Security threat on mobile me?

[chameleon81]

This is what I read today... I dont have knowledge about computer security but this is what was claimed :


"
Apple does not encrypt data
that users send from browsers through MobileMe. The lack of SSL
(Secure Sockets Layer) or any other form of encryption means that if a
MobileMe user is connected to the Internet via a Wi-Fi hotspot,
someone else connected to the same hotspot could relatively easily see
all the data that the MobileMe user sends. "


Full post :http://groups.google.com/group/n3td3v/browse_thread/thread/0bcb900f2dc5271f

 

[Darwin]

Sadly this appears to be the case.

The Lack of SSL for a paid service holding information of value is certainly troublesome. I'm wondering if there is a good reason for the feature to be left out. I can't recall if even DotMac had full SSL capabilities.

Is it the hosting with Akamai servers which gives them pause? Since you need to have a Domain and IP matched together to have a SSL certificate and Akamai have quite a few of those.

Would that be the reason, I'm curious.

 

[chameleon81]

I believe that you can have a pool of IP addresses? ( my logic makes me believe, still no knowledge )

 

[Marie123456]

I just started using Mobile Me. Does this mean that you shouldn't have it set to automatically update in case you are in a hot spot?

 

[Daveoc64]

I read on AppleInsider (although I must say that the article was very biased towards Apple so I don't know how credible this is) that the way the site is designed SSL isn't needed for security as there's enough security in the AJAX that the site uses.

 

[RevK]

It is worth noting that MobileMe LOGIN is encrypted using SSL. (https://auth.apple.com).

The only information that theoretically could be compromised is calendar, email, account settings, contacts.

 

[Darwin]

I just started using Mobile Me. Does this mean that you shouldn't have it set to automatically update in case you are in a hot spot?

From what I've read it appears that it's only access to the Web applications at me.com which do not provide encryption. All the sync services from Mac, PC and iPhones are encrypted so you shouldn't have any worries there.

Just don't check your e-mail from the web browser.

 

[jc1350]

free public VPN

When I use an untrusted network (public wi-fi for example) I use the free VPN from http://www.hotspotshield.com/.

This a VPN I read about in a security article in Macworld Magazine (about 6 months ago).

This should help alleviate SOME of the fears (the connection from your laptop to hotspotshield is encrypted, so people on the same wi-fi network can't snoop your connection), but it doesn't fully address the lack of SSL (unencrypted from hotspotshield.com to me.com)

As for SSL itself: the server certificate is tied to the fully-qualified-host-name, not the IP address. You can also spend a lot of money to get a wildcard cert that is good for any host on the designated domain/sub-domain.

 

[Zengrok]

It is worth noting that MobileMe LOGIN is encrypted using SSL. (https://auth.apple.com).

The only information that theoretically could be compromised is calendar, email, account settings, contacts.

Account settings are secure: https://secure.me.com/account/

WiFi hotspots are dangerous for many reasons.