Is Apple’s iDisk secure?

July 22, 2008 at 5:38 pm | In MobileMe |

When Apple replaced its aging .Mac service with MobileMe this month, it doubled the amount of storage from 10GB to 20GB per individual account. Coupled with iDisk Sync, which promises the speed of local storage with the convenience of remote storage, this greatly added to the appeal of iDisk for accessing files from multiple Macs.

But is the new iDisk secure? Sadly, a message from Apple support reveals that it is not:

When you connect to your iDisk, the authentication of your MobileMe member name and password is done via Digest Authentication. This is a common, secure way to handle authentication for many HTTP-based services (such as webpages) or WebDAV servers (such as iDisk). For more information about Digest Authentication, you can search for the term in your favorite search engine.

Once you are connected to the iDisk and after the authentication process, the actual transfer of data is not encrypted. This includes publishing pages or photocasts with iWeb or iPhoto, using Backup, syncing with iDisk Syncing, publishing calendars with iCal, or simply copying a file manually to your iDisk.

This is unacceptable. Since iDisk stores and retrieves files in the clear, a local or wireless network eavesdropper could easily capture sensitive files as they are read from or written to iDisk. This is particularly egregious since Mac OS X already supports WebDAV over HTTPS, which could easily provide the needed encryption.
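To make the distinction concrete, here is an added Python example (not from the post and not Apple's code) that builds a WebDAV PUT authenticated with HTTP Digest, as the support message describes, and shows what a passive observer on the path learns from the plain-HTTP request: the password never appears on the wire, but the file body does. The member name, realm, nonce, hostname and file contents are constructed sample values.

```python
import hashlib

# Constructed sample values for a hypothetical WebDAV PUT over plain HTTP,
# authenticated with HTTP Digest (RFC 2617, no qop).
USERNAME = "alice"
PASSWORD = "correct-horse"          # never leaves the client in the clear
REALM = "me.com"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # constructed server nonce
METHOD = "PUT"
URI = "/alice/Documents/taxes-2008.txt"
BODY = b"SSN 000-00-0000\nbank account 12345678\n"  # constructed sensitive file


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, nonce, method, uri) -> str:
    """RFC 2617 response value without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def build_put_request(user, password) -> bytes:
    """Wire bytes of the unencrypted PUT, exactly as a network eavesdropper sees them."""
    resp = digest_response(user, password, REALM, NONCE, METHOD, URI)
    auth = (f'Digest username="{user}", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{URI}", response="{resp}"')
    headers = (f"{METHOD} {URI} HTTP/1.1\r\nHost: idisk.example.invalid\r\n"
               f"Authorization: {auth}\r\nContent-Length: {len(BODY)}\r\n\r\n")
    return headers.encode() + BODY


def eavesdropper_view(wire: bytes) -> dict:
    """What a passive observer learns: Digest hides the password, not the payload."""
    return {
        "sees_password": PASSWORD.encode() in wire,
        "sees_file_contents": BODY in wire,
    }


def server_verifies(wire: bytes, stored_password: str) -> bool:
    """Server-side check: recompute the digest from the stored credential and compare."""
    header = wire.split(b"\r\n\r\n")[0].decode()
    line = next(l for l in header.split("\r\n") if l.startswith("Authorization:"))
    sent = line.split('response="')[1].split('"')[0]
    return sent == digest_response(USERNAME, stored_password, REALM, NONCE, METHOD, URI)
```

Wrapping the same exchange in TLS (WebDAV over HTTPS) is what would hide the body as well, and it would also let the client verify the server's identity, which Digest alone does not.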

As a workaround, Apple suggests first saving sensitive files to an encrypted disk image, but this negates the convenience of iDisk Sync. It is also unreasonable to expect novices, presumably the intended users of MobileMe and iDisk, to anticipate the need to create encrypted disk images, let alone to know how to do so.

2 Comments »


  1. Yeah, absolutely useless, if the data is not encrypted.
    Another issue is that the client computer can’t check whether the server that says it is me.com really is me.com… only possible with SSL.

    Comment by Mike — August 13, 2008 #

  2. [...] I learnt two surprising and potentially dangerous things today. MobileMe’s webmail and Apple’s iDisk are not encrypted. Discussion of this available here and here. [...]

    Pingback by The Scred Blog » Apple’s lax security with MobileMe — August 27, 2008 #
