Guys, has anyone noticed that MobileMe (http://www.me.com) is not SSL for email or contacts ? Is anyone concerned by this - I am pretty worried about my emails/contacts being accessible by man in the middle type attacks.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
MobileMe No SSL
- Thread starter Beaner
- Start date
- Sort by reaction score
Yup. Seems like a pretty major omission for a service that's specifically aimed at roaming users. Much as I'd love to switch all my "cloud" computing over to me.com, this is pretty much a deal-breaker as far as I'm concerned - guess I'll be sticking with gmail.
Imagine how much more MobileMe would've got screwed up at launch if it was all SSL 
I was thinking this too and I wondered if the interface was unencrypted and all the "Web 2.0" goodness was done over SSL. But alas, Safari's activity menu shows it's all done unencrypted while the account area IS encrypted.
To not give an option is quite bad, since Google do for most of their services (I can understand why they don't send everyone over SSL by default - it would kill their servers most likely).
I was thinking this too and I wondered if the interface was unencrypted and all the "Web 2.0" goodness was done over SSL. But alas, Safari's activity menu shows it's all done unencrypted while the account area IS encrypted.
To not give an option is quite bad, since Google do for most of their services (I can understand why they don't send everyone over SSL by default - it would kill their servers most likely).
Bleh, I've been whining about this, here, for some time. Welcome to the club.
As far as I can tell, none of the web services are secure, except for the account services. However, it seems that non-web access to MobileMe can be secure. Synchronization (on the PC) appears to be secure, so that takes care of contacts and calendars (assuming, of course, that you've bought Outlook from Apple's competitor). Email access can be secure if you configure your client to use the secure mechanism:
IMAP: port 993, SSL
SMTP: port 587, TLS
Bottom line: if you only need contacts, calendar, and email, avoid the web interfaces, and you can be OK.SMTP: port 587, TLS
swingerofbirch
macrumors 68040
I just got that, clicked Continue and nothing happened ... haven't been able to connect to email for about 15 minutes now.
SSL isn't working for me. I have had many intermittent issues with SSL over the last few months, both at home (on 2 computers) and at work. Apple really needs to get their act together.Bleh, I've been whining about this, here, for some time. Welcome to the club.
As far as I can tell, none of the web services are secure, except for the account services. However, it seems that non-web access to MobileMe can be secure. Synchronization (on the PC) appears to be secure, so that takes care of contacts and calendars (assuming, of course, that you've bought Outlook from Apple's competitor). Email access can be secure if you configure your client to use the secure mechanism:
IMAP: port 993, SSLBottom line: if you only need contacts, calendar, and email, avoid the web interfaces, and you can be OK.
SMTP: port 587, TLS
swingerofbirch
macrumors 68040
MobileMe Status hasn't been updated but you can always find the latest on these issues at http://leblogdufailure.blogspot.com
Bleh, I've been whining about this, here, for some time. Welcome to the club.
As far as I can tell, none of the web services are secure, except for the account services. However, it seems that non-web access to MobileMe can be secure. Synchronization (on the PC) appears to be secure, so that takes care of contacts and calendars (assuming, of course, that you've bought Outlook from Apple's competitor). Email access can be secure if you configure your client to use the secure mechanism:
IMAP: port 993, SSLBottom line: if you only need contacts, calendar, and email, avoid the web interfaces, and you can be OK.
SMTP: port 587, TLS
I did not remember setting these values in Outlook but they are set that way. Maybe it is the default for IMAP Connections. Checked my iPhone and that is the automatic settings as well.
I guess another reason to avoid the MM Web Interface (which I do anyway).
Push email on my iPhone works, as does the MobileMe Website.
Mail.app can't connect to mail server...
Mail.app can't connect to mail server...
This is pure madness if you are in an unprotected Wifi-spot, omg, and the number of replies here show something even worse: people don't even care...
I care. I've been playing with the trial account and can say I have had zero problems with MobileMe (none that I really noticed anyway). I signed up under .mac just 2 days before the big switch.
Anyway, this lack of SSL on the webapps really makes no sense. They enabled it with the account management part. It really bugs me that a FOR-FEE service provided by a technology company doesn't bother to offer SSL.
I have a real problem - I love the photo gallery in mobileme. It's pefect for what I do (family stuff). But, I won't pay one penny without SSL. It's just stupid.
Yet one more thing you get for free from Google et al. that you don't get by paying Apple.
Uh, as much as I like google, I don't think google's web albums (picasa) supports SSL, either.
Google supports SSL for some things, but not others.
For the writing of files, they should (at least the logon process). It's the logon that needs the encryption the most. With mobile me, it doesn't matter if you're logging in for mail or to upload photos...it's one unified logon that should be protected.
Well, the MM web logins do appear to be secure, although everything afterword seems to be unencrypted, except for the account settings. I assume that google's logins are also secure, but I don't know that for a fact (gmail and reader can be secure -- don't know about anything else).
You're right...I was too stupid to notice. the logon does use ssl. Well...I'll stop my bitching now.
Although I do wish iDisk used encryption for uploads and downloads for the non-public directories.
I noticed this right away:
https://forums.macrumors.com/threads/518376/
Although, I hadn't setup mobileme with a desktop mail client yet. I just did because someone claimed imap ssl (port 993) worked. In fact, it does Thanks for the heads up on that.
Anyway, yea, of course login and account management is ssl. That's been web 101 for some time. None of the web apps being ssl is just dumb though. I realize google does the same thing with the gmail web interface, but that's not an excuse.
These are all consumer services, sure, but that doesn't mean I'm not just as concerned about privacy as businesses are. I don't know about you guys, but I want to know that my private data is traveling across the internet encrypted!
https://forums.macrumors.com/threads/518376/
Although, I hadn't setup mobileme with a desktop mail client yet. I just did because someone claimed imap ssl (port 993) worked. In fact, it does
Thanks for the heads up on that.Anyway, yea, of course login and account management is ssl. That's been web 101 for some time. None of the web apps being ssl is just dumb though. I realize google does the same thing with the gmail web interface, but that's not an excuse.
These are all consumer services, sure, but that doesn't mean I'm not just as concerned about privacy as businesses are. I don't know about you guys, but I want to know that my private data is traveling across the internet encrypted!
Wirelessly posted (Mozilla/5.0 (iPhone; U; CPU iPhone OS 2_0_1 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5B108 Safari/525.20)
How about using Encrypted ZIP files for iDisk backup or shared storage?
jc1350 said:
You're right...I was too stupid to notice. the logon does use ssl. Well...I'll stop my bitching now.
How about using Encrypted ZIP files for iDisk backup or shared storage?
Well, vista can use https for idisk access, and so I assume that OS X can, too, but I don't know how.You're right...I was too stupid to notice. the logon does use ssl. Well...I'll stop my bitching now.
Well, you can do that, but aren't encrypted zip files pretty insecure, too?
You're probably better off using truecrypt or gpg.
Not if you use the STRONG AES Encrypted ZIP Files. New for PKZIP and WinZip for the last 3-5 years (not sure exactly when it came out. The older encryption (which is what I think you are talking about) was not that strong.
However, when I wrote that I was't thinking that you can use SSL for iDisk. At least I can on Windows Network Drive. I am on Vista. So if you have no need to make the files smaller you can just use SSL.