Interesting People mailing list archives
iPhone and MobilMe syncing and encryption?
From: David Farber <dave () farber net>
Date: Mon, 28 Jul 2008 15:56:03 -0700
MobileMe is in my opinion a work just starting. It is buggy and restrictive. It seemed to be conceived to service simple users with just one computer. Lots of problems using it. They even screwed up the Exchange mechanisms , at least for me djf ________________________________________ From: Glenn Tenney CISSP CISM [gt-ip080725 () think org] Sent: Monday, July 28, 2008 5:31 PM To: David Farber Subject: iPhone and MobilMe syncing and encryption? ( for the IP list as you wish ) Before enabling syncing of calendar, contacts, and other data through MobileMe I'm trying to find an answer to the question: What data is, or is not, encrypted over the Net when syncing your calendar, contacts, email, or other application data between your desktop and iPhone through MobileMe. I've not been able to find anything completely definitive on Apple's web sites. I asked the Apple Support staff on the phoneline, and someone at a Genius bar and they didn't know either. For email, setting up an account on an iPhone allows an SSL setting for incoming mail only, not outgoing mail. The only other thing that I CAN find is that when using Exchange ActiveSync, SSL (and an enterprise certificate on your iPhone) is used for syncing to a corporate Exchange system (although, the Apple setup guide kb/HT2480 says " If it cannot do this, it will try a non-SSL connection.") So I did some simple tests: 1) With a browser going to http://www.me.com logging in uses https, but after that, everything is strictly http -- un-encrypted and in the clear... looking at your email, contacts, calendar, or even your iDisk. Trying to use https with me.com gives a page not found error. 2) Capturing packets with tcpdump while using iDisk on a Mac indicates that this uses http as well. tcpdump clearly shows the contents of files accessed from my iDisk being sent in the clear. So, it would seem that syncing data to/from MobileMe and an iPhone, or even with iDisk is being sent in the clear over the Net. Is enabling encryption an option that wasn't obvious? Or is encryption not even an option? What about applications that sync their data through MobileMe that are not calendar / contacts (e.g. OmniFocus) -- is that data sent in the clear too? Exchange ActiveSync on an iPhone might raise an interesting question... When an iPhone user wants to sync both Exchange and iCal contacts / calendars, this is only supported if you chose to sync your iCal through MobileMe and NOT through plugging in your iPhone via USB to iTunes. The interesting question is: is there any syncing through MobileMe of your Exchange contacts / calendars which would then put that data in the clear? Where on Apple's web site is there a description of what is and what is not encrypted when using MobileMe? If, as it seems from these brief observations, synced data is being sent in the clear, shouldn't Apple be advising iPhone users about this? I really am trying to find out what IS being encrypted here... to decide whether or how to sync data to my iPhone. Thanks -- Glenn Tenney CISSP CISM ------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com
Current thread:
- iPhone and MobilMe syncing and encryption? David Farber (Jul 28)