December 22, 2008 - Phil Hodgen

Insecurity in hosted Exchange

We use a hosted Exchange server and hosted SharePoint to run our office. It is vastly superior to owning our own server. Cheaper, too.

However, the Jasager project has me antsy. Right now I am sitting in the Starbucks at the corner of Lake and California in Pasadena. I’m only logging in where https:// is allowed. So Gmail (yes), Google Reader (no), etc. Bank, no.

Short summary of Jasager: dead simple method of playing the MITM game, with me as the person NOT in the middle. Username/password pairs sniffed, etc.

T-Mobile wifi, FWIW. But I have the free “drink a coffee get 2 hours free wifi on ATT” deal as well.

The vendor we use for hosted Exchange does not allow login via https. So I’m not logging into SharePoint. I’m not firing up Entourage (an execrable program all by itself).

Defenses are limited. See this article.

I’m thinking of getting an EVDO card to protect against this. The EVDO card will also plug into a wifi router at the office to give all of us internet backup if/when the big pipe fails.


(1) Are there any hosted Exchange providers that give security above the generic plain old insecure http:// login?

(2) Who else feels hinky when they’re on the road with wifi blazing?