August 2008
The Real Problem with MobileMe Security (or lack thereof)
Over the past couple of days, a debate has been raging over the security (or lack thereof) on MobileMe’s web services. While it’s obvious to anybody who is paying attention that the MobileMe web services do not use an SSL connection to secure any data beyond your password, a recent article by “Prince McLean” at AppleInsider implies that this is actually of no concern as the JSON data exchanges between the client and server apps are themselves secure:
Data transaction security in MobileMe’s web apps is based upon authenticated handling of JSON data exchanges between the self-contained JavaScript client apps and Apple’s cloud, rather than the SSL web page encryption used by HTTPS. The only real web pages MobileMe exchanges with the server are the HTML, JavaScript, and CSS files that make up the application, which have no need for SSL encryption following the initial user authentication. This has caused some unnecessary panic among web users who have equated their browser’s SSL lock icon with web security. And of course, Internet email is not a secured medium anyway once it leaves your server.
Of course, whenever a comment like this is made, you can rest assured that there will be more than a few people who will be eager to check it out — in many cases simply out of idle curiosity.
Several posts in the comments to the above article (mine included) make the situation quite clear: The data exchanges between the MobileMe back-end and the user’s browser are definitely not in any way encrypted. Data transactions travel “in the clear.”
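To make the distinction the quoted claim blurs concrete, here is an added illustration (my own code, not MobileMe’s protocol; the session key and the messages are constructed): a JSON exchange that is “authenticated” with an HMAC tag resists tampering, yet a passive observer on the network path reads every field without knowing the key. Authentication and integrity are not confidentiality; only encryption of the transport (SSL) hides the data.

```python
import hmac
import hashlib
import json
from typing import Optional

# Constructed illustration: a shared secret the client and server could have
# agreed on during the SSL-protected login. Not a real key, not MobileMe's scheme.
SESSION_KEY = b"example-session-key-not-real"


def sign_message(payload: dict, key: bytes = SESSION_KEY) -> bytes:
    """Wrap a JSON payload with an HMAC-SHA256 tag (integrity only, no secrecy)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"body": body.decode(), "tag": tag}).encode()


def verify_message(wire: bytes, key: bytes = SESSION_KEY) -> Optional[dict]:
    """Receiving side: accept the payload only if the tag matches, else None."""
    envelope = json.loads(wire)
    body = envelope["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None
    return json.loads(body)


def eavesdrop(wire: bytes) -> dict:
    """Passive observer on an unencrypted link: the body is plain JSON, no key needed."""
    return json.loads(json.loads(wire)["body"])


def tamper(wire: bytes) -> bytes:
    """Modify the body in transit; the HMAC will no longer verify."""
    envelope = json.loads(wire)
    envelope["body"] = envelope["body"].replace("Alice", "Mallory")
    return json.dumps(envelope).encode()


if __name__ == "__main__":
    # Constructed sample message, the kind of data a webmail client would exchange.
    wire = sign_message({"to": "Alice", "subject": "Q3 numbers", "body": "see attached"})
    print("receiver accepts:", verify_message(wire))
    print("eavesdropper reads:", eavesdrop(wire))
    print("tampered message accepted:", verify_message(tamper(wire)) is not None)
```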