MobileMe Security Continued…

My thoughts exactly:


Reading my post below, I stated MobileMe uses SSL with login and account settings.  Compare that to this statement from AppleInsider:
“Data transaction security in MobileMe’s web apps is based upon authenticated handling of JSON data exchanges between the self contained JavaScript client apps and Apple’s cloud, rather than the SSL web page encryption used by HTTPS. The only real web pages MobileMe exchanges with the server are the HTML, JavaScript, and CSS files that make up the application, which have no need for SSL encryption following the initial user authentication. This has caused some unnecessary panic among web users who have equated their browser’s SSL lock icon with web security. And of course, Internet email is not a secured medium anyway once it leaves your server. 
“If Apple applied SSL encryption in the browser, it would only slow down every data exchange without really improving security, and instead only provide pundits with a false sense of security that distracts from real security threats.”
If, by this statement, the entire session is secure, why does the Account Settings tab use SSL?  Why would they need it?  This whole MobileMe ordeal continues to leave a bad taste in my mouth.

Comments