MobileMe No SSL

[jc1350]

The built-in idisk connection on Mac (the pretty purple icon) uses http. To get https you have to map it via Finder like any other network share.

So, I guess I'm set. I'll let my trial run and pay for it near the end.

Silly that Apple doesn't default to https with the built-in idisk mapping

 

[cv01]

Has anyone mentioned this to them via the support chat?

Yes, the transcript is here:
http://www.rantsandstuff.com/2008/07/28/apples-mobileme-web-apps-dont-use-https/

 

[tony4d]

Hey everyone, appleinsider is reporting that ssl doesn't matter at me.com! I posted a comment about their article:

http://forums.appleinsider.com/showthread.php?p=1293874#post1293874

 

[TLewis]

Hey everyone, appleinsider is reporting that ssl doesn't matter at me.com!

Meh.

I think that article is so full of fail, that it's not worth responding to it.

 

[tony4d]

Meh.

I think that article is so full of fail, that it's not worth responding to it.

Its a good article, and the iPhone and MobileMe series of articles they've been doing are actually very good in my opinion. What's so bad about the article?

 

[Cadium]

Hey everyone, appleinsider is reporting that ssl doesn't matter at me.com! I posted a comment about their article:

http://forums.appleinsider.com/showthread.php?p=1293874#post1293874

It doesn't matter on the me.com website with the web applications but it does matter when you are using another mail client (Apple Mail, Mail on the iPhone, etc).

 

[TLewis]

What's so bad about the article?

Unbelievably bad security info, in my opinion.

 

[TLewis]

It doesn't matter on the me.com website with the web applications but it does matter when you are using another mail client (Apple Mail, Mail on the iPhone, etc).

I think you have that backwards: the me.com website doesn't appear to have security for most pages (logging in and account settings being the exceptions that I know about). I believe the mail clients can be secure, but I do not know if the default settings make them secure (you may have to change settings to make them secure).

 

[Cadium]

I think you have that backwards: the me.com website doesn't appear to have security for most pages (logging in and account settings being the exceptions that I know about). I believe the mail clients can be secure, but I do not know if the default settings make them secure (you may have to change settings to make them secure).

By default, when configuring a MobileMe account in Apple Mail or iPhone Mail, your account is configured to use SSL. The reason why the me.com web applications do not require SSL is that things are secured on a lower level (through the SproutCore JavaScript engine and JSON authentication).

 

[TLewis]

By default, when configuring a MobileMe account in Apple Mail or iPhone Mail, your account is configured to use SSL. The reason why the me.com web applications do not require SSL is that things are secured on a lower level (through the SproutCore JavaScript engine and JSON authentication).

Umm, I don't know if that is how things are "supposed to work, but doesn't" (you never know with MM ), or if it's just wrong, but:

If you use a lan analyzer, you can clearly see that your MM webmail is not encrypted. If you use a public wifi point, any bad guys around you can see your email. (And, yes, I just re-verified this.)
​

And that's the acid test: if anyone can use a trivial lan analyzer and see their email, then anyone else could possibly do so, too.

Also, to be secure, SSL would have to be used at some point. I think people are getting confused by the fact that an apparently unencrypted page (http) can use SSL behind the scenes, and that fact may not be apparent to the user. It may appear that SSL is not being used, but it can be.

 

[tony4d]

By default, when configuring a MobileMe account in Apple Mail or iPhone Mail, your account is configured to use SSL. The reason why the me.com web applications do not require SSL is that things are secured on a lower level (through the SproutCore JavaScript engine and JSON authentication).

I can tell you don't know what you're talking about and instead are just repeating what you heard or read somewhere. For one thing, a javascript library is not "lower level" than protocol encryption like ssl.

Anyway, this is exactly my point. If you look at the http requests and responses made when browsing around the me.com web apps you'll clearly see that all json requests and responses are NOT using ssl. They are all normal http requests and responses. Furthermore, there is no encryption being performed by the sproutcore library, and even if there was it would be completely useless, cause someone could still capture your requests and decrypt it!

FYI, I pointed out in a previous post that apple does provide imap with ssl. So yea, normal desktop apps can use ssl, which is wonderful Here though, we're talking about the me.com apps, which are completely open to man in the middle attacks that can snoop and steal your private data.