Several posts in the comments to the above article (mine included) make the situation quite clear: The data exchanges between the MobileMe back-end and the user's browser are definitely not in any way encrypted. Data transactions travel "in the clear."
I won't bother boring anybody with the details: Jens Alfke and Thomas Robinson have both already done an excellent job of clarifying the actual facts involved. However, despite this, the spreading of misinformation seems to continue largely unabated. In comments and responses to these posts, "Prince McLean" backpedals slightly in claiming that he never claimed that MobileMe was actually encrypting data, but that he was rather merely referring to the authentication aspect of the JSON apps that would prevent somebody from spoofing a MobileMe server. However, in the original article he goes on to say:
"If Apple applied SSL encryption in the browser, it would only slow down every data exchange without really improving security, and instead only provide pundits with a false sense of security that distracts from real security threats."

The suggestion is therefore obviously that the JSON methodology he discusses is somehow better than SSL encryption, since SSL would not really do anything about "improving security."
Statements such as these would clearly lead most readers to believe that MobileMe is in fact securing their data. Certainly this was the impression that I was left with on an initial read, and I was obviously not alone in this as I originally found the article linked on Daring Fireball, where John Gruber was initially under the same impression.
More important than this, however, is the new flavour of misinformation that now seems to have spread as a follow-up. In reading the responses from "Prince McLean" it is apparent that his tactics have changed: he now suggests that his comments about SSL not providing any enhanced security are based upon his feeling that there really is no need to encrypt traffic on the Internet -- that most "security experts" are really just evil shysters promoting their own agendas by making us believe that sending confidential information around unencrypted is somehow a bad thing.
For instance, in a comment made by McLean in a response to Jens Alfke's post, he states:
"You also would never say your credit card number over the phone when ordering a pizza because somebody might be listening into your unencrypted phone conversation. Right.

Of course, if somebody has the capacity to sniff your local network traffic, you have already been compromised. They're probably also going through your house taking DNA samples so they can clone you and replace you with a fake you."

The point that he seems to be missing here is that SSL encrypts your data in transit before it leaves your computer. The suggestion made elsewhere that Internet e-mail is inherently insecure anyway holds no water, since there's a world of difference between sniffing SMTP sessions at a backbone router and doing it between your computer and the server.
The real goal of data security in this case is to secure the session between the end-user device and the destination server. This is the one area in which traffic is most vulnerable to interception and eavesdropping.
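To make the authentication-versus-confidentiality distinction concrete, here is a small added model (not code from the article or from MobileMe) of a JSON request protected only by an HMAC tag over plain HTTP. The shared key, field names and request shape are constructed assumptions; the point is that the server can reject a forged request while a passive listener on the same hotspot still reads the whole body.

```python
import hashlib
import hmac
import json

# Constructed example: a shared secret that the browser-side JSON app and the server
# both hold. Hypothetical stand-in, not MobileMe's actual authentication scheme.
SESSION_KEY = b"constructed-session-key-not-a-real-secret"


def sign_request(body: dict, key: bytes) -> dict:
    """Client side: serialise the JSON body and attach an HMAC tag so the server
    can distinguish a genuine request from a spoofed or altered one."""
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, raw, hashlib.sha256).hexdigest()
    return {"body": raw.decode(), "auth": tag}


def verify_request(msg: dict, key: bytes) -> bool:
    """Server side: recompute the tag in constant time; without the key nobody can
    produce a valid one, so spoofing and tampering are detected."""
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["auth"])


def passive_observer_view(msg: dict) -> dict:
    """What a passive listener on the same open hotspot obtains from this exchange:
    the entire body, verbatim. The tag adds integrity, not confidentiality; only an
    encrypted transport such as SSL/TLS removes this exposure."""
    return json.loads(msg["body"])


def demo() -> dict:
    request = sign_request(
        {"action": "sendMail", "to": "alice@example.com",
         "subject": "Q3 numbers", "body": "..."},
        SESSION_KEY,
    )
    # A forged copy with the recipient swapped fails verification: spoofing is covered.
    forged = dict(request)
    forged["body"] = request["body"].replace("alice@example.com", "mallory@example.com")
    # The legitimate request, however, is fully readable to anyone who captured it.
    seen = passive_observer_view(request)
    return {
        "genuine_verifies": verify_request(request, SESSION_KEY),
        "forged_verifies": verify_request(forged, SESSION_KEY),
        "observer_reads_subject": seen["subject"],
    }


if __name__ == "__main__":
    print(demo())
```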
While one can acknowledge that the average user at home may be relatively unaffected by this (provided they're using a properly WEP or WPA-secured wireless network or a wired connection), the whole argument breaks down significantly when dealing with the mobile user hopping across WiFi access points. Most public WiFi hotspots are unprotected, and therefore anyone with one of any number of easily available tools can sit in the local Starbucks and sniff away at all the data travelling unencrypted over the air.
WEP and WPA exist for a reason, but these unfortunately get in the way of most public hotspots by requiring a password to be used, so more often than not no encryption is used at all in these locations.
This is further complicated by the proliferation of "free" WiFi hotspots out there that are actually being run independently, and some are even downright honeypots for intercepting and capturing whatever data they can. I have actually investigated a few of these, and while I'd be digressing by going into detail, the short version is that you should avoid any hotspot with a name like "Free Public Wi-Fi Access" like the plague.
As for real vs. perceived threats, the choice is between creating a false sense of security and recognizing that there really is no security present in this case. Suggesting with a bunch of bafflegab that the JSON exchanges are as secure as an SSL connection definitely provides a false sense of security, luring the user into assuming that the transactions between the browser and MobileMe servers are every bit as secure as those with an HTTPS service like Gmail, when in fact this is patently untrue.
Now, for most of the transactions that I would engage in via a web browser in a public location, I probably don't care all that much, but at the same time it's important that people understand that sending out e-mails that might contain sensitive information is a bad idea in these situations. Educating people on the risks of such things is never a bad thing, while spreading apologist propaganda that leads people to believe their data is secure when it's obviously not goes much too far in the opposing direction.
(Disclaimer: I am a security consultant as part of my day job. I write for iLounge as a part-time hobby. My full-time job is doing IT Consulting for major corporations and Canadian Federal Government agencies. My credentials include discovering one of the only security flaws ever found in Novell's GroupWise product).