MobileMe: Apple Apologizes Again

It started innocently enough. Prince McLean over at AppleInsider commented in passing:

Data transaction security in MobileMe’s web apps is based upon authenticated handling of JSON data exchanges between the self contained JavaScript client apps and Apple’s cloud, rather than the SSL web page encryption used by HTTPS. The only real web pages MobileMe exchanges with the server are the HTML, JavaScript, and CSS files that make up the application, which have no need for SSL encryption following the initial user authentication. This has caused some unnecessary panic among web users who have equated their browser’s SSL lock icon with web security. And of course, Internet email is not a secured medium anyway once it leaves your server.
If Apple applied SSL encryption in the browser, it would only slow down every data exchange without really improving security, and instead only provide pundits with a false sense of security that distracts from real security threats.

And the web went wild. Daniel Eran Dilger took the crown off to retort to them all over at Roughly Drafted:

For the record: Apple’s MobileMe desktop email can be secured via encrypted SMTP and IMAP; Apple presents details on how to ensure this is set up, as users may not have this enabled by default. Address Book and iCal sync on Mac OS X is secured automatically when it transacts with Apple’s server cloud. Windows apps use the same security when syncing their data via Outlook through iTunes for Windows. The iPhone and iPod touch also support encrypted email and all push messages are also secured via encryption.

Our take? If you're super sensitive about your data, only ever browse via SSL over a VPN while sending with a strong PGP key, and hope no intelligence service is willing to spend serious money and assets on snooping in your general direction.

Other than that, use common sense. Don't risk information you can't afford getting out, and take advantage of every security feature your chosen system implements.