Jens Alfke on MobileMe Web App Security

Jens Alfke, regarding the security of Apple’s MobileMe web apps:

The most glaring problem is that, since the main page resource (HTML and JavaScript) aren’t loaded over SSL, there’s no way to tell whether they’re genuine. By now everyone ought to be aware of DNS forgery attacks; if the coffeeshop where you’ve gone online has an infected WiFi router, it would be nice to know whether its DNS record for “me.com” points to Apple’s servers or to a phishing site. But without SSL there’s no way to tell. Obviously, if you’ve loaded a hacked forgery of me.com’s web-app, any assurances made about “authenticated handling of JSON exchanges” are completely pointless, because your JSON exchanges are probably going straight to a pwned server in Uzbekistan.

Monday, 18 August 2008