MobileMe lacking in browser security: no SSL
updated 11:15 am EDT, Thu August 21, 2008
MobileMe browser security
Apple's MobileMe service lacks a useful security measure, a new report suggests. Observers note that while the web component's login process is encrypted, it does not appear to use SSL (Secure Sockets Layer) or any other type of encryption when actually sending data. In theory, this means that a hacker sharing the same Wi-Fi hotspot could intercept data a person is sending via their web browser.
Webmail services from Yahoo and Microsoft are said to lack this type of protection as well, but the issue may be more substantial in the case of MobileMe, as users are transferring not just e-mail but calendars and contact information. This is not, however, a critical problem, according to Noam Rathaus, a CTO at Beyond Security. "I wouldn't say that it's a critical issue or something that's a reason not to use the service, but it's definitely something that should be addressed," he comments.
Wolfgang Kandek, CTO at another security company, Qualys, recommends that MobileMe users truly concerned about security send e-mail through alternate means. VPN connections may eliminate the problem, but only if they are configured to secure traffic to websites as well as corporate servers.
UPDATE: There are companies offering full session SSL protection, including free services such as Google's Gmail, according to a TidBITS article. The fact that this free service offers SSL protection, but the $100 MobileMe service does not, has been frustrating for many users. iChat was found to be secure, even through MobileMe, as long as one side isn't using an unsecured chat such as AIM.
Page != Content
08/21, 11:44am
Remember when using a dynamic web app: the page is not the content.
The actual web page is loaded with unsecured HTTP because it contains no data. The actual data, your sensitive email and other information, is loaded by a JavaScript request as in any AJAX application. This is the connection that must be secured.
In MobileMe, data is not loaded dynamically using AJAX (XmlHttpRequest) but by using JSON.
As you said, it does not APPEAR to use SSL but this does not mean it is not secured.
Guest
Fresh-Faced Recruit
Joined: Nov 1999
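The article says the login is encrypted but the data that follows is not; the comment above says the data requests are a separate connection and that the browser's padlock tells you nothing about them. Both points come down to the same question: for each request the page makes, did it travel over TLS? The following is an added example, not code from the article, the commenters, or Apple. It takes a list of request entries shaped like the two fields needed from the browser's PerformanceResourceTiming objects (`name`, the URL, and `initiatorType`, what issued the request), so on a live page you can run `auditTransport(location.href, performance.getEntriesByType('resource'))` from the developer console. The hostnames and request lists are constructed for the example and are not MobileMe's.

```javascript
// Added example, not from the article or its comments: audit which requests of one
// web session actually travelled over TLS. Entries mirror the `name` and
// `initiatorType` fields of PerformanceResourceTiming, so in a browser you can pass
// performance.getEntriesByType('resource') directly.

// Initiator types that normally carry application data (mail, contacts, calendar
// entries) rather than static page assets. 'fetch' and 'beacon' postdate 2008 and are
// included so the check stays useful on a modern page.
const DATA_INITIATORS = new Set(['xmlhttprequest', 'fetch', 'beacon']);

// URL scheme without the trailing colon, e.g. 'https', 'http', 'data'.
function scheme(url) {
  return new URL(url).protocol.slice(0, -1);
}

// One-word summary of a report. Order matters: application data in the clear is the
// worst case; an unencrypted page is next, because the script that issues the data
// requests is itself delivered unauthenticated even when those requests use HTTPS;
// then assets in the clear on an HTTPS page (mixed content).
function verdict(report) {
  if (report.clearTextData.length > 0) return 'data-in-clear';
  if (!report.pageEncrypted) return 'page-in-clear';
  if (report.clearTextAssets.length > 0) return 'mixed-content';
  return 'encrypted';
}

// Classify every request of a session by transport and by whether it carries data.
function auditTransport(pageUrl, entries) {
  const report = {
    pageEncrypted: scheme(pageUrl) === 'https',
    encryptedData: [],   // data requests protected by TLS
    clearTextData: [],   // data requests readable on the same network segment
    clearTextAssets: [], // scripts, styles, images fetched without TLS
  };
  for (const entry of entries) {
    const s = scheme(entry.name);
    const isData = DATA_INITIATORS.has(entry.initiatorType);
    if (s === 'https') {
      if (isData) report.encryptedData.push(entry.name);
    } else if (s === 'http') {
      (isData ? report.clearTextData : report.clearTextAssets).push(entry.name);
    }
    // data:, blob: and about: URLs never leave the browser; they are ignored.
  }
  report.verdict = verdict(report);
  return report;
}

// Constructed session resembling what the article describes: the login call is
// protected, everything after it is not. The hostname is invented.
function reportedSession() {
  const page = 'http://webmail.example.com/mail/';
  const entries = [
    { name: 'https://webmail.example.com/login', initiatorType: 'xmlhttprequest' },
    { name: 'http://webmail.example.com/app.js', initiatorType: 'script' },
    { name: 'http://webmail.example.com/mail/messages.json', initiatorType: 'xmlhttprequest' },
    { name: 'http://webmail.example.com/contacts.json', initiatorType: 'xmlhttprequest' },
    { name: 'https://webmail.example.com/logo.png', initiatorType: 'img' },
    { name: 'data:image/png;base64,AAAA', initiatorType: 'img' },
  ];
  return auditTransport(page, entries);
}

// Constructed session matching the comment's argument: an unencrypted page whose data
// requests all use HTTPS. The data is protected in transit; the page is not.
function ajaxOnlySession() {
  const page = 'http://webmail.example.com/mail/';
  const entries = [
    { name: 'http://webmail.example.com/app.js', initiatorType: 'script' },
    { name: 'https://webmail.example.com/mail/messages.json', initiatorType: 'xmlhttprequest' },
  ];
  return auditTransport(page, entries);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of [reportedSession(), ajaxOnlySession()]) {
    console.log(r.verdict, '- clear-text data requests:', r.clearTextData);
  }
}
```

The verdict order encodes the thread's disagreement: `data-in-clear` is the situation the article reports, and `page-in-clear` is the first commenter's case, where the JSON requests are encrypted but the HTTP page that issues them is not, so the padlock alone cannot settle which of the two a user is looking at; the request list can.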
Wow, don't trust this guy
08/21, 11:53am
Wolfgang Kandek, CTO at another security company, Qualys, recommends that MobileMe users truly concerned about security send e-mail through alternate means. VPN connections may eliminate the problem, but only if they are configured to secure traffic to websites as well as corporate servers.
Hmm. CTO, at a security company, really? First, as the previous poster stated, he obviously hasn't looked very hard at the technology underlying MobileMe. Second, it doesn't make much difference whether you send email over a VPN if it's just going to traverse the public internet. You don't want to be sending your email password in the clear (even though many people still do), but as for the contents of your email, unless you're encrypting it, using a VPN isn't going to do a whole lot for you.
In other words, I think the biggest security risk this article uncovers would be the advice of this "security expert".
QualleyIV
Fresh-Faced Recruit
Joined: Aug 2001
Non-web-app MM
08/21, 11:55am
I believe that if you use the Mail app, you will get an SSL connection. Not sure what happens if you update an Address Book or Calendar entry. Should be investigated...
wfolta
Fresh-Faced Recruit
Joined: Mar 2002
Re: Page != Content
08/21, 12:00pm
Your explanation is one reason the internet is actually less secure these days. With embedded login frames (my bank uses one of these), the page isn't secure but 'supposedly' the login is. Exactly how can one tell? Oh, the padlock on the page and the text that says "Login data is sent securely!". Like you can trust a site that says "Your data is secure".
But, since MacNN is like a week behind in this 'breaking' story, if you read the articles and discussions on this elsewhere, it basically comes down to this: the login is done securely, but then all other activities are done in the open. This may not be much of an issue at home, but it is when you are on any publicly accessible network.
And MobileMe isn't just mail, it is also access to your calendar, your contacts, and your iDisk.
testudo
Fresh-Faced Recruit
Joined: Aug 2001
Re: Wow, don't trust this
08/21, 12:06pm
The problem is that the most insecure part of the internet is the space between you and the provider. Sure, email is unencrypted bouncing around the giant internet, but you are more likely to run into DNS attacks, sniffers, etc, on your local network, not between Comcast's servers and Apple's servers, say.
Now, a lot of services aren't encrypted. And I'm not going to argue it necessarily should be. But how is it a bad thing for you to know that using MobileMe is being done insecurely? Because Apple certainly didn't tell you. And, as the first poster says, the underlying calls may or may not be; there's no way for the user to tell. But, apparently, knowledge is bad. It would be better if no one knew whether it was secure or not.
And it has been checked by people, and it has been shown to be unencrypted.
testudo
Fresh-Faced Recruit
Joined: Aug 2001
Re: non web-app
08/21, 12:08pm
If you turn on security in your mail program (be it mail.app or anything else), it would be secure to the server. And, I believe that syncing is also done over a secure layer, but don't hold me to that.
I don't know about Push technology over Wi-Fi to an iPhone/touch, though.
testudo
Fresh-Faced Recruit
Joined: Aug 2001
Bad science?
08/21, 12:15pm
As those mentioned "security professionals" never bothered to try and intercept MobileMe data, they can't say whether it is really encrypted or not. They noticed the lack of an SSL sign in the browser during a MobileMe web session, and that's all they have for research. Those are professionals? Unfortunately, for many readers they still are.
ViktorCode
Fresh-Faced Recruit
Joined: Jan 2006
@testudo
08/21, 12:27pm
"And it has been checked by people, and it has been shown to be unencrypted."
Cite your source. These so called "security experts" don't and neither do you. Instead, you retort "But, apparently, knowledge is bad. It would be better if no one knew whether it was secure or not."
The bottom line is that you don't know. "Knowledge" is not speculation that happens to agree with your point of view...
QualleyIV
Fresh-Faced Recruit
Joined: Aug 2001
first poster
08/21, 12:44pm
First poster is 100% correct.
BelugaShark
Fresh-Faced Recruit
Joined: Aug 2007
Really?
08/21, 12:57pm
This is the first you guys have heard of this? The discussion has been going on all week. testudo is right...
cmoney
Dedicated MacNNer
Joined: Sep 2000