18 August 2008

MobileMe doesn’t use SSL but don’t worry

There’s been a bit of a ruckus recently over MobileMe not encrypting its pages. Allegedly, this leaves your email open to abuse by all the internet’s miscreants.

Fortunately, this just isn’t the case. MobileMe using SSL (the ‘S’ in HTTPS) would only protect your data while it is being transmitted to and from the server. And contrary to popular belief, this is among the least likely avenues for a potential attacker to try to get your data.

Much more likely attacks for stealing personal data such as email would involve:

  • exploiting a vulnerability in the client system to gain control of, or extract information from, the system
  • exploiting one’s tendency to open links in email via a phishing scam
  • exploiting one’s tendency to use open wifi networks, via a malicious redirection scheme on such a network
  • exploiting bugs in the application on the server to get access to unauthorised or administrative areas
  • exploiting lax security at Apple to get the information (if the attacker was an employee).

None of these problems are solved by SSL. (And to be honest, who really wants to read your email anyway? You don’t use the same password for your bank account, right?)

For more information on how SSL doesn’t actually solve most internet security problems, have a read of these articles: