Comments on: Apple’s MobileMe Web Apps don’t use HTTPS

By: Mike

Mike — Thu, 21 Aug 2008 13:45:05 +0000

The “trick” to use https instead of http, as said by the Apple help desk, does not work for me.com. No way to switch to https. So all confidential address book data and all confidential and personal calendar data is transferred unencrypted. Don’t use MobileMe until this is fixed!

Regarding “ssl in the background” – this is not possible with AJAX, as it’s a different “domain” and prohibited by the browser.

By: Jon

Jon — Sun, 10 Aug 2008 03:09:22 +0000

Bwahahahaha… You can always count on someone named John/Jon to make some sense of a situation!

By: John

John — Sat, 09 Aug 2008 12:47:16 +0000

There’s no need to use https/ssl with email. Why? email is more analogous to post cards than mail. Any sysadmin can read email that passes through his/her systems. If you want to protect email, you need to use digital certificates or PGP/GPG to encrypt the message.

without proper encryption sensitive info should NEVER be sent via email.

By: Brad

Brad — Wed, 30 Jul 2008 18:46:05 +0000

It’s still interesting to me though that they only use SSL on part of the site and not all of it. As some people have commented, it’s not just my password and credit card number that I want encrypted…

By: Jonathan

Jonathan — Wed, 30 Jul 2008 18:09:12 +0000

Good stuff to know – at least Apple is taking security into consideration, even if they do still leave email out. Now I’ll feel better about eventually buying a Mac when I’m able… :)

By: Brad

Brad — Mon, 28 Jul 2008 20:55:37 +0000

The source of the info was from the article on Daring Fireball.net and was not verified by us. I simply gave my opinion on that post. We will try to conduct our own tests and update the post if necessary. Thanks for the heads up ben.

By: jon

jon — Mon, 28 Jul 2008 20:45:33 +0000

That is very possible Ben. Thanks for doing the legwork and letting us know. I’d like to do a sniff when I get home today and I’ll look into it. Note that the source of the info was not from captures that we had performed. I also find it funny that if you are correct that no one else has caught it, that I am aware of, and that everyone assumed it to be true. Oh, the power of assumption.

To back up the people who have posted comments, we haven’t actually argued the validity of the post yet, but why it is (or isn’t :)) important to pass some info via HTTPS.

By: ben

ben — Mon, 28 Jul 2008 20:30:06 +0000

I did a packet sniff and it appeared that the asynchronous information is sent SSL over port 443.

With a web 2.0 page like this, isn’t it possible that the basic page template is non-SSL, but all asynchronous calls for data are done over SSL?

In other words, are you guys SURE this isn’t secure, or are you just guessing because it doesn’t say https:// in the URL?

By: Brad

Brad — Mon, 28 Jul 2008 17:42:51 +0000

Thanks for the comments everyone. Hopefully we’ll have a forum up in the future for discussions like this.

Sorry Jon, I’m going to stick to my guns on this one. My reasoning is, why not use HTTPS? Again, it can’t be hard to implement and James is right, if it’s supposed to be “Exchange like” then make it secure.

By: Jonathan

Jonathan — Mon, 28 Jul 2008 16:55:15 +0000

My argument for needing HTTPS is simply that although people *shouldn’t* put personal information in email, etc., is that they still *do*. No, that doesn’t make it Apple’s problem, but most software companies are taking precautions these days anyway, for their users’ protection.

At the same time, I usually take the stance that if somebody wants to find something out about me, they will whether I volunteer the information or not.