Re: MobileMe: http not https?



Er...http? Not https? Seems a little slack, doesn't it?

Taken from http://www.appleinsider.com/articles/08/08/15/inside_mobileme_web_3_and_web_client_server_apps.html

What

No SSL?
Data transaction security in MobileMe's web apps is based upon authenticated handling of JSON data exchanges between the self contained JavaScript client apps and Apple's cloud, rather than the SSL web page encryption used by HTTPS. The only real web pages MobileMe exchanges with the server are the HTML, JavaScript, and CSS files that make up the application, which have no need for SSL encryption following the initial user authentication. This has caused some unnecessary panic among web users who have equated their browser's SSL lock icon with web security. And of course, Internet email is not a secured medium anyway once it leaves your server.

If Apple applied SSL encryption in the browser, it would only slow down every data exchange without really providing perfect security, and instead present what could be a false sense of security that distracts from real security threats.

One other advantage held by MobileMe in terms of security is that Apple runs the entire show. There's no third party ads being injected into Apple's MobileMe apps, no external scripts introducing search results, alerts, or buddy lists that could potentially intercept secure transactions with the server, nor any opportunities for Adobe Flash, Microsoft's Silverlight, or other potentially vulnerable plugins to expose unforeseen security threats. A simplified trust relationship equates to stronger security.
