
MobileMe Web Interface Insecure, But Other Apps Get It Right

Lewis Butler (apparently) - 06:41am Aug 21, 2008 PST
via email

> while Google only recently added complete-session SSL to Gmail as an
> option.

That's not exactly true. It was always possible to have a
complete-session SSL connection to Gmail; you just had to specifically
load https://gmail.google.com and your connection would be SSL and it
would STAY SSL. What Gmail added was an option to your account to force
SSL to always be enabled on your account, regardless of how you log in.



Lewis Butler (apparently) - Aug 22, 2008 5:06 am (#1 Total: 3)  

via email  

Re: MobileMe Web Interface Insecure, But Other Apps Get It Right

On 21-Aug-2008, at 08:41, LewisGmail wrote:
>> while Google only recently added complete-session SSL to Gmail as an
>> option.
>
> That's not exactly true. It was always possible to have a
> complete-session SSL connection to Gmail; you just had to specifically
> load https://gmail.google.com and your connection would be SSL and it
> would STAY SSL. What Gmail added was an option to your account to force
> SSL to always be enabled on your account, regardless of how you log in.

Oh, and I do want to add that enabling this option does make Gmail
MUCH slower, even on a very fast 15mbit connection.

David Shaw - Aug 22, 2008 5:20 am (#2 Total: 3)  

Guest User  

Re: MobileMe Web Interface Insecure, But Other Apps Get It Right

I don't use MobileMe in any form, but it could be that the JSON calls
(essentially RPC calls using JavaScript-formatted data objects) could
be made over SSL while the UI is not. If that's the case, then the
data that actually matters would be encrypted, while the non-critical
stuff like the buttons and widgets would not.

One of the primary reasons that people use JSON over something like
the RPC that GWT uses is that it allows you to make calls to servers
other than the one from which the pages originated.

This is all speculation of course -- I'm not willing to pay $100 a
year for services that don't have any value if you don't use an iPhone
(and I don't -- I have a 3.5G Nokia E71 that I love).

sglewis - Aug 26, 2008 2:48 pm (#3 Total: 3)  

Re: MobileMe Web Interface Insecure, But Other Apps Get It Right

The article is a bit unfair in excusing Yahoo and Hotmail due to being "free" unlike MobileMe. MobileMe is more than Webmail, it's push mail to an iPhone, it's IMAP to an email client, and many more non-email related services.

If you want IMAP from Yahoo or Hotmail to your desktop, then they too are paid services and by the article's tone should offer SSL webmail.


