Printed from http://www.macnn.com

MobileMe lacking in browser security: no SSL

updated 11:15 am EDT, Thu August 21, 2008

MobileMe browser security

Apple's MobileMe service is lacking in a useful security measure, a new report suggests. Observers note that while the web component's login process is encrypted, it does not appear to use SSL (Secure Sockets Layer) or any other type of encryption when actually sending data. Theoretically, this means that a hacker sharing the same Wi-Fi hotspot could intercept data a person is sending via their web browser.

Webmail services from Yahoo and Microsoft are said to be lacking in this type of security as well, but the issue may be more substantial in the case of MobileMe, as users are transferring not just e-mail but calendars and contact information. This is not, however, a critical problem, according to Noam Rathaus, a CTO at Beyond Security. "I wouldn't say that it's a critical issue or something that's a reason not to use the service, but it's definitely something that should be addressed," he comments.

Wolfgang Kandek, CTO at another security company, Qualys, recommends that MobileMe users truly concerned about security send e-mail through alternate means. VPN connections may eliminate the problem, but only if they are configured to secure traffic to websites as well as corporate servers.

UPDATE: There are companies offering full-session SSL protection, including free services such as Google's Gmail, according to a TidBITS article. The fact that this free service offers SSL protection, but the $100 MobileMe service does not, has been frustrating for many users. iChat was found to be secure, even through MobileMe, as long as one side isn't using an unsecured chat service such as AIM.

by MacNN Staff


Comments

  1. Guest

    Joined: Dec 1969

    +5

    Page != Content

    Remember, when using a dynamic webapp: the page is not the content.

    The actual web page is loaded with unsecured HTTP because it contains no data. The actual data, your sensitive email and other information, is loaded by a JavaScript request as in any AJAX application. This is the connection that must be secured.

    In MobileMe, data is not loaded dynamically using AJAX (XmlHttpRequest) but by using JSON.

    As you said, it does not APPEAR to use SSL but this does not mean it is not secured.

  1. QualleyIV

    Joined: Dec 1969

    +1

    Wow, don't trust this guy

    Wolfgang Kandek, CTO at another security company, Qualys, recommends that MobileMe users truly concerned about security send e-mail through alternate means. VPN connections may eliminate the problem, but only if they are configured to secure traffic to websites as well as corporate servers.

    Hmm. CTO, at a security company, really? First, as the previous poster stated, he obviously hasn't looked very hard at the technology underlying Mobile Me. Second, it doesn't make much difference whether you send email over a VPN if it's just going to traverse the public internet. You don't want to be sending your email password in the clear (even though many people still do), but as for the contents of your email, unless you're encrypting it, using a VPN isn't going to do a whole lot for you.

    In other words, I think the biggest security risk this article uncovers would be the advice of this "security expert".

  1. wfolta

    Joined: Dec 1969

    +3

    Non-web-app MM

    I believe that if you use the Mail app, you will get an SSL connection. Not sure what happens if you update an Address Book or Calendar entry. Should be investigated...

  1. testudo

    Joined: Dec 1969

    -5

    Re: Page != Content

    Your explanation is one reason the internet is actually less secure these days. With embedded login frames (my bank uses one of these), the page isn't secure but 'supposedly' the login is. Exactly how can one tell? Oh, the padlock on the page and the text that says "Login data is sent securely!". Like you can trust a site that says "Your data is secure".

    But, since MacNN is like a week behind in this 'breaking' story, if you read the articles and discussions on this elsewhere, it basically comes down to this: the login is done securely, but then all other activities are done in the open. This may not be much of an issue at home, but it is when you are on any publicly accessible network.

    And MobileMe isn't just mail, it is also access to your calendar, your contacts, and your iDisk.
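The point made in the "Page != Content" comment and in this reply is that a padlock on the page, or an HTTPS login frame, says nothing about the requests that actually carry mail, contacts and calendar data. The script below is an added example, not code from MacNN or any commenter: it audits a constructed, HAR-style list of browser requests (placeholder hostnames and paths, not MobileMe's real endpoints) and reports which data calls and form posts travelled over plain HTTP.

```python
"""Audit a captured browser session for data requests sent without TLS.

Added example; the request log is constructed and the hostnames are
placeholders, not real MobileMe endpoints.
"""
from urllib.parse import urlsplit

# Constructed capture in the shape of a HAR export: "kind" mirrors the
# devtools resource type (document, script, xhr, fetch, ...).
SAMPLE_REQUESTS = [
    {"url": "https://login.example.test/auth", "kind": "document", "method": "POST"},
    {"url": "http://www.example.test/mail/", "kind": "document", "method": "GET"},
    {"url": "http://www.example.test/static/app.js", "kind": "script", "method": "GET"},
    {"url": "http://www.example.test/mail/messages.json", "kind": "xhr", "method": "GET"},
    {"url": "http://www.example.test/contacts/list.json", "kind": "xhr", "method": "GET"},
    {"url": "https://www.example.test/calendar/events", "kind": "xhr", "method": "GET"},
]

# Resource types that carry user data rather than page scaffolding.
DATA_KINDS = {"xhr", "fetch"}


def classify(req):
    """Return 'encrypted', 'plaintext-data' or 'plaintext-page' for one request."""
    scheme = urlsplit(req["url"]).scheme
    if scheme == "https":
        return "encrypted"
    if req["kind"] in DATA_KINDS:
        return "plaintext-data"          # the AJAX call that moves the mailbox
    return "plaintext-page"              # HTML/JS shell, still injectable by a peer


def audit(requests):
    """Group URLs by exposure; a plaintext POST is the credential-leak case."""
    report = {"plaintext_data": [], "plaintext_pages": [], "plaintext_posts": []}
    for req in requests:
        exposure = classify(req)
        if exposure == "plaintext-data":
            report["plaintext_data"].append(req["url"])
        elif exposure == "plaintext-page":
            report["plaintext_pages"].append(req["url"])
        if exposure != "encrypted" and req["method"] != "GET":
            report["plaintext_posts"].append(req["url"])
    return report


if __name__ == "__main__":
    for category, urls in audit(SAMPLE_REQUESTS).items():
        for url in urls:
            print(f"{category}: {url}")
```

On a real capture, export the session as HAR from the browser's developer tools and feed its entries in the same shape; the padlock on the login page would be irrelevant to what lands in plaintext_data.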

  1. testudo

    Joined: Dec 1969

    -4

    Re: Wow, don't trust this

    The problem is that the most insecure part of the internet is the space between you and the provider. Sure, email is unencrypted bouncing around the giant internet, but you are more likely to run into DNS attacks, sniffers, etc, on your local network, not between Comcast's servers and Apple's servers, say.

    Now, a lot of services aren't encrypted. And I'm not going to argue it necessarily should be. But how is it a bad thing for you to know that using MobileMe is being done insecurely? Because Apple certainly didn't tell you. And, as the first poster says, the underlying calls may or may not be; there's no way for the user to tell. But, apparently, knowledge is bad. It would be better if no one knew whether it was secure or not.

    And it has been checked by people, and it has been shown to be unencrypted.

  1. testudo

    Joined: Dec 1969

    -3

    Re: non web-app

    If you turn on security in your mail program (be it mail.app or anything else), it would be secure to the server. And, I believe that syncing is also done over a secure layer, but don't hold me to that.

    I don't know about Push technology over Wi-Fi to an iPhone/touch, though.

  1. ViktorCode

    Joined: Dec 1969

    +2

    Bad science?

    As those mentioned "security professionals" never bothered to try and intercept MobileMe data, they can't say whether it is really encrypted or not. They noticed the lack of the SSL sign in the browser during a MobileMe web session, and that's all they have for research. Those are professionals? Unfortunately, for many readers they still are.

  1. QualleyIV

    Joined: Dec 1969

    +4

    @testudo

    "And it has been checked by people, and it has been shown to be unencrypted."

    Cite your source. These so called "security experts" don't and neither do you. Instead, you retort "But, apparently, knowledge is bad. It would be better if no one knew whether it was secure or not."

    The bottom line is that you don't know. "Knowledge" is not speculation that happens to agree with your point of view...

  1. BelugaShark

    Joined: Dec 1969

    +3

    first poster

    First poster is 100% correct.

  1. cmoney

    Joined: Dec 1969

    -2

    Really?

    this is the first you guys have heard of this? the discussion has been going on all week. testudo is right...
