
MobileMe doesn’t use SSL but don’t worry

18 August 2008

There’s been a bit of a ruckus recently over MobileMe not encrypting its pages. Allegedly, this leaves your email open to abuse by all the internet’s miscreants.

Fortunately, this just isn’t the case. MobileMe using SSL (the ‘S’ in HTTPS) would only protect your data while it is being transmitted to and from the server. And contrary to popular belief, this is among the least likely avenues for a potential attacker to try to get your data.

Much more likely attacks for stealing personal data such as email would involve:

  • exploiting a vulnerability in the client system to get control of or information from the system
  • exploiting one’s tendency to open links in email via a phishing scam
  • exploiting one’s tendency to use open wifi networks via a malicious redirection scheme on an open wifi network
  • exploiting bugs in the application on the server to get access to unauthorised or administrative areas
  • exploiting lax security at Apple to get the information (if the attacker was an employee).

None of these problems are solved by SSL. (And to be honest, who really wants to read your email anyway? You don’t use the same password for your bank account, right?)

For more information on how SSL doesn’t actually solve most internet security problems, have a read of these articles:

 
Posted by Chris Broadfoot at 2008-08-18 23:47:47
I’m not sure about specifics, but the other reason why I use SSL for GMail (not just login) is so that a MITM attack wouldn’t leave the cookie out in the open.
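Chris’s worry is that a session cookie travels in the clear whenever the browser makes a plain-HTTP request. The following added example (not code from this post, MobileMe or Gmail) takes a set of constructed Set-Cookie headers and works out which cookies a browser would still attach to a plain-HTTP request, and therefore which ones a passive listener or MITM on an open wifi network could read. The cookie names and values are made up for illustration; the only real rule applied is that a cookie carrying the Secure attribute is never sent over HTTP.

```python
"""Added example (not part of the original post): which cookies would be
exposed on a plain-HTTP request, given the Set-Cookie headers a site sent.
Uses only the Python standard library; no network access."""
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers; names and values are invented.
SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",                # no Secure flag
    "session_secure=def456; Path=/; Secure; HttpOnly",  # Secure: HTTPS only
    "prefs=dark; Path=/",                               # no Secure flag
]


def cookies_sent_over(scheme: str, headers: list[str]) -> list[str]:
    """Return the (sorted) names of cookies a browser would attach to a
    request made with `scheme` ("http" or "https").

    A cookie with the Secure attribute is only ever transmitted over an
    encrypted connection, so it cannot appear on the wire in clear text.
    Everything else is sent on both schemes and is readable by anyone
    who can see the unencrypted traffic."""
    jar = SimpleCookie()
    for header in headers:
        jar.load(header)  # parse one Set-Cookie header into the jar
    sent = []
    for name, morsel in jar.items():
        if morsel["secure"] and scheme != "https":
            continue  # Secure cookie: withheld from plain-HTTP requests
        sent.append(name)
    return sorted(sent)


def exposed_in_clear(headers: list[str]) -> list[str]:
    """Cookies that would cross the network unencrypted if any request to
    the site is made over plain HTTP (e.g. a page that is not served
    under HTTPS, or a redirect injected by a hostile wifi gateway)."""
    return cookies_sent_over("http", headers)


if __name__ == "__main__":
    print("sent over http :", cookies_sent_over("http", SET_COOKIE_HEADERS))
    print("sent over https:", cookies_sent_over("https", SET_COOKIE_HEADERS))
    print("exposed in clear:", exposed_in_clear(SET_COOKIE_HEADERS))
```

The point of the check is the one Chris makes: using HTTPS only for the login page does not protect the session cookie unless that cookie is also marked Secure, because the browser will happily resend an unflagged cookie the moment any request to the same site goes over plain HTTP.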
 
Posted by Matt Ryall at 2008-08-19 07:47:53
That means you use it for transport encryption, Chris. But without authentication via certificates — or knowing who the other end of the connection is — you can’t be sure that you’re sending the data to the right person.

It could just look like Gmail, but is actually a site set up by a phisher/wifi scammer/etc.
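The distinction Matt draws in his reply, and the one the post itself relies on when it says SSL only protects data in transit, is between a connection that is merely encrypted and one where the client has also authenticated who is on the other end. The added example below (not code from this post or from any Apple or Google product) builds two Python TLS client contexts and reports what each actually guarantees: one that encrypts but accepts any certificate, and the standard library’s default context, which verifies the certificate chain and the hostname. It runs offline; no connection is opened.

```python
"""Added example (not part of the original post): encryption alone versus
an authenticated TLS connection, expressed as Python ssl.SSLContext settings.
Standard library only; nothing connects to the network."""
import ssl


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the protection a client-side SSLContext really gives.

    Any TLS context encrypts the bytes on the wire. Only a context that
    requires a certificate *and* checks that it names the host we asked
    for lets the client know it is talking to the intended server rather
    than to a look-alike site or an interposed wifi gateway."""
    verifies_chain = ctx.verify_mode == ssl.CERT_REQUIRED
    checks_name = bool(ctx.check_hostname)
    return {
        "encrypts_transport": True,
        "verifies_certificate": verifies_chain,
        "checks_hostname": checks_name,
        "authenticates_server": verifies_chain and checks_name,
    }


def encrypt_only_context() -> ssl.SSLContext:
    """A context that encrypts but accepts any certificate from anyone.

    This is what 'just use SSL' amounts to when verification is switched
    off: the session is private between the two endpoints, but the client
    has no idea whether the far endpoint is the real site."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be disabled before verify_mode can be CERT_NONE
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def authenticated_context() -> ssl.SSLContext:
    """The default client context: verifies the chain against the system
    trust store and requires the certificate to match the requested host."""
    return ssl.create_default_context()


if __name__ == "__main__":
    for label, ctx in (("encrypt only", encrypt_only_context()),
                       ("authenticated", authenticated_context())):
        print(f"{label:14s} {describe_context(ctx)}")
```

Both contexts would show a padlock-style "encrypted" state on the wire, which is why encryption on its own does not answer the question Matt raises; only the second one fails the handshake when the certificate presented belongs to somebody other than the host that was requested.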
 
Posted by BartVB at 2008-08-29 15:55:28
Sure, there are easier/more effective ways to attack your average user. And indeed, your average user is not very likely to get an attack that’s aiming to uncover on what night Joe Average is going bowling.

But IMO that’s not the point. The point is that _I_ want to keep my data as secure as possible and sending all my calendar and contact information in the clear over the public internet is not my idea of secure. With SSL I can check if I’m really talking to me.com. It’s not rocket science to check an SSL connection if you have a tiny bit of computer knowledge. It might not help Joe Average who will happily click ‘Allow’ but it would definitely help me.

Using SSL is not an end all, be all solution but it would be much, much, much better than the current situation where I don’t even have the option to encrypt all that private data. There are always ways to break any form of security but Apple should at least try to provide some form of it. If you extrapolate your argument you could say that Apple could also drop this whole password thing because passwords are annoying to remember and it takes more time to login if you have to enter that password all the time?

IMO stating that Apple is doing The Right Thing(tm) in this case is, well, rather strange :)
 
