01-29-2009, 03:37 PM
j2inet

Quote:
Originally Posted by emuelle1 View Post
I think this sums it up for me. I remember when WM2003SW and ActiveSuck 3.8 could sync through wi-fi, but that feature was removed in WM5 and AS4 because Microsoft's "Business customers" saw it as a security issue.
It wasn't just seen as a security issue. It was a security issue. Business users expressing concern wasn't a factor. Information transmitted through ActiveSync over IP was unencrypted. The problem would be present even if you were syncing over an Ethernet cable connected to your router. Mike Calligaro, of the Windows Embedded team (the team that develops Windows CE; Windows Mobile is derived from CE), took on the subject in 2006. ActiveSync was never intended to work over WiFi. It had been made to work over Ethernet for devices that were directly connected to a computer via an Ethernet cable. Since it was working over IP when WiFi was added to devices, it just automatically worked. It was designed as a protocol for devices that are physically connected.

If you would like to perform wireless syncing, use Bluetooth. It is more secure.

The protocol also didn't identify devices, so if I were on your network I could make my computer look like it was your device and trick your device into sending me all of your contact information.


Here are some excerpts from his explanation.

From Windows Mobile Team Blog: WiFi Did You Do That?


Quote:
Originally Posted by Mike Calligaro
I’m sure that I won’t come out of this one unscathed. The people affected by this are really angry. And, though I didn’t have anything to do with the decision, I’m guessing that you’re going to take your frustrations out on me anyway.

The official (and true) reason has always been stated as “We removed it for security reasons.” But, judging from the number of angry comments I see posted here, that explanation hasn’t really convinced anyone that it was a good idea.

Desktop ActiveSync over WiFi was sending all your contacts, calendar, and email data over the internet without doing anything to keep people from reading it. If that doesn’t strike fear into your heart, let me add the second reason. When a device connects over desktop ActiveSync we don’t do enough to make it prove that it’s really your device (we don’t “authenticate” well enough). So, yes, when you had WiFi enabled on desktop ActiveSync, people on the internet could watch what you sent and then use that information to pretend to be your device. If they were successful at this, they could convince your desktop to start sending your information directly to them.

So why did you implement it in the first place?

ActiveSync started out as a way to plug your device directly into your PC over a serial port. Yes, it’s that old (many PCs don’t even have serial ports anymore). There was no need for any sort of security here, because the only way to do this was to physically connect two machines. If you had control of both machines, you’d already compromised whatever security was there.

At some point, PCs and Pocket PCs started getting USB ports. So we modified desktop ActiveSync to talk over USB. But we mostly did it by pretending the USB port was a serial one and sending the same kind of data over it. At some later point we started seeing Compact Flash network cards. We thought, “Hey, that’s another way we could connect to ActiveSync,” and built in the ability to sync over Ethernet. Not too many people used it, though, because it didn’t make too much sense to plug Ethernet cables into your mobile device. Later on, though, WiFi arrived. In the end, WiFi is just a wireless way to do Ethernet, so it pretty much automatically worked with what we had already built.

It’s not really Sync over WiFi that we removed. We removed Sync over Ethernet. It’s just that WiFi needed Ethernet Sync to work.

Last edited by j2inet; 01-29-2009 at 03:48 PM..
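
The device-identification gap described in the post, as an added example that is not part of the original post or of ActiveSync itself: a toy desktop sync endpoint that first trusts a claimed device name, then requires an HMAC proof of a pairing key bound to a fresh nonce. The device name, key, contact data and message shapes are constructed assumptions, not ActiveSync's wire format.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: device name, pairing key and contacts are hypothetical.
PAIRING_KEYS = {"alice-ppc": b"key-exchanged-over-usb-cradle"}
CONTACTS = ["Bob <bob@example.com>"]


def sync_by_name(claimed_name):
    """Weak check: the claimed device name is the only credential."""
    return CONTACTS if claimed_name in PAIRING_KEYS else None


def device_proof(key, nonce):
    """Device side: prove possession of the pairing key for this session's nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Desktop:
    """Desktop side that makes the device prove it holds the pairing key."""

    def __init__(self):
        self.nonce = None

    def challenge(self):
        self.nonce = secrets.token_bytes(16)  # fresh per session, so old proofs expire
        return self.nonce

    def sync(self, claimed_name, proof):
        key, nonce = PAIRING_KEYS.get(claimed_name), self.nonce
        self.nonce = None  # each challenge is single use
        if key is None or nonce is None:
            return None
        ok = hmac.compare_digest(device_proof(key, nonce), proof)
        return CONTACTS if ok else None


def demo():
    """Run the four cases and return what each requester received."""
    desktop, key = Desktop(), PAIRING_KEYS["alice-ppc"]
    captured = device_proof(key, desktop.challenge())  # proof seen on the wire
    genuine = desktop.sync("alice-ppc", captured)
    desktop.challenge()
    replayed = desktop.sync("alice-ppc", captured)  # old proof, new nonce
    forged = desktop.sync("alice-ppc", device_proof(b"guess", desktop.challenge()))
    return {"name_only": sync_by_name("alice-ppc"), "genuine": genuine,
            "replayed": replayed, "forged": forged}
```

This covers only the authentication gap; the contacts still cross the network in the clear unless the channel is also encrypted.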
 