macnn

08/21/2008, 11:15am, EDT


MobileMe lacking in browser security: no SSL

Apple's MobileMe service is lacking in a useful security measure, a new report suggests. Observers note that while the web component's login process is encrypted, it does not appear to use SSL (Secure Sockets Layer) or any other type of encryption when actually sending data. Theoretically, this means that a hacker sharing the same Wi-Fi hotspot could intercept data a person is sending via their web browser.

Webmail services from Yahoo and Microsoft are said to be lacking in this type of security as well, but the issue may be more substantial in the case of MobileMe, as users are transferring not just e-mail but calendars and contact information. This is not, however, a critical problem, according to Noam Rathaus, a CTO at Beyond Security. "I wouldn't say that it's a critical issue or something that's a reason not to use the service, but it's definitely something that should be addressed," he comments.

Wolfgang Kandek, CTO at another security company, Qualys, recommends that MobileMe users truly concerned about security send e-mail through alternate means. VPN connections may eliminate the problem, but only if they are configured to secure traffic to websites as well as corporate servers.

UPDATE: There are companies offering full-session SSL protection, including free services such as Google's Gmail, according to a TidBITS article. The fact that this free service offers SSL protection, but the $100 MobileMe service does not, has been frustrating for many users. iChat was found to be secure, even through MobileMe, as long as one side isn't using an unsecured chat service such as AIM.


Filed under: security, Graphics/Web Design, Apple
Other story tags: MobileMe, browsers, e-mail, VPN



12 comments

Page != Content

5
08/21, 11:44am, EDT

Remember when using a dynamic webapp: the page is not the content.

The actual web page is loaded with unsecured HTTP because it contains no data. The actual data, your sensitive email and other information, is loaded by a JavaScript request as in any AJAX application. This is the connection that must be secured.

In MobileMe, data is not loaded dynamically using AJAX (XmlHttpRequest) but by using JSON.

As you said, it does not APPEAR to use SSL but this does not mean it is not secured.
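The comment above makes the point that the page and the data travel over separate connections, and the "how can one tell?" question later in the thread is answered by looking at the actual request log rather than the padlock. The following is an added example written for this page, not code from MacNN, Apple or any of the commenters. It audits a list of captured request/response pairs (as a proxy or HAR export would record them) for the exact pattern the article describes: an HTTPS login that sets a session cookie without the Secure attribute, after which the browser happily sends that cookie, and the JSON data calls, over plaintext HTTP. All hostnames, paths and cookie values are constructed placeholders, not real MobileMe endpoints.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class Capture:
    """One request/response pair as a proxy or HAR export would record it (constructed)."""
    method: str
    url: str
    request_headers: Dict[str, str] = field(default_factory=dict)
    response_headers: Dict[str, str] = field(default_factory=dict)


# Constructed sample traffic modelling the pattern in the article: HTTPS login,
# then plaintext HTTP for the page shell and for its AJAX/JSON data calls.
# The .invalid hostnames are hypothetical placeholders, not real endpoints.
SAMPLE_CAPTURES: List[Capture] = [
    Capture("POST", "https://login.example.invalid/authenticate",
            {"Content-Type": "application/x-www-form-urlencoded"},
            {"Set-Cookie": "sessionid=abc123; Path=/; HttpOnly",
             "Content-Type": "text/html"}),
    Capture("GET", "http://www.example.invalid/mail/",
            {"Cookie": "sessionid=abc123"},
            {"Content-Type": "text/html"}),
    Capture("GET", "http://www.example.invalid/mail/inbox.json",
            {"Cookie": "sessionid=abc123", "X-Requested-With": "XMLHttpRequest"},
            {"Content-Type": "application/json"}),
    Capture("GET", "https://www.example.invalid/static/app.js",
            {}, {"Content-Type": "application/javascript"}),
]


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit(captures: List[Capture]) -> Dict[str, list]:
    """Report where a session can leak onto plaintext HTTP.

    insecure_cookies:        cookies set without the Secure attribute, so a
                             browser will also send them over http://
    plaintext_with_session:  http:// requests that carried a Cookie header
    plaintext_data_calls:    http:// requests that look like AJAX/JSON data
                             fetches (the "content" rather than the "page")
    """
    findings: Dict[str, list] = {
        "insecure_cookies": [],
        "plaintext_with_session": [],
        "plaintext_data_calls": [],
    }
    for c in captures:
        scheme = urlsplit(c.url).scheme.lower()

        set_cookie = _header(c.response_headers, "Set-Cookie")
        if set_cookie:
            name, attrs = parse_set_cookie(set_cookie)
            if "secure" not in attrs:
                findings["insecure_cookies"].append((name, c.url))

        if scheme == "http":
            if _header(c.request_headers, "Cookie") is not None:
                findings["plaintext_with_session"].append(c.url)
            ctype = (_header(c.response_headers, "Content-Type") or "").lower()
            is_xhr = _header(c.request_headers, "X-Requested-With") == "XMLHttpRequest"
            if ctype.startswith("application/json") or is_xhr:
                findings["plaintext_data_calls"].append(c.url)
    return findings


if __name__ == "__main__":
    for category, items in audit(SAMPLE_CAPTURES).items():
        print(category)
        for item in items:
            print("   ", item)
```

Running it against the constructed capture flags the login cookie (no Secure attribute), both plaintext requests that carried it, and the inbox JSON call as the data connection that should have been TLS-only. The two fixes the findings point at are the ones the thread circles around: serve the data endpoints over HTTPS and mark the session cookie Secure so the browser cannot send it over plaintext even if a page element is loaded over HTTP.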

Wow, don't trust this guy

1
08/21, 11:53am, EDT

Wolfgang Kandek, CTO at another security company, Qualys, recommends that MobileMe users truly concerned about security send e-mail through alternate means. VPN connections may eliminate the problem, but only if they are configured to secure traffic to websites as well as corporate servers.

Hmm. CTO, at a security company, really? First, as the previous poster stated, he obviously hasn't looked very hard at the technology underlying MobileMe. Second, it doesn't make much difference whether you send email over a VPN if it's just going to traverse the public internet. You don't want to be sending your email password in the clear (even though many people still do), but as for the contents of your email, unless you're encrypting it, using a VPN isn't going to do a whole lot for you.

In other words, I think the biggest security risk this article uncovers would be the advice of this "security expert".


Non-web-app MM

3
08/21, 11:55am, EDT

I believe that if you use the Mail app, you will get an SSL connection. Not sure what happens if you update an Address Book or Calendar entry. Should be investigated...


Re: Page != Content

-5
08/21, 12:00pm, EDT

Your explanation is one reason the internet is actually less secure these days. With embedded login frames (my bank uses one of these), the page isn't secure but 'supposedly' the login is. Exactly how can one tell? Oh, the padlock on the page and the text that says "Login data is sent securely!". Like you can trust a site that says "Your data is secure".

But, since MacNN is like a week behind in this 'breaking' story, if you read the articles and discussions on this elsewhere, it basically comes down to this: the login is done securely, but then all other activities are done in the open. This may not be much of an issue at home, but it is when you are on any publicly accessible network.

And MobileMe isn't just mail, it is also access to your calendar, your contacts, and your iDisk.


Re: Wow, don't trust this

-4
08/21, 12:06pm, EDT

The problem is that the most insecure part of the internet is the space between you and the provider. Sure, email is unencrypted bouncing around the giant internet, but you are more likely to run into DNS attacks, sniffers, etc., on your local network, not between Comcast's servers and Apple's servers, say.

Now, a lot of services aren't encrypted. And I'm not going to argue it necessarily should be. But how is it a bad thing for you to know that using MobileMe is being done insecurely? Because Apple certainly didn't tell you. And, as the first poster says, the underlying calls may or may not be; there's no way for the user to tell. But, apparently, knowledge is bad. It would be better if no one knew whether it was secure or not.

And it has been checked by people, and it has been shown to be unencrypted.


Re: non web-app

-3
08/21, 12:08pm, EDT

If you turn on security in your mail program (be it mail.app or anything else), it would be secure to the server. And, I believe that syncing is also done over a secure layer, but don't hold me to that.

I don't know about Push technology over Wi-Fi to an iPhone/touch, though.


Bad science?

2
08/21, 12:15pm, EDT

As those mentioned "security professionals" never bothered to try and intercept MobileMe data, they can't say whether it is really encrypted or not. They noticed the lack of the SSL sign in the browser during a MobileMe web session, and that's all they have for research. Those are professionals? Unfortunately, for many readers they still are.


@testudo

4
08/21, 12:27pm, EDT

"And it has been checked by people, and it has been shown to be unencrypted."

Cite your source. These so called "security experts" don't and neither do you. Instead, you retort "But, apparently, knowledge is bad. It would be better if no one knew whether it was secure or not."

The bottom line is that you don't know. "Knowledge" is not speculation that happens to agree with your point of view...


first poster

3
08/21, 12:44pm, EDT

First poster is 100% correct.


Really?

-2
08/21, 12:57pm, EDT

This is the first you guys have heard of this? The discussion has been going on all week. testudo is right...
