derekmorr
About
- Username
- derekmorr
- Joined
- Visits
- 29
- Last Active
- Roles
- member
- Points
- 110
- Badges
- 0
- Posts
- 237
Reactions
-
Zuckerberg really wants iPhone users to shift to WhatsApp
He has some valid criticisms of iMessage - it is nowhere as secure as Apple makes it out to be. But WhatsApp collects all of your metadata and shares it with Meta, so it's hardly better. I strongly suggest using Signal -- it's cross-platform and open-source, has been independently audited, and collects virtually no metadata.
iMessage has many problems:The problems with iMessage are in two areas: the protocol itself, and everything else.The iMessage encryption protocol isn't well designed:- In 2016, researchers at Johns Hopkins demonstrated that iMessage messages can be decrypted of they’re intercepted. This is a link to their paper -https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_garman.pdf
. While the attack is difficult to execute, it should never be possible.- The iMessage protocol doesn't have forward secrecy (https://www.tomshardware.com/news/imessage-weak-encryption-matthew-green,32466.html) -- that means it reuses the same encryption key indefinitely. That makes it much more susceptible to compromise. The Signal protocol has forward secrecy and changes the encryption key on each message.- The research team said that Apple should replace the iMessage protocol with something more secure, like the Signal protocol. https://www.vice.com/en/article/d7y7vk/apple-should-replace-imessage-encryption-researchers-warn- Following the 2016 revelations, Apple updated the iMessage protocol, using a custom signcryption scheme (see https://par.nsf.gov/servlets/purl/10200009). That paper found that the iMessage protocol is theoretically sound but makes suspect parameter choices: it uses only 88 bits of entropy per-message, and the per-message authentication tag is only 40 bits; both values are too small. Ultimately, the authors claim that Apple made unusual design choices in iMessage and questioned why Apple didn't use a more standardized, well-studied approach. There is speculation that backwards compatibility drove Apple's design process.- iMessage does not allow participants to verify one another’s identities and their shared encryption key. The system requires devices to implicitly trust Apple’s servers to distribute user’s public keys. In Signal, you can scan a QR code to verify the encryption key; this prevents man in the middle attacks. See this for more info https://blog.cryptographyengineering.com/2015/09/09/lets-talk-about-imessage-again/- A 2014 analysis of iMessage found that traffic analysis can reveal the Operating System (100% accuracy), type of user action message (96% accuracy), text language (98% accuracy), and plaintext message length (to within 6 characters). https://arxiv.org/pdf/1403.1906.pdf.In terms of "everything else" -- Apple has access to a lot of iMessage metadata, and in many cases to your chats (via iCloud backups):- Apple logs your iMessage contacts, and can share them with law enforcement. https://theintercept.com/2016/09/28/apple-logs-your-imessage-contacts-and-may-share-them-with-police/. Signal does not log your contacts.- iMessage data is also accessible to governments since iCloud backups are not end-to-end encrypted. In November 2021, Rolling Stone published an FBI document showing that iMessage can reveal more information that most other messengers, link: https://www.rollingstone.com/politics/politics-features/whatsapp-imessage-facebook-apple-fbi-privacy-1261816/ and see this PDF: https://propertyofthepeople.org/document-detail/?doc-id=21114562 -
iMessage Contact Key Verification appears in first iOS 16.6 beta
This article from Dr. Matthew Green, a cryptographer at Johns Hopkins, has a good overview of the problem. He's the researcher that was able to break iMessage encryption back in 2016. See his discussion of "key substitution attacks."
On the one hand, it addresses a long-standing design flaw in iMessage -- it was impossible to verify the identify of the other party. You just had to blindly trust the Apple provided the right encryption key to you, and you weren't subject to a man-in-the-middle attack. This is opposed to Signal and WhatsApp which support verification. Basically, these systems create a "fingerprint" of the encryption keys used in your conversation -- both parties can verify this fingerprint to ensure they both see the same keys.
Historically, iMessage did not have this -- so you could not know if you were really talking directly to someone or if your conversation was being relayed through an eavesdropper, or if Apple had secretly added an eavesdropper to your conversation. Now, this will be possible.
Edit: WhatsApp is actually innovating here. Most users do not manually verify safety numbers, so WhatsApp is rolling out an automatic key verification system which has a public log of all public keys in the system. See this announcement for a high-level overview. There is also an extended deep-dive discussion on the Security Cryptography Whatever podcast. -
Apple preparing for third-party app stores by 2024
JP234 said:It begins. Prepare for malware on your iOS devices. -
Green texts in iMessages nudge teens to use iPhones
I'm honestly wondering why anyone would use iMessage at all. From a privacy perspective, it's a terrible product.- The iCloud backups are accessible by Apple. Deal breaker.
- The iMessage protocol is terribly designed. It's so bad that in 2016, researchers at Johns Hopkins were able to read encrypted messages. That should never be possible.
- Related to the above: iMessage doesn't have forward secrecy. That's just stunning.
- It's not open source, so it can't be independently audited.
- Apple routinely gives information to government agencies.
-
Apple and Android users deserve better universal chat than Beeper mini
-
Epic CEO will fight Apple to the bitter end over App Store control
Madbum said:Epic doesn’t have to sell in Apples App Store. The store did t exist before Apple spent billions over last 15 years developing it. -
Epic CEO will fight Apple to the bitter end over App Store control
Madbum said:Many don’t know this,Tim Sweeney and Epic is largely owned by Tencent China, a Chinese communist controlled company
So this is Chinese communists vs an American company that just came up technology to save people trapped in the wild without mobile service
chinese Communist controlled Epic games… let that sink in -
Epic CEO will fight Apple to the bitter end over App Store control
Madbum said:derekmorr said:Madbum said:Epic doesn’t have to sell in Apples App Store. The store did t exist before Apple spent billions over last 15 years developing it.
do you think Safeway goes for that?
but if you go outside of Safeway and lease you own space and build yiu store and pull your stuff out of Safeway, I am pretty sure Safeway would not have an issue
again Sweeney is an agent of communist China, that is just as bad as Putin, so there is no need to even discuss them as actual human beings
My iOS devices are my property. I cannot choose to install apps outside of the App Store. I do not have choice. Apple actively prohibits third party payment mechanisms or app distribution channels. So in your analogy that's like Safeway prohibiting me from opening up my own store elsewhere in town. Apple's behavior is illegal and must be stopped. -
Apple preparing for third-party app stores by 2024
JP234 said:derekmorr said:JP234 said:It begins. Prepare for malware on your iOS devices.