Security Weaknesses in MobileMe Web Interface

MobileMe had a rocky launch, and now a security weakness has come to light showing that its web interface does not adequately protect user sessions. Rich Mogull, writing at TidBITS, explains the problem: “although your initial login to MobileMe is encrypted, the rest of your session is transmitted in plain text. If anyone on your network decides they want to sniff your connection and read your email, there’s nothing to stop them.”

In addition, Apple’s handling of user authentication has another weakness: “the secure authentication page points to auth.apple.com while the rest of MobileMe uses the domain me.com. By breaking the bond between the digital certificate used by SSL to verify a domain, and the domain where most of the interaction takes place, users are vulnerable to redirection attacks as highlighted by the recent DNS vulnerability.”

Nevertheless, Mogull says that one shouldn’t worry too much. “While there’s a reasonable, if small, risk someone might sniff your connection when you are out in public, the odds of a redirection attack are extremely low.” But Apple will have to address these issues soon, along with the many other problems of MobileMe.
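The two weaknesses Mogull describes (a session that continues over plain HTTP after an encrypted login, and a login host whose certificate says nothing about the host the application actually runs on) are both visible in the login response itself. The following check is an added example written for this post, not code from Apple, TidBITS or MobileMe: it takes the `Set-Cookie` headers returned by a login, the login URL and the application URL, and reports cookies that lack the `Secure` or `HttpOnly` attribute, application traffic that is not HTTPS, and a login host whose registrable domain differs from the application host. The sample headers are constructed; the two-label domain comparison is a deliberate simplification that suffices for the `.com` hosts discussed here and is not a full public-suffix lookup.

```python
"""Audit a web login for the session-protection gaps described in the post."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def registrable_domain(hostname):
    # Simplification (assumption): keep the last two labels only.
    # Correct for auth.apple.com -> apple.com and www.me.com -> me.com,
    # but a real tool would consult the public-suffix list.
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_session(set_cookie_headers, login_url, app_url):
    """Return a list of findings (empty list means nothing was flagged)."""
    findings = []
    login, app = urlsplit(login_url), urlsplit(app_url)

    # Weakness 1: only the login is encrypted; the rest of the session is not.
    if app.scheme != "https":
        findings.append(
            f"application traffic to {app.hostname} is plain HTTP: the session "
            "is readable by anyone on the network path"
        )

    # Weakness 2: the certificate verified at login belongs to a different
    # domain than the one where the interaction takes place.
    if registrable_domain(login.hostname) != registrable_domain(app.hostname):
        findings.append(
            f"login host {login.hostname} and application host {app.hostname} "
            "are different domains: the TLS certificate seen at login does not "
            "vouch for the application host"
        )

    # Cookie attributes: a session cookie without Secure is sent over plain
    # HTTP as well, which is what makes sniffing the rest of the session useful.
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(
                    f"cookie {name}: missing Secure flag, so it is also sent over plain HTTP"
                )
            if not morsel["httponly"]:
                findings.append(f"cookie {name}: missing HttpOnly flag")
    return findings


# Constructed sample: headers a login endpoint might return (not captured from MobileMe).
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Domain=.me.com",
    "pref=en; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for finding in audit_session(SAMPLE_HEADERS,
                                 "https://auth.apple.com/login",
                                 "http://www.me.com/mail/"):
        print("-", finding)
```

The same function returns an empty list for a login whose cookies carry both flags, whose application URL is HTTPS, and whose login and application hosts share a domain, which is the configuration that closes both gaps the post describes.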