general problem predicated on the fact SMTP was never designed to be a secure protocol. To headline this as an Apple issue is the worst sort of click-baiting. Even worse if it makes Android or PC users think they are more secure, because they aren't.
If you want your email to be secure and free from even the possibility of eavesdropping, you either have to encrypt it at source (PGP, S/MIME, etc.) or you have to pay a service that does it for you. It's that simple.
|
Wed Feb 26, 2014 2:04 pm |
|
 |
big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche
|
My bad, I mixed up the two parts of the article. You are correct, MTA wouldn't normally take place over wifi.
As to others not being any better, does that mean it is okay to ignore security, just because everybody else does? They were probably chosen as an example, because of the keylogging and SSL problems last week. You are correct, every mail provider needs to improve their game.
|
Wed Feb 26, 2014 4:41 pm |
|
 |
jonbwfc
What's a life?
Joined: Thu Apr 23, 2009 7:26 pm Posts: 17040
|
Fair enough. No, but it makes it pretty false to single out one company specifically over it. As I say it's a very common limitation due (effectively) to the age of the SMTP protocol. If Apple did switch to 'hard' encryption, how much of the SMTP traffic sloshing round the internet would that affect? This is not an 'Apple' problem, it's an 'email' problem. Explain and publicise it as an email problem. Call me cynical, but I think they were chosen because if you put 'Apple' in the headline you get more clicks. Problem is it's not something that piecemeal adoption of actually works to spread standard practice. There's nobody that's in control of email the way the W3C are with the web. If there were, I think we'd probably already have encrypted transmission as the standard by now.
|
Wed Feb 26, 2014 8:04 pm |
|