updated 11:15 am EDT, Thu August 21, 2008
MobileMe browser security
Apple's MobileMe service is lacking in a useful security measure, a new report suggests. Observers note that while the web component's login process is encrypted, it does not appear to use SSL (Secure Sockets Layer) or any other type of encryption when actually sending data. Theoretically, this means that a hacker sharing the same Wi-Fi hotspot could intercept data a person is sending via their web browser.
Webmail services from Yahoo and Microsoft are said to be lacking in this type of security as well, but the issue may be more substantial in the case of MobileMe, as users are transferring not just e-mail but calendars and contact information. This is not, however, a critical problem, according to Noam Rathaus, a CTO at Beyond Security. "I wouldn't say that it's a critical issue or something that's a reason not to use the service, but it's definitely something that should be addressed," he comments.
Wolfgang Kandek, CTO at another security company, Qualys, recommends that MobileMe users truly concerned about security send e-mail through alternate means. VPN connections may eliminate the problem, but only if they are configured to secure traffic to websites as well as corporate servers.
UPDATE:There are companies offering full session SSL protection, including free services such as Google's Gmail, according to a TidBITS article. The fact that this free service offers SSL protection, but the $100 MobileMe service does not, has been frustrating for many users. iChat was found to be secure, even through MobileMe, as long as one side isn't using an unsecured chat such as AIM.