
My Biggest Complaint About Apple’s $99.95 .Mac Email - Not Secure

.mac webmail

I was trying to explain security differences between webmail pages in a discussion with colleagues recently.

I set up a trial .mac mail account and used my existing gmail account for comparison.

I was shocked to discover that the .mac webmail login page isn't even a secure page (https://). The web address is http://www.mac.com/WebObjects/Webmail.woa/689.

Now, if you change http:// to https://, it redirects back to http://. This is confusing because the .mac security policy clearly says “When you log in, .Mac uses industry-standard SSL encryption to protect the confidentiality of your member name and password.”

So apparently the SSL connection is used only for the authentication step, not for the page that serves the login form. From a security perspective this is an unfavorable arrangement.

Google’s Gmail loads for me by default https://google.com/accounts/…

Both webmail services do return you to an http:// page after the SSL login, though.

So why do people pay for .Mac mail (a hefty price at that) when it is proven that .Mac mail isn't as secure as Gmail, or other readily available email services, via the web interface?

A better question is why in the hell does .Mac support SSL through the Mail client (Apple's own email client), but not through the web interface?

Are the Apple cult consumers really this blind and ignorant?

Does any Apple supporter or advocate actually care about the integrity and quality of Apple's products?

This is very poor form by Apple.


41 Comments

  1. I hope your colleagues don’t rely on your advice because you don’t know what you’re talking about.

    The form itself is on a page accessed by an http URL, as you correctly point out, but you’ve assumed that your login details are sent back to that URL. They are not.

    An HTML form has two properties that define how the form is sent to the server, a “method” and an “action.” The method is how the form is sent, it’s either sent with a POST, where the contents of the form are enclosed in the content of the message, or with a GET where the contents of the form are encoded in to the URL. The form’s action property specifies the URL where the form contents should be sent.

    In this case, the form is sent to an https (secure) URL.

    Your user name and password are sent securely.

    To verify, view the source code of the URL you mention and search for “post”. The second form on the page is the webmail login form, and its action URL is an https (secure) URL.

    If someone was monitoring the data travelling between you and Apple’s servers, they would only see an empty form.

  2. For one who proclaims that someone else doesn't know what they are talking about, you surely missed the mark.

    What your post describes is the exact method listed in the security policy and applies AFTER you click ‘login’. User/Pass is sent securely when you login, hence during the authentication process, again as the security policy notates.

    However, if I am sniffing your traffic, since the page is not secure (https) I see your Username and Password, since there is no default SSL connection from the webmail server to your computer. That's why it is not as “secure”.

    Improve your reading comprehension before trying to take a swing like that. kkthxbai.

  3. notquiteleet said:

    [quote]”However if I am sniffing your traffic, since the page is not secure (https) I see your Username and Password since there is no default SSL connection from the webmail server to your computer. Thats why it is not as “secure””[/quote]

    That’s just it … you don’t see the user name and password because the form is submitted via SSL. The password is never sent unencrypted. The authentication - the sending of the password - is done via SSL. The form is shown by an http page but its contents are sent securely to an https URL.

    I read and re-read your original post carefully before posting and came to the conclusion that you believed that because the form was on an http (non-SSL) page that it was less secure than Google. You’ve just confirmed that that’s your belief with your comment.

    I’ve now run a packet sniffer during login to .mac and sure enough my password is never sent cleartext (unencrypted).

  4. Your previous commenters are tearing you a new one. All non-essential information is delivered via http for performance reasons. Ever use tcpflow? Try snooping port 443 when logging in, and observe Apple’s use of ssl before spouting off. When does the apology piece come out?

  5. Before you guys go any further with this, can tom, Mark or anyone else for that matter offer any sensible reason as to why gmail and yahoo have secure login pages and .mac accounts do not?

  6. recap: Apple has a secure web login for .Mac mail … gmail and Yahoo also have this, however they secure your login by securing the whole page, not just the login part (I assume). So in theory, while the Apple webpage is not secure, that same page allows for secure login to your mail.

    in summary - all 3 sites are secure for logins… Apple, gmail and Yahoo.

    The only other thing I would point out is you can use Apple’s Mail.app - which bypasses the whole issues… I would imagine any POP3 mail client could connect to .Mac mail… I’m guessing gmail could work this way too… but I would also guess Yahoo might not…

  7. To add to my previous post I want to point out one more thing from the article I just linked.

    Although the initial Gmail web page does not have your userid/password in it, it does have one piece of important information that you do want secured: the address (URL) of the web page that will accept, validate and process the userid/password that you enter. Theoretically, if the web page into which you enter a userid/password was sent to you via HTTP, it could have been intercepted and modified along the way. A bad guy could have changed the URL that validates the userid/password to one of his own making.

    Again, notquiteleet’s security concern is correct and valid.
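Comment 1 explains how a form's method and action decide where the credentials actually go, and comment 7 explains why a form delivered over plain http can still be rewritten in transit before the user types anything. The following script is added here as an example; it is not part of the original post or of Apple's .Mac code. It turns both points into a check a defender can run over saved page source: it lists every form that contains a password field, resolves the action URL against the page URL, and rates the combination of page scheme, form method and action scheme. The sample HTML and the example.com host names are constructed for the demonstration.

```python
"""Audit the login forms on a page: where each one posts, by which method,
and whether the page that delivered the form was itself fetched over TLS.

Added example for this discussion, not code from the original post or from
Apple/.Mac. The HTML below is constructed to resemble the situation debated
above (an http page whose login form posts to an https action); it is not
Apple's actual markup.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collect every <form> with its method, action and whether it holds an
    <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "method": (a.get("method") or "get").lower(),  # HTML default is GET
                "action": a.get("action") or "",                # empty action posts back to the page
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_login(page_url, form):
    """Rate one password form from a defender's point of view.

    cleartext          - the action is not https, so the credentials themselves
                         travel without TLS.
    credentials-in-url - a GET form puts the password in the query string, where
                         it lands in server logs and browser history.
    tamperable         - credentials go over TLS, but the form was delivered over
                         plain http, so a network attacker could have rewritten
                         the action before the user typed anything (comment 7).
    ok                 - page and action are both https.
    """
    page_scheme = urlsplit(page_url).scheme
    action_url = urljoin(page_url, form["action"])
    action_scheme = urlsplit(action_url).scheme
    if action_scheme != "https":
        return "cleartext", action_url
    if form["method"] != "post":
        return "credentials-in-url", action_url
    if page_scheme != "https":
        return "tamperable", action_url
    return "ok", action_url


def audit(page_url, html):
    """Return [(method, resolved_action_url, rating)] for every password form."""
    finder = LoginFormFinder()
    finder.feed(html)
    results = []
    for form in finder.forms:
        if not form["has_password"]:
            continue
        rating, action_url = classify_login(page_url, form)
        results.append((form["method"], action_url, rating))
    return results


# Constructed sample: an http page carrying a harmless search form and a login
# form that posts to an https URL, the pattern argued over in the comments.
SAMPLE_PAGE_URL = "http://webmail.example.com/login"
SAMPLE_HTML = """
<html><body>
<form method="get" action="/search"><input name="q"></form>
<form method="post" action="https://auth.example.com/login">
  <input name="user"><input type="password" name="pass">
</form>
</body></html>
"""

if __name__ == "__main__":
    for method, action, rating in audit(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{method.upper():4} -> {action}: {rating}")
```

Run against the constructed sample, the search form is ignored and the login form is rated "tamperable": the password itself is encrypted on the wire, as comments 1 and 3 say, but nothing protected the page that told the browser where to send it, which is the gap comment 7 describes. The same form served from an https page rates "ok".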

  8. What is with the $99.95 error?

    .Mac only costs $79.99 per year - (or less if you shop around)

    http://www.amazon.com/Apple-Mac-4-0-Online-Service/dp/B0007LW230

    This article is full of lies it seems.

    OS11

    -

  9. OS 11,

    The advertised price for .mac is 99.95, found on Apple's website at:
    http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID?mco=24627F88&nplm=MA927Z/A

    There is no error.

    Thanks.

  10. OS11 said:

    [quote]What is with the $99.95 error?

    .Mac only costs $79.99 per year - (or less if you shop around)

    http://www.amazon.com/Apple-Mac-4-0-Online-Service/dp/B0007LW230

    This article is full of lies it seems.

    OS11

    -[/quote]

    So you found a price that was lower somewhere else and that supports the notion that the article is full of lies? Does that mean every time I read a review for a new automobile that quotes msrp, for example, that if another dealer offers me a lower price the review was full of lies???

  11. I thought I’d also point out that you get much more for your $99.99 (or $79.99, or whatever) per year than just the email service.

  12. Lyle said:

    [quote]I thought I’d also point out that you get much more for your $99.99 (or $79.99, or whatever) per year than just the email service.[/quote]

    I don’t use .mac, so I don’t know how it works. I was wondering if the same login security issues discussed here (whether they turn out to be true or false) are involved with those other services, too. Not flaming, just curious.

  13. @Lyle, yes much more, and all of it, including 10GB of your most precious files all accessible from an insecure login page.

  14. Lyle,

    Gmail users are also seeing 10GB storage quotas now, so there really isn't much of an advantage to .Mac.

    Factor in Google's other services and there isn't much of a motive to pay 100 bucks a year for .Mac.

  15. mr.squeaky said:

    [quote]What is with the $99.95 So you found a price that was lower somewhere else and that supports the notion that the article is full of lies? Does that mean every time I read a review for a new automobile that quotes msrp, for example, that if another dealer offers me a lower price the review was full of lies???[/quote]

    what? It’s COMMON knowledge .Mac does NOT cost $99, the author was clearly trying to mislead his audience by using a fictitious cost in his “headline”, in an attempt to “mislead”.

    .Mac costs anywhere from $65 to $89 depending on where you shop, you would have had to jump through some massive hoops to pay $99.95.

    He was caught in a 2nd lie, that’s all.

    -

  16. OS11,

    Put the pipe down, go to Apple's website, click on store, then .mac. A single user license is 99.95.

    Thanks.

  17. techniclutz said:

    [quote]Before you guys go any further with this, can tom, Mark or anyone else for that matter offer any sensible reason as to why gmail and yahoo have secure login pages and .mac accounts do not?[/quote]

    Maybe they don’t have as many servers as google and yahoo and want to cut down on traffic bandwidth by only using SSL on the username and password part of the page. The main point is that Mark and Tom HAVE proven that it is SECURE.

    If you still are scared, then don’t use .Mac.

  18. notquiteleet said:

    [quote]Lyle,
    Gmail users are also seeing 10GB storage quotas now so there really isn't much of an advantage to .Mac.[/quote]

    What?????????

    Storage quota is only one “t i ny” part of .Mac. Can you mount your Google Hard Drive onto any PC or Mac on the Planet? Nope! With .Mac you can.

    Can you sync all your Bookmarks, Address Book, eMail preferences? with Google. Nope!

    Can you publish Webpages, iPhotopages, iMovies directly from iLife to Google? Nope!

    I think the bottom line is authors such as “thebiggestcomplaint”, don’t know the “littlest about .Mac”, so this article is a pure farce.

    Learn a little will you?

    http://www.mac.com/WebObjects/Welcome

  19. @Hammer and the guy that was sniffing his own packets, why don’t you guys try the method preferred by most 12 year old hackers and intercept the page before it gets to the user, change the form, phish out the info and redirect them back to .Mac?

    It’s a win-win situation. You get their vital login information and the user feels all warm and fuzzy because they landed on a “secure” page after login.

  20. notquiteleet said:

    [quote]OS11,

    Put the pipe down, go to Apple's website, click on store, then .mac. A single user license is 99.95.

    Thanks.[/quote]

    What pipe?

    I’m just thinking more clearly than you, the audience or the author.

    He only quoted Apple’s FULL retail price, not the REGULAR purchase price so put down the “ignorance” and check into the ACTUAL price, not the “raw retail” price the author wants you to make believe.

    NOBODY buys at full retail in the computer world, .Mac is routinely given away or sold for $65 if you buy a machine. $69 is the “average” price of .Mac… NOT $99.95.

    Go to the Rolls Royce site, isn’t it interesting that the prices listed are 35% higher than the ACTUAL price of the same model, same exact specs?

    I smell a fake article, and it is titled: $99.95 .Mac Email - Not Secure -

    Oops! Author WRONG on 2 counts, within the SAME HEADLINE.

    Learn how to write is all I’m asking.

    -

  21. [quote]OS11,

    Put the pipe down, go to Apple's website, click on store, then .mac. A single user license is 99.95.

    Thanks.[/quote]

    He only quoted Apple’s FULL retail price, not the REGULAR purchase price so put down the “ignorance” and check into the ACTUAL price, not the “raw retail” price the author wants you to make believe.

    NOBODY buys at full retail in the computer world, .Mac is routinely given away or sold for $65 if you buy a machine. $69 is the “average” price of .Mac… NOT $99.95.

    Go to the Rolls Royce site, isn’t it interesting that the prices listed are 35% higher than the ACTUAL price of the same model, same exact specs?

    I smell a fake article, and it is titled: $99.95 .Mac Email - Not Secure -

    Oops! Author WRONG on 2 counts, within the SAME HEADLINE.

    Learn how to write is all I’m asking.

    -[/quote]

    So then are you saying the full retail price is not what .Mac is sold at? In your example of the 65 dollar price of .Mac it requires you to buy a machine, thus the cost of .Mac is a computer + $65.00, much more than $99.95.

    Please grow up. I used to work for Apple, I know how much the stuff costs, advantages, disadvantages, and selling points of their products.

    GG Fanboy’s …

  22. Somehow we went from “is Apple’s .Mac Mail Secure” to “You Can Get .mac Accounts for Less Than the Price Advertised on Apple’s Website,” which didn’t really answer the question posed.

    Would everybody be happy if it was “My Biggest Complaint About Apple’s $69.95 .Mac Email - Not Secure?”

    The price really doesn’t have much to do with how secure it is.

  23. notquiteleet said:

    [quote]So then are you saying the full retail price is not what .Mac is sold at? In your example of the 65 dollar price of .Mac it requires you to buy a machine, thus the cost of .Mac is a computer + $65.00, much more than $99.95.

    Please grow up. I used to work for Apple, I know how much the stuff costs, advantages, disadvantages, and selling points of their products.
    .[/quote]

    I’m saying NOTHING of the sort… .Mac simply DOES not COST $99.95, average is around $69… that is a raw FACT.

    You just need to learn how to shop.

    ASIN: B0007LW230
    Item model number: MA361Z/A

    If you don’t understand how the web works, that’s not my fault. I worked (and still do) for Apple and am tired of people posting false reports. Lots of people INSIDE Apple are wrong on prices; I happen to be not one of them.

    Learn a little will you?

    -

  24. [quote]So then are you saying the full retail price is not what .Mac is sold at? In your example of the 65 dollar price of .Mac it requires you to buy a machine, thus the cost of .Mac is a computer + $65.00, much more than $99.95.

    Please grow up. I used to work for Apple, I know how much the stuff costs, advantages, disadvantages, and selling points of their products.
    .[/quote]

    I’m saying NOTHING of the sort… .Mac simply DOES not COST $99.95, average is around $69… that is a raw FACT.

    You just need to learn how to shop.

    ASIN: B0007LW230
    Item model number: MA361Z/A

    If you don’t understand how the web works, that’s not my fault. I worked (and still do) for Apple and am tired of people posting false reports. Lots of people INSIDE Apple are wrong on prices; I happen to be not one of them.

    Learn a little will you?

    -[/quote]

    If I walk in to the Apple store how much does .Mac cost me?

    Right.

  25. mr.squeaky said:

    [quote]The price really doesn’t have much to do with how secure it is.[/quote]

    Everyone knows .Mac is fully secure. (except the sensationalist, low ego’d author) so price became the main error of this article.

    Fix both and everyone is happy!

    An updated Title of this Article everyone can agree should be:

    Even at $70 for Apple’s .Mac Service, is Surprisingly Secure…

    Will suffice.

  26. [quote]

    Everyone knows .Mac is fully secure. (except the sensationalist, low ego’d author) so price became the main error of this article.

    [/quote]

    This sounds like a proclamation made without a supporting argument and it reads as being a bit zealot-like.

  27. Hammer said:

    [quote]Maybe they don’t have as many servers as google and yahoo and want to cut down on traffic bandwidth by only using SSL on the username and password part of the page.[/quote]

    @Hammer, thanks for at least trying to answer my question and give a reason as to why the page is not secure, although the form may be.

    Apple has plenty of bandwidth. Seriously, iTunes downloads? Full length movies? Secured login… I don’t think there is a comparison.

    I’m guessing Apple isn’t on shared hosting.

    So, does anyone else have any other ideas as to why Apple would not make the entire page secure to prevent it from being phished?

  28. Stop being a fool, I’ve had .Mac since it was called iTools and was free. The fact that I don’t use the webmail, or the email at all for that matter, and still find it has value is beside the point. My credit card gets charged ~$99 every November. Stop with the $69 crap. No one shops around when they are renewing the service on an annual basis.

    As for the security of the login, this tangential tirade has completely destroyed a valid dialogue that is worth having. Yahoo used to have a login box on every page (accessed via http) that submitted to a secure form. It is NOT secure to do so, and they have changed, they now have ONE secure login page that all authentication requests redirect to. You can not post securely from a plain old http page. If you think you can, then you are just like 80% of the web developers out there that don’t understand how this stuff works.

    [quote]
    I’m saying NOTHING of the sort… .Mac simply DOES not COST $99.95, average is around $69… that is a raw FACT.

    You just need to learn how to shop.

    ASIN: B0007LW230
    Item model number: MA361Z/A

    If you don’t understand how the web works, that’s not my fault. I worked (and still do) for Apple and am tired of people posting false reports. Lots of people INSIDE Apple are wrong on prices; I happen to be not one of them.

    Learn a little will you?

    -[/quote]
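Comment 28 describes the fix Yahoo settled on: one login page that is only ever served over https, with every authentication request redirected there. The request handler below is an added example of that pattern, not Apple's or Yahoo's code; the webmail.example.com host and the /login path are assumptions for the illustration, and the Strict-Transport-Security header is a later browser mechanism that postdates this thread. The handler redirects any plain-http request to its https equivalent, serves the form (whose action is also https) only over https, and refuses a POST that arrives over http so that a form rewritten by someone on the path cannot deliver credentials in the clear to this server.

```python
"""Serve a login form only over https, redirect the http version, and reject
credentials submitted over http.

Added example for this thread, not the code of any site discussed in it.
HOST and LOGIN_PATH are assumed values; authentication itself is stubbed
because the point is the transport handling, not the password check.
"""

HOST = "webmail.example.com"   # assumed host name
LOGIN_PATH = "/login"          # assumed path of the single secure login page
HSTS = "max-age=31536000; includeSubDomains"

# The form's action is absolute and https, so even a relative-URL mistake
# cannot point it at an http endpoint.
LOGIN_FORM = (
    f'<form method="post" action="https://{HOST}{LOGIN_PATH}">'
    '<input name="user"><input type="password" name="pass">'
    '<input type="submit" value="Log in"></form>'
)


def handle_request(scheme, method, path):
    """Return (status, headers, body) for one request.

    `scheme` is the scheme the request actually arrived on ("http" or
    "https"), which a front end normally passes through as a header.
    """
    if scheme != "https":
        if method == "POST":
            # Credentials over plain http are refused outright; redirecting a
            # POST would only encourage clients to resend them.
            return 403, {"Cache-Control": "no-store"}, "submit credentials over https only"
        # Any other http request is sent to the https copy of the same page.
        return 301, {"Location": f"https://{HOST}{path}", "Cache-Control": "no-store"}, ""

    headers = {
        "Strict-Transport-Security": HSTS,   # browser keeps using https for HOST
        "Cache-Control": "no-store",         # login pages should not be cached
    }
    if path == LOGIN_PATH and method == "GET":
        return 200, headers, LOGIN_FORM
    if path == LOGIN_PATH and method == "POST":
        # Password verification would go here; assumed success for the example.
        return 200, headers, "authenticated"
    return 404, headers, "not found"


if __name__ == "__main__":
    for req in [("http", "GET", "/login"), ("http", "POST", "/login"),
                ("https", "GET", "/login"), ("https", "POST", "/login")]:
        status, headers, _ = handle_request(*req)
        print(req, "->", status, headers.get("Location", ""))
```

With this layout the page that carries the form and the endpoint that receives the password are both https, which is the "ok" case rather than the "form on http, action on https" case the thread is arguing about.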

  29. If you really want to whinge at pricing, we only get max £1 off the price of .mac here in the UK (see Amazon.co.uk).

    Other than that, be thankful you live in a country where you don’t get ripped off with everything you buy!

    Now… big hug everyone.

  30. Wow… this is odd. Seriously. .Mac has MANY features. Most of which you CAN’T get with another online subscriber. On top of that there isn’t anything wrong with their security for their applications because their applications are behind the same firewall and other protection methods as the OS. Furthermore, even with some oddly minor technical bull crap the page is secure all the same. I also did the trial. I’ve got hotmail, yahoo, gmail, and AIM mail plus an AOL account on the side. I don’t pay attention to the HTTP or HTTPS bull as I know that kinda crap doesn’t matter. SSL can be cracked. I view this as just another attempt to bad mouth a good company. I’m getting a .mac account because of how satisfied I was with its security. I happen to pay attention to my online security very closely.

    SSL has been cracked. Any really good hacker can even get onto the server the info is stored on and just get your info if they so choose. So basically what you’re going on about has run you right into a wall. Why bother even using the internet for everything. The internet we use was NEVER designed to be secure. There are no security features that were built into the internet and don’t even try to tell me that I’m wrong on that. On that note I must wonder why you have anything online. None of it is really secure. Never will be either. Apple Inc. is one of the companies doing their best to make their customers online experiences as good as possible. That includes the security front. Take a look at any Windows computers and you’ll notice the same flaws you mentioned in Windows. Windows keeps records of this that and the other thing unless you know how to turn that stuff off. Even then if you’re using Norton’s firewall, Windows firewall you’re still not protected.

    Take it from someone who’s done the research. It’s plenty secure. I should also note that while you’re ranting and raving about how bad .Mac is… you didn’t use it with the software. WHICH is what it was designed for. Also I bring one final thing to the table. The internet is dead, or to be more correct it’s dying. So this doesn’t really matter. By 2010 they plan to have a new one in place. One WITH built in security features.

  31. I must admit that .mac could be made more secure. It could also have its name changed to be mac.com rather than a snarky dot-net reference.

    However, the page is pretty secure. The eye-grabbing graphic that complains about the insecurity of .mac webmail is technically wrong. While the page is susceptible to a man in the middle attack, this is a pretty rare and difficult attack to pull off and not get caught. If you are bringing your own computer onto a hostile network, you should bring Apple Mail rather than use the .mac webmail.

    If you are going into a web cafe and using the machine there to check your mail, there are other, much easier ways to get your password. None of which are likely in a respectable place of business.

    Yes it should be made more secure, but it’s pretty good. And I am happy to pay my $100 per year for the service; including the webmail feature that I almost never use.

  32. deadshift, I respect your opinion but I must make one clarification.

    You said, “The eye-grabbing graphic that complains about the insecurity of .mac webmail is technically wrong. While the page is susceptible to a man in the middle attack, this is a pretty rare and difficult attack to pull off and not get caught.”

    However your conclusion is wrong. The insecurity of .mac webmail is in fact correct. Technically, yes, it is insecure or at least LESS secure than free offerings from other companies.

    The probability of a criminal being caught has no bearing on the technical deficiency nor obvious security vulnerability of any website or computing device.
