Apple’s MobileMe Web Apps don’t use HTTPS
July 28th, 2008
UPDATED 4:40 PM CST 29 July
A commenter pointed out that since the MobileMe web application is an AJAX-based website, the asynchronous calls for data might be made over SSL. He had a very valid point; we had not verified this information prior to making the post, and I said we’d check into it. What I found was that we were half right. The short version is that the initial login information and all of the pages that contain personal information such as billing information, passwords, credit card info, etc. are SSL encrypted. However, everything else is NOT encrypted. Reading and editing email, for instance, is not encrypted. The following is the entire chat transcript between myself and a very helpful Apple Support operator, Jean:
General Info

| Chat start time | Jul 29, 2008 1:22:20 PM EST |
| Chat end time | Jul 29, 2008 1:55:56 PM EST |
| Duration (actual chatting time) | 00:33:36 |
| Operator | Jean |

Chat Transcript

info: Hi, my name is Jean. Welcome to Apple!
Jean: Hello Brad
Jean: You have a question about security?
Jean: Have you previously contacted MobileMe support (either by chat or by email) regarding this question?
Brad Allen: no, i have not contacted you before
Jean: Let me find some info for you on MobileMe’s security.
Jean: Be right back.
Brad Allen: my question is, I’ve read that your login information is sent via HTTPS but after that it’s pretty much just regular HTTP. the mobileme web app is an AJAX application so I was curious if the “behind the scenes” information is sent via SSL but the basic template of the page is just non-SSL
Jean: Okay, here comes a list of items for you to read:
Jean: MOBILEME SITE When you type your MobileMe member name and password in the MobileMe login page and click Login, your information is sent to Apple using secured 128-bit Secure Sockets Layer (SSL) encryption. This is true even though the MobileMe login page doesn’t have the symbols that typically denote a secure connection.
Jean: In the account settings area of MobileMe, all of the pages that contain your personal information, billing information, credit card information, and so on are all encrypted as well.
Brad Allen: one sec, sorry, i’m at work…
Jean: okay
Brad Allen: ok, so the login portion and the account settings area are all secure, but not everything else? like if i’m just viewing an email or something, that’s not over HTTPS?
Jean: Here is some more info:
Jean: As with the rest of the MobileMe site, the login page for MobileMe Mail is encrypted. The messages you read or send are not encrypted, however.
Jean: If you change the beginning of the address of the MobileMe Mail from “http://” to “https://”, you may notice that your browser now displays a lock icon. This does not make your connection any more or any less secure, however.
Brad Allen: interesting. ok, i think that’s all the info i need. thank you for your time. can this chat transcript be sent to the email address i provided?
Jean: Yes.
Jean: Thank you for chatting with me. Please click the blue “Close” button at top left to answer a few questions about the assistance I provided during this chat. You will also have the option to request a copy of the transcript be emailed to you.
Brad Allen: excellent, thank you.
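The reliable way to settle a question like this is not to look at the address bar but to capture the browser’s own request log (developer tools in Firefox and Chrome can save it as a HAR file) and check which requests went over plain http:// while carrying the session cookie. The script below is an added example written for this page, not code from Apple or from the original post; the HAR entries, the example.test host names and the cookie name `session` are all constructed for the demonstration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a HAR export (the JSON format browser developer tools
# save). Only the fields this audit reads are included; real exports carry
# headers, timings and bodies as well.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"method": "POST", "url": "https://auth.example.test/login",
                     "cookies": []},
         "response": {"status": 302}},
        {"request": {"method": "GET", "url": "http://mail.example.test/",
                     "cookies": [{"name": "session", "value": "<constructed>"}]},
         "response": {"status": 200}},
        {"request": {"method": "GET",
                     "url": "http://mail.example.test/mailbox/inbox?format=json",
                     "cookies": [{"name": "session", "value": "<constructed>"}]},
         "response": {"status": 200}},
        {"request": {"method": "GET", "url": "https://account.example.test/billing",
                     "cookies": [{"name": "session", "value": "<constructed>"}]},
         "response": {"status": 200}},
        {"request": {"method": "GET", "url": "http://static.example.test/app.css",
                     "cookies": []},
         "response": {"status": 200}},
    ]}
})

# Names of cookies that authenticate the user. Assumed for the example; take
# them from the Set-Cookie headers of the real login response.
SESSION_COOKIES = {"session"}


def audit_har(har_text, session_cookie_names=SESSION_COOKIES):
    """Classify every request in a HAR export by transport.

    Returns a dict with:
      'plaintext'        every http:// request URL,
      'exposed_sessions' the subset of those that also carried an
                         authenticating cookie, i.e. requests a passive
                         observer on the network path could read or replay,
      'per_host'         how many http vs https requests each host received.
    """
    entries = json.loads(har_text)["log"]["entries"]
    report = {"plaintext": [], "exposed_sessions": [], "per_host": {}}
    wanted = set(session_cookie_names)
    for entry in entries:
        req = entry["request"]
        parts = urlsplit(req["url"])
        scheme = parts.scheme.lower()
        host = (parts.hostname or "").lower()
        counts = report["per_host"].setdefault(host, {"http": 0, "https": 0})
        if scheme in counts:
            counts[scheme] += 1
        if scheme != "http":
            continue  # TLS-protected or non-HTTP (data:, about:) requests are fine
        report["plaintext"].append(req["url"])
        sent = {c["name"] for c in req.get("cookies", [])}
        if sent & wanted:
            report["exposed_sessions"].append(req["url"])
    return report


def all_authenticated_traffic_encrypted(report):
    """True only if no request carrying a session cookie went over plain HTTP."""
    return not report["exposed_sessions"]


if __name__ == "__main__":
    result = audit_har(SAMPLE_HAR)
    for host, counts in sorted(result["per_host"].items()):
        print(f"{host:28s} http={counts['http']} https={counts['https']}")
    print("plaintext requests:", len(result["plaintext"]))
    print("session cookie sent in the clear:")
    for url in result["exposed_sessions"]:
        print("  ", url)
    print("authenticated traffic encrypted:",
          all_authenticated_traffic_encrypted(result))
```

On the constructed capture the login POST and the billing page are over TLS, exactly as the support transcript says, but the two mail requests, including the JSON data call the page makes in the background, send the session cookie over plain HTTP. Run it on a real HAR export of your own session to see which of the app’s calls actually use 443.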
Walt Mossberg wrote a review of Apple’s $99/year MobileMe service. If you’re thinking about getting the service, his review is worth a look because it’s pretty thorough; however, it doesn’t mention this:
My biggest complaint about the MobileMe web apps is that after logging in, everything goes over HTTP, not HTTPS. Google offers HTTPS for free, but MobileMe costs $100 a year.
~John Gruber, Daring Fireball.net
Mr. Gruber brings up a very interesting point. Why would a company like Apple build a web service that’s not quite as secure as it could be? HTTPS isn’t all that hard to implement and with security on everybody’s minds these days why not go the extra mile? Especially for $100 damn dollars a year. Very interesting indeed…
~Brad
————————-
To take the counter on this, what can be gained by using HTTPS with the MobileMe apps? There is no financial or personal information transferred (other than contacts). It is also never a good idea to pass personal information via email, such as your CC number, passwords, and the like. If you do, you’re an idiot. That is just simple personal security. Do you throw an unused CC in the garbage without cutting it up first? Me either, so why would you email personal information (even your SS# can be used to gain a line of credit against your belongings) that is covered by the Privacy Act of 1974 and should be treated the same as you would your financial information? It is just as easy for a passer-by to dig through your trash as it is to gain access to your wireless network. I’m sure there is other information that you would not want leaked… I just can’t think of what it could be. My philosophy is to not email anything that I would not want published in the newspaper… or on this blog :)
~Jon
14 Responses to “Apple’s MobileMe Web Apps don’t use HTTPS”
1. SP
July 28th, 2008 @ 10:27 am
I recently found out through personal experience that HTTP allows ISPs to mine email addresses and sell them. In this case a friend sent email from/to my yahoo account from Africa. The very next day I had 5 spam items from Africa. This would not be the case if it were HTTPS. So HTTPS is not just for credit cards etc., but your name, date of birth (from birthday wishes), your email address and other personal info. You have no idea how good a profile can be built up based on emails passing through a server- esp. if one could track it using a trapped email address!
2. jon
July 28th, 2008 @ 11:08 am
As I stated in my post, personal information should not be used in email. However, information such as your name & DOB are public information and can be tracked without the need to snoop in email… such as you are in the Philly area. With just a little work I could find out who you are, your name, DOB, SS# through a credit check inquiry, get a loan in your name, all without the use of snooping in email. I believe it is best to be safe and to not pass personal info as I stated before.
~Jon
3. James Katt
July 28th, 2008 @ 11:18 am
The lack of HTTPS is a HUGE problem.
The reason is that MobileMe is supposed to do push email AND contacts AND calendar information.
The contacts and calendar information may often include personal and private information.
For example, it may contain your doctor’s name, people’s date of birth, private phone numbers, business contacts, clients, etc. These things are ripe for identity theft or business secrets theft, or privacy violations.
MobileMe is supposed to be Microsoft Exchange for the rest of us. But Microsoft Exchange does things in a secure manner.
As it is, if you run a business using your Mac, then you cannot use MobileMe because it transmits data insecurely.
If you have personal and private information in your contacts and calendars, you cannot use MobileMe.
This is sad then.
4. jon
July 28th, 2008 @ 11:42 am
James, thanks for the comment. I still believe that there are far easier (legal) ways to get the same information about a person. I do not know off the top of my head, but I would like to see some stats on where email ranks in being responsible for identity theft, and of that, how much could have been prevented by being more cautious?
5. Jonathan
July 28th, 2008 @ 11:55 am
My argument for needing HTTPS is simply that although people *shouldn’t* put personal information in email, etc., they still *do*. No, that doesn’t make it Apple’s problem, but most software companies are taking precautions these days anyway, for their users’ protection.
At the same time, I usually take the stance that if somebody wants to find something out about me, they will whether I volunteer the information or not.
6. Brad
July 28th, 2008 @ 12:42 pm
Thanks for the comments everyone. Hopefully we’ll have a forum up in the future for discussions like this.
Sorry Jon, I’m going to stick to my guns on this one. My reasoning is, why not use HTTPS? Again, it can’t be hard to implement and James is right, if it’s supposed to be “Exchange like” then make it secure.
7. ben
July 28th, 2008 @ 3:30 pm
I did a packet sniff and it appeared that the asynchronous information is sent SSL over port 443.
With a web 2.0 page like this, isn’t it possible that the basic page template is non-SSL, but all asynchronous calls for data are done over SSL?
In other words, are you guys SURE this isn’t secure, or are you just guessing because it doesn’t say https:// in the URL?
8. jon
July 28th, 2008 @ 3:45 pm
That is very possible Ben. Thanks for doing the legwork and letting us know. I’d like to do a sniff when I get home today and I’ll look into it. Note that the source of the info was not from captures that we had performed. I also find it funny that if you are correct that no one else has caught it, that I am aware of, and that everyone assumed it to be true. Oh, the power of assumption.
To back up the people who have posted comments, we haven’t actually argued the validity of the post yet, but why it is (or isn’t :)) important to pass some info via HTTPS.
9. Brad
July 28th, 2008 @ 3:55 pm
The source of the info was from the article on Daring Fireball.net and was not verified by us. I simply gave my opinion on that post. We will try to conduct our own tests and update the post if necessary. Thanks for the heads up ben.
10. Jonathan
July 30th, 2008 @ 1:09 pm
Good stuff to know – at least Apple is taking security into consideration, even if they do still leave email out. Now I’ll feel better about eventually buying a Mac when I’m able… :)
11. Brad
July 30th, 2008 @ 1:46 pm
It’s still interesting to me though that they only use SSL on part of the site and not all of it. As some people have commented, it’s not just my password and credit card number that I want encrypted…
12. John
August 9th, 2008 @ 7:47 am
There’s no need to use https/ssl with email. Why? Email is more analogous to postcards than mail. Any sysadmin can read email that passes through his/her systems. If you want to protect email, you need to use digital certificates or PGP/GPG to encrypt the message.
Without proper encryption, sensitive info should NEVER be sent via email.
13. Jon
August 9th, 2008 @ 10:09 pm
Bwahahahaha… You can always count on someone named John/Jon to make some sense of a situation!
14. Mike
August 21st, 2008 @ 8:45 am
The “trick” to use https instead of http, as said by the Apple help desk, does not work for me.com. No way to switch to https. So all confidential address book data and all confidential and personal calendar data is transferred unencrypted. Don’t use MobileMe until this is fixed!
Regarding “ssl in the background” – this is not possible with AJAX, as it’s a different “domain” and prohibited by the browser.
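The browser rule behind that last point is the same-origin policy: an origin is the (scheme, host, port) triple, so http://www.example.test and https://www.example.test are different origins even though the host is identical, and an XMLHttpRequest from the plaintext page to the https:// origin was blocked by browsers of that era (this predates CORS). The function below is an added example for this page, not code from Apple or from the commenter; the example.test host names are constructed.

```python
from urllib.parse import urlsplit

# Ports the browser assumes when the URL does not name one explicitly.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple a browser treats as the origin.

    Scheme and host are case-insensitive, and an omitted port means the
    scheme's default, so http://a.test/ and http://a.test:80/ are one origin.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(page_url, request_url):
    """True when a script on page_url may read a response from request_url
    under the plain same-origin policy (no CORS headers considered)."""
    return origin(page_url) == origin(request_url)


if __name__ == "__main__":
    page = "http://www.example.test/mail/"
    for target in ("http://www.example.test/mail/inbox?format=json",
                   "https://www.example.test/mail/inbox?format=json",
                   "http://www.example.test:8080/mail/"):
        print(f"{target:55s} same origin as page: {same_origin(page, target)}")
```

The middle case is the “SSL in the background” scenario from the comment: same host and path, but the scheme change alone makes it a different origin, so the page would have had to be served over https:// itself for its data calls to go there.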