EFF ranks Apple's iMessage, FaceTime "best mass market options" for secure messaging, ahead of Black
In its ranking of electronic messaging systems for safety and security, the Electronic Frontier Foundation said no mainstream products passed all of its criteria, but that Apple's iMessage and FaceTime "stood out as the best of the mass-market options."
In addition to examining whether each of the three dozen products it tested used encryption ("both in-transit and at the provider level"), the EFF also detailed whether the products provided audited source code or allowed independent review.
The digital rights group said that despite Apple's security edge over the messaging options from BlackBerry, Google, Yahoo, and Facebook, neither iMessage nor FaceTime "currently provides complete protection against sophisticated, targeted forms of surveillance."
The EFF specifically called out AIM; BlackBerry Messenger; Facebook's Messenger and WhatsApp; Google Chat and Hangouts; Microsoft's Skype; Secret; SnapChat and Yahoo Messenger as failing to provide end-to-end encryption, rendering them no more secure than basic email.
While Apple began encrypting Mac users' instant messages back in the days of iChat using secure certificates it distributed through .Mac (the predecessor to MobileMe and today's iCloud), it has never rolled out effortless email encryption features for its Mail users.
Like BlackBerry Protected, BlackBerry Messenger and Microsoft Skype, Apple also does not manage certificate signing for its users that would allow its Mail, iMessage or FaceTime users to verify contacts' identities or sign the authenticity of their own messages, although Apple's Mail.app does support third-party certificates for secure encryption and contact verification.
The EFF also recognized Apple as having "properly documented" the secure design of iMessage and FaceTime, a test that BlackBerry Protected passed but most other common, proprietary services (including BlackBerry Messenger, Facebook, Google Hangouts and Microsoft Skype) all failed.
Two other tests: "are past communications secure if your keys are stolen?" and "has the code been audited?" were also passed by Apple's iMessage and FaceTime, but failed by BlackBerry Messenger and Protected and Skype. The EFF said Google Hangouts and Facebook chat both failed the former but passed the latter.
The EFF also complained that "most of the tools that are easy for the general public to use don't rely on security best practices--including end-to-end encryption and open source code," noting that Apple's iMessage and FaceTime are not open source code that is "open to independent review."
The group said Google Hangouts/Chat, BlackBerry, Skype and Facebook are not "open to independent review" either.
The EFF detailed its findings and explained its testing criteria in its "secure messaging scorecard."
Back in 2009, the EFF took Apple to task over iPhone jailbreaking, and earlier this year, it lauded Apple's initiatives to "protect user data from government request" in a "Who Has Your Back" report.
Apple passed all six criteria examined by the EFF, including requiring a warrant for content; informing users about government data requests; publishing transparency reports; publishing law enforcement guidelines; fighting for users' rights in courts; and fighting for users' rights in Congress.
The EFF observed that "Apple shows remarkable improvement in its commitments to transparency and privacy."
Last month, in an open letter to customers, Apple's chief executive Tim Cook wrote that "Security and privacy are fundamental to the design of all our hardware, software, and services, including iCloud and new services like Apple Pay."
Google self signs its own certificate of superiority
Drawing a contrast between Google and Facebook, Cook added, "Our business model is very straightforward: We sell great products. We don't build a profile based on your email content or web browsing habits to sell to advertisers. We don't 'monetize' the information you store on your iPhone or in iCloud. And we don't read your email or your messages to get information to market to you. Our software and services are designed to make our devices better. Plain and simple."
Following Cook's letter, Google chairman Eric Schmidt told CNN in an interview that "All the things [Cook] implied we're doing, we don't do," and insisted "we have always been the leader in security and in encryption. Our systems are far more secure and encrypted than anyone else, including Apple."
According to the EFF's findings, what Schmidt said was not true.
Comments
Take that, Schmidt!
? RULES!
Schmidt is the consummate politician.
Does not have a real clue about what he speaks but speaks with confidence and a sincere belief in what he says.
Folks, share these articles with as many as you can so the world learns about google.
The BB users are going to shit their pants and start trying to save face.
Can Schmuck be sued for these lies? He just keeps lying and lying with no repercussions whatsoever.
I've always wondered about how open-source code can get such great reviews. Just because lots of people have access to it doesn't mean it's that secure. What it does mean is that it never gets finished. Apple takes the best of open-source then adds its own security to it, making for a better product. As for lack of email encryption, Yosemite makes signing and encryption a lot easier but Apple fails to provide one thing that would easily make everything work better, an Apple CA (certificate authority) that uses your iCloud email account. Most Apple users already have an iCloud account and having Apple certify these certificates would be fairly easy. The free certificates aren't the same as those from the major CAs but are definitely better than self-signed certificates. Why should we have to pay for these certificates when Apple already has all the information a user gives to the CA certificate companies? This would make it a whole lot easier for Apple users.
This is going to start a shit storm if it makes it over to C|net.
While others may disagree, I can say that Tim Cook has been the best thing to happen to Apple this decade and I feel more confident than ever in its direction than any other under Jobs because of this.
i sure wish someone at appleinsider could learn to consistently write coherent sentences and paragraphs. the run-on paragraph above is confusing. what is it you guys do for a living? oh, right, sell ads ... à la google. got it.
Proofreaders are a diamond dozen in this doggy dog world, too; there’s know eggs use.
If I ever meet that scumbag in public I will call him a LIAR to his face!
I agree that the more people that know this sort of info about Google the better. However most smartphone users aren't really interested in the tech/security aspects of their device (but they should be) and those android users that are aware tend to be the android fanatics that wouldn't let the truth get in the way of a gooduseless argument. I think the best outlook on this news is that Apple users can be grateful that not only is Apple leading the pack when it comes to the security of its users' messages but that Tim and the team are continuing to push for even further improvements in this area.
I believe BB messenger became unsecure when they went cross platform.
Schmidt is a fool for saying such things. Really, iMessage and FaceTime really kick all of these from BB, Google and MS in the anus...
You had me at "Schmidt is a fool"
i sure wish someone at appleinsider could learn to consistently write coherent sentences and paragraphs. the run-on paragraph above is confusing. what is it you guys do for a living? oh, right, sell ads ... à la google. got it.
You're seeing an error because you are reading a story within the pasted in repost within Huddler, not on the website.
AI writers have no connection to the people who handle advertising on the site.