MobileMe No SSL




Beaner
Jul 14, 2008, 02:51 AM
Guys, has anyone noticed that MobileMe (www.me.com) is not SSL for email or contacts ? Is anyone concerned by this - I am pretty worried about my emails/contacts being accessible by man in the middle type attacks.



ShepUK
Jul 14, 2008, 06:11 AM
Guys, has anyone noticed that MobileMe (www.me.com) is not SSL for email or contacts ? Is anyone concerned by this - I am pretty worried about my emails/contacts being accessible by man in the middle type attacks.

Yup. Seems like a pretty major omission for a service that's specifically aimed at roaming users. Much as I'd love to switch all my "cloud" computing over to me.com, this is pretty much a deal-breaker as far as I'm concerned - guess I'll be sticking with gmail.

Diaresi
Jul 14, 2008, 07:24 AM
Imagine how much more MobileMe would've got screwed up at launch if it was all SSL :D

I was thinking this too and I wondered if the interface was unencrypted and all the "Web 2.0" goodness was done over SSL. But alas, Safari's activity menu shows it's all done unencrypted while the account area IS encrypted.

To not give an option is quite bad, since Google do for most of their services (I can understand why they don't send everyone over SSL by default - it would kill their servers most likely).

cv01
Aug 8, 2008, 12:37 PM
This is pure madness if you are in an unprotected Wifi-spot, omg, and the number of replies here show something even worse: people don't even care... :eek::eek::eek::mad:

TLewis
Aug 8, 2008, 01:56 PM
Guys, has anyone noticed that MobileMe (www.me.com) is not SSL for email or contacts ? Is anyone concerned by this - I am pretty worried about my emails/contacts being accessible by man in the middle type attacks.
Bleh, I've been whining about this, here, for some time. Welcome to the club. :p

As far as I can tell, none of the web services are secure, except for the account services. However, it seems that non-web access to MobileMe can be secure. Synchronization (on the PC) appears to be secure, so that takes care of contacts and calendars (assuming, of course, that you've bought Outlook from Apple's competitor). Email access can be secure if you configure your client to use the secure mechanism:
IMAP: port 993, SSL
SMTP: port 587, TLS
Bottom line: if you only need contacts, calendar, and email, avoid the web interfaces, and you can be OK.
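An added example (not from any poster in this thread, and not Apple's code) to check a mail client's transport settings against the port/encryption pairings the post above recommends. The 143/STARTTLS and 465/implicit-TLS rows are an assumption about general mail setups, not something the thread states; the `MailAccount` shape and the function names are constructed for the example.

```python
import ssl
from dataclasses import dataclass

# Pairings in which the login and the mail itself are protected by TLS. The first two
# rows are what the post recommends for MobileMe; the other two are the standard
# alternatives (assumption, not from the thread).
SECURE_COMBINATIONS = {
    ("imap", 993, "ssl"),       # implicit TLS from the first byte
    ("imap", 143, "starttls"),  # cleartext connect, upgraded before login
    ("smtp", 587, "starttls"),  # submission port, upgraded before login
    ("smtp", 465, "ssl"),       # implicit TLS submission
}


@dataclass
class MailAccount:
    """Constructed representation of what a client's account dialog exposes."""
    name: str
    imap_port: int
    imap_encryption: str   # "ssl", "starttls" or "none"
    smtp_port: int
    smtp_encryption: str


def audit_account(acct):
    """Return a list of findings; an empty list means both legs are protected."""
    findings = []
    legs = (("imap", acct.imap_port, acct.imap_encryption),
            ("smtp", acct.smtp_port, acct.smtp_encryption))
    for proto, port, enc in legs:
        enc = enc.lower()
        if enc == "none":
            findings.append(f"{proto}: port {port} with no encryption; "
                            "credentials and mail travel in the clear")
        elif (proto, port, enc) not in SECURE_COMBINATIONS:
            findings.append(f"{proto}: port {port} with {enc} is not a standard "
                            "pairing; the client may fail or fall back")
    return findings


def client_tls_context():
    """Context a client should use for the 993/465 legs: verification on, TLS 1.2+.

    On a public hotspot the risk is not only passive sniffing but a box that answers
    for the mail host with its own certificate; CERT_REQUIRED makes that fail loudly.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for acct in (MailAccount("as recommended", 993, "ssl", 587, "starttls"),
                 MailAccount("legacy defaults", 143, "none", 25, "none")):
        print(acct.name, "->", audit_account(acct) or "ok")
```

`client_tls_context()` is what you would hand to `imaplib.IMAP4_SSL(host, 993, ssl_context=...)` or `smtplib.SMTP(host, 587).starttls(context=...)`; the point of the audit is that "SSL" ticked on the wrong port is a configuration that silently does nothing useful.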

swingerofbirch
Aug 8, 2008, 02:00 PM
Mail just came up with this message out of the blue around 1 PM eastern:

I don't know what to click.....
http://att.macrumors.com/attachment.php?attachmentid=129033&stc=1&d=1218218350

tubechallenger
Aug 8, 2008, 02:02 PM
I just got that, clicked Continue and nothing happened ... haven't been able to connect to email for about 15 minutes now.

superfula
Aug 8, 2008, 02:08 PM
I just came here to see if anyone else was having problems. Looks like I'm not alone

Cadium
Aug 8, 2008, 02:10 PM
I'm getting the same issue, and e-mail isn't being pushed to my iPhone either.

danny_w
Aug 8, 2008, 02:11 PM
Bleh, I've been whining about this, here, for some time. Welcome to the club. :p

As far as I can tell, none of the web services are secure, except for the account services. However, it seems that non-web access to MobileMe can be secure. Synchronization (on the PC) appears to be secure, so that takes care of contacts and calendars (assuming, of course, that you've bought Outlook from Apple's competitor). Email access can be secure if you configure your client to use the secure mechanism:
IMAP: port 993, SSL
SMTP: port 587, TLS
Bottom line: if you only need contacts, calendar, and email, avoid the web interfaces, and you can be OK.
SSL isn't working for me. I have had many intermittent issues with SSL over the last few months, both at home (on 2 computers) and at work. Apple really needs to get their act together.

swingerofbirch
Aug 8, 2008, 02:11 PM
MobileMe Status hasn't been updated but you can always find the latest on these issues at http://leblogdufailure.blogspot.com

d21mike
Aug 8, 2008, 02:32 PM
Bleh, I've been whining about this, here, for some time. Welcome to the club. :p

As far as I can tell, none of the web services are secure, except for the account services. However, it seems that non-web access to MobileMe can be secure. Synchronization (on the PC) appears to be secure, so that takes care of contacts and calendars (assuming, of course, that you've bought Outlook from Apple's competitor). Email access can be secure if you configure your client to use the secure mechanism:
IMAP: port 993, SSL
SMTP: port 587, TLS
Bottom line: if you only need contacts, calendar, and email, avoid the web interfaces, and you can be OK.

I did not remember setting these values in Outlook but they are set that way. Maybe it is the default for IMAP Connections. Checked my iPhone and that is the automatic settings as well.

I guess another reason to avoid the MM Web Interface (which I do anyway).

petvas
Aug 8, 2008, 03:11 PM
Push email on my iPhone works, as does the MobileMe Website.
Mail.app can't connect to mail server...

petvas
Aug 8, 2008, 03:21 PM
UPDATE: It seems to be working now

jc1350
Aug 8, 2008, 03:30 PM
This is pure madness if you are in an unprotected Wifi-spot, omg, and the number of replies here show something even worse: people don't even care... :eek::eek::eek::mad:

I care. I've been playing with the trial account and can say I have had zero problems with MobileMe (none that I really noticed anyway). I signed up under .mac just 2 days before the big switch.

Anyway, this lack of SSL on the webapps really makes no sense. They enabled it with the account management part. It really bugs me that a FOR-FEE service provided by a technology company doesn't bother to offer SSL.

I have a real problem - I love the photo gallery in mobileme. It's perfect for what I do (family stuff). But, I won't pay one penny without SSL. It's just stupid.

Yet one more thing you get for free from Google et al. that you don't get by paying Apple.

TLewis
Aug 8, 2008, 03:46 PM
I have a real problem - I love the photo gallery in mobileme. It's perfect for what I do (family stuff). But, I won't pay one penny without SSL. It's just stupid.
Uh, as much as I like google, I don't think google's web albums (picasa) supports SSL, either.

Google supports SSL for some things, but not others.

jc1350
Aug 8, 2008, 03:55 PM
Uh, as much as I like google, I don't think google's web albums (picasa) supports SSL, either.

Google supports SSL for some things, but not others.

For the writing of files, they should (at least the logon process). It's the logon that needs the encryption the most. With mobile me, it doesn't matter if you're logging in for mail or to upload photos...it's one unified logon that should be protected.

psywzrd
Aug 8, 2008, 04:08 PM
Has anyone mentioned this to them via the support chat?

TLewis
Aug 8, 2008, 04:09 PM
For the writing of files, they should (at least the logon process). It's the logon that needs the encryption the most. With mobile me, it doesn't matter if you're logging in for mail or to upload photos...it's one unified logon that should be protected.
Well, the MM web logins do appear to be secure, although everything afterward seems to be unencrypted, except for the account settings. I assume that google's logins are also secure, but I don't know that for a fact (gmail and reader can be secure -- don't know about anything else).

jc1350
Aug 8, 2008, 05:25 PM
Well, the MM web logins do appear to be secure, although everything afterward seems to be unencrypted, except for the account settings. I assume that google's logins are also secure, but I don't know that for a fact (gmail and reader can be secure -- don't know about anything else).

You're right...I was too stupid to notice. The logon does use SSL. Well...I'll stop my bitching now. :D Although I do wish iDisk used encryption for uploads and downloads for the non-public directories.

tony4d
Aug 8, 2008, 07:01 PM
I noticed this right away:

http://forums.macrumors.com/showthread.php?t=518376

Although, I hadn't set up mobileme with a desktop mail client yet. I just did because someone claimed imap ssl (port 993) worked. In fact, it does :D Thanks for the heads up on that.

Anyway, yea, of course login and account management is ssl. That's been web 101 for some time. None of the web apps being ssl is just dumb though. I realize google does the same thing with the gmail web interface, but that's not an excuse.

These are all consumer services, sure, but that doesn't mean I'm not just as concerned about privacy as businesses are. I don't know about you guys, but I want to know that my private data is traveling across the internet encrypted!

d21mike
Aug 8, 2008, 07:24 PM
Well, the MM web logins do appear to be secure, although everything afterward seems to be unencrypted, except for the account settings. I assume that google's logins are also secure, but I don't know that for a fact (gmail and reader can be secure -- don't know about anything else).

You're right...I was too stupid to notice. The logon does use SSL. Well...I'll stop my bitching now. :D Although I do wish iDisk used encryption for uploads and downloads for the non-public directories.

How about using Encrypted ZIP files for iDisk backup or shared storage?

TLewis
Aug 8, 2008, 08:40 PM
You're right...I was too stupid to notice. The logon does use SSL. Well...I'll stop my bitching now. :D Although I do wish iDisk used encryption for uploads and downloads for the non-public directories.
Well, vista can use https for idisk access, and so I assume that OS X can, too, but I don't know how.

TLewis
Aug 8, 2008, 08:45 PM
How about using Encrypted ZIP files for iDisk backup or shared storage?
Well, you can do that, but aren't encrypted zip files pretty insecure, too?

You're probably better off using truecrypt or gpg.

d21mike
Aug 8, 2008, 11:51 PM
Well, you can do that, but aren't encrypted zip files pretty insecure, too?

You're probably better off using truecrypt or gpg.

Not if you use the STRONG AES Encrypted ZIP Files. New for PKZIP and WinZip for the last 3-5 years (not sure exactly when it came out). The older encryption (which is what I think you are talking about) was not that strong.

However, when I wrote that I wasn't thinking that you can use SSL for iDisk. At least I can on Windows Network Drive. I am on Vista. So if you have no need to make the files smaller you can just use SSL.

jc1350
Aug 9, 2008, 01:46 AM
The built-in idisk connection on Mac (the pretty purple icon) uses http. To get https you have to map it via Finder like any other network share.

So, I guess I'm set. I'll let my trial run and pay for it near the end.

Silly that Apple doesn't default to https with the built-in idisk mapping.

cv01
Aug 9, 2008, 07:21 AM
Has anyone mentioned this to them via the support chat?

Yes, the transcript is here:
http://www.rantsandstuff.com/2008/07/28/apples-mobileme-web-apps-dont-use-https/

tony4d
Aug 15, 2008, 12:36 PM
Hey everyone, appleinsider is reporting that ssl doesn't matter at me.com! I posted a comment about their article:

http://forums.appleinsider.com/showthread.php?p=1293874#post1293874

TLewis
Aug 15, 2008, 12:44 PM
Hey everyone, appleinsider is reporting that ssl doesn't matter at me.com!
Meh.

I think that article is so full of fail, that it's not worth responding to it.

tony4d
Aug 15, 2008, 12:51 PM
Meh.

I think that article is so full of fail, that it's not worth responding to it.

It's a good article, and the iPhone and MobileMe series of articles they've been doing are actually very good in my opinion. What's so bad about the article?

Cadium
Aug 15, 2008, 12:59 PM
Hey everyone, appleinsider is reporting that ssl doesn't matter at me.com! I posted a comment about their article:

http://forums.appleinsider.com/showthread.php?p=1293874#post1293874
It doesn't matter on the me.com website with the web applications but it does matter when you are using another mail client (Apple Mail, Mail on the iPhone, etc).

TLewis
Aug 15, 2008, 01:14 PM
What's so bad about the article?
Unbelievably bad security info, in my opinion.

TLewis
Aug 15, 2008, 01:18 PM
It doesn't matter on the me.com website with the web applications but it does matter when you are using another mail client (Apple Mail, Mail on the iPhone, etc).
I think you have that backwards: the me.com website doesn't appear to have security for most pages (logging in and account settings being the exceptions that I know about). I believe the mail clients can be secure, but I do not know if the default settings make them secure (you may have to change settings to make them secure).

Cadium
Aug 15, 2008, 01:38 PM
I think you have that backwards: the me.com website doesn't appear to have security for most pages (logging in and account settings being the exceptions that I know about). I believe the mail clients can be secure, but I do not know if the default settings make them secure (you may have to change settings to make them secure).
By default, when configuring a MobileMe account in Apple Mail or iPhone Mail, your account is configured to use SSL. The reason why the me.com web applications do not require SSL is that things are secured on a lower level (through the SproutCore JavaScript engine and JSON authentication).

TLewis
Aug 15, 2008, 01:50 PM
By default, when configuring a MobileMe account in Apple Mail or iPhone Mail, your account is configured to use SSL. The reason why the me.com web applications do not require SSL is that things are secured on a lower level (through the SproutCore JavaScript engine and JSON authentication).
Umm, I don't know if that is how things are "supposed to work, but doesn't" (you never know with MM :D ), or if it's just wrong, but:
If you use a lan analyzer, you can clearly see that your MM webmail is not encrypted. If you use a public wifi point, any bad guys around you can see your email. (And, yes, I just re-verified this.)

And that's the acid test: if anyone can use a trivial lan analyzer and see their email, then anyone else could possibly do so, too.

Also, to be secure, SSL would have to be used at some point. I think people are getting confused by the fact that an apparently unencrypted page (http) can use SSL behind the scenes, and that fact may not be apparent to the user. It may appear that SSL is not being used, but it can be.

tony4d
Aug 15, 2008, 02:35 PM
By default, when configuring a MobileMe account in Apple Mail or iPhone Mail, your account is configured to use SSL. The reason why the me.com web applications do not require SSL is that things are secured on a lower level (through the SproutCore JavaScript engine and JSON authentication).

I can tell you don't know what you're talking about and instead are just repeating what you heard or read somewhere. For one thing, a javascript library is not "lower level" than protocol encryption like ssl.

Anyway, this is exactly my point. If you look at the http requests and responses made when browsing around the me.com web apps you'll clearly see that all json requests and responses are NOT using ssl. They are all normal http requests and responses. Furthermore, there is no encryption being performed by the sproutcore library, and even if there was it would be completely useless, cause someone could still capture your requests and decrypt it!

FYI, I pointed out in a previous post that apple does provide imap with ssl. So yea, normal desktop apps can use ssl, which is wonderful :) Here though, we're talking about the me.com apps, which are completely open to man in the middle attacks that can snoop and steal your private data.
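The "acid test" TLewis describes (a LAN analyzer showing webmail in the clear) and tony4d's point that the JSON requests go over plain HTTP both come down to one check: does any request on a non-TLS port carry a session cookie, credentials or an application body? The script below is an added example, not code from any poster or from Apple; it runs the check over a constructed capture (the cookie value, paths and hostnames are made up for the example) so that the result can be reproduced without touching a real network. In a real capture, port-443 payloads are ciphertext and are skipped for that reason.

```python
# Constructed sample: (destination port, payload bytes) as a capture tool would
# hand them over. Values are invented for the example.
SAMPLE_CAPTURE = [
    (80, b"GET /mail/inbox HTTP/1.1\r\nHost: www.me.com\r\n"
         b"Cookie: session=CONSTRUCTED-VALUE\r\n\r\n"),
    (80, b"POST /contacts/sync HTTP/1.1\r\nHost: www.me.com\r\n"
         b"Content-Type: application/json\r\n"
         b"Cookie: session=CONSTRUCTED-VALUE\r\n\r\n"
         b'{"contacts":[{"name":"A. Example"}]}'),
    (80, b"GET /images/logo.png HTTP/1.1\r\nHost: www.me.com\r\n\r\n"),
    # Port 443: an observer sees only the TLS record layer, modelled as opaque bytes.
    (443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b..."),
]


def parse_request(payload):
    """Split one cleartext HTTP request into (method, path, headers, body).

    Raises ValueError when the first line is not an HTTP request line.
    """
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_exposures(captures):
    """Return one finding per non-TLS request that reveals something worth protecting."""
    findings = []
    for port, payload in captures:
        if port == 443:
            continue  # encrypted leg: nothing readable here
        try:
            method, path, headers, body = parse_request(payload)
        except ValueError:
            continue  # non-HTTP traffic on a cleartext port
        exposed = []
        if "cookie" in headers:
            exposed.append("session cookie")
        if "authorization" in headers:
            exposed.append("credentials")
        if body and "json" in headers.get("content-type", ""):
            exposed.append("JSON body")
        if exposed:
            findings.append({"host": headers.get("host", "?"), "method": method,
                             "path": path, "exposed": exposed})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_exposures(SAMPLE_CAPTURE):
        print(f"{f['method']} http://{f['host']}{f['path']} exposes: "
              + ", ".join(f["exposed"]))
```

The cookie finding is the important one in the thread's context: once a session cookie crosses a hotspot in the clear, the fact that the login page itself used SSL no longer protects the account, which is why an encrypted login plus cleartext application pages is not a meaningful boundary.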