“Prince McLean” writing for AppleInsider on the security of the new MobileMe web apps:
Update: Jesse Hollington claims that SSL encryption is only used for reading, and that writes are sent from the browser to me.com in the clear. And I’ll mention again that with Gmail and Google Calendar, you get SSL for free — I can’t see how there’s any excuse for MobileMe not to at least offer the option of using SSL for everything.
Update 2: Looking at traffic with tcpdump, it appears to me that nothing other than your initial authentication/login is encrypted. All the XMLHttpRequest data, both reads and writes, appears to be sent as gzip-compressed plain text. This is not secure at all.
★ Sunday, 17 August 2008