derekmorr
About
- Username
- derekmorr
- Joined
- Visits
- 30
- Last Active
- Roles
- member
- Points
- 117
- Badges
- 0
- Posts
- 238
Reactions
-
Zuckerberg really wants iPhone users to shift to WhatsApp
He has some valid criticisms of iMessage - it is nowhere as secure as Apple makes it out to be. But WhatsApp collects all of your metadata and shares it with Meta, so it's hardly better. I strongly suggest using Signal -- it's cross-platform and open-source, has been independently audited, and collects virtually no metadata.
iMessage has many problems:The problems with iMessage are in two areas: the protocol itself, and everything else.The iMessage encryption protocol isn't well designed:- In 2016, researchers at Johns Hopkins demonstrated that iMessage messages can be decrypted of they’re intercepted. This is a link to their paper -https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_garman.pdf. While the attack is difficult to execute, it should never be possible.- The iMessage protocol doesn't have forward secrecy (https://www.tomshardware.com/news/imessage-weak-encryption-matthew-green,32466.html) -- that means it reuses the same encryption key indefinitely. That makes it much more susceptible to compromise. The Signal protocol has forward secrecy and changes the encryption key on each message.- The research team said that Apple should replace the iMessage protocol with something more secure, like the Signal protocol. https://www.vice.com/en/article/d7y7vk/apple-should-replace-imessage-encryption-researchers-warn- Following the 2016 revelations, Apple updated the iMessage protocol, using a custom signcryption scheme (see https://par.nsf.gov/servlets/purl/10200009). That paper found that the iMessage protocol is theoretically sound but makes suspect parameter choices: it uses only 88 bits of entropy per-message, and the per-message authentication tag is only 40 bits; both values are too small. Ultimately, the authors claim that Apple made unusual design choices in iMessage and questioned why Apple didn't use a more standardized, well-studied approach. There is speculation that backwards compatibility drove Apple's design process.- iMessage does not allow participants to verify one another’s identities and their shared encryption key. The system requires devices to implicitly trust Apple’s servers to distribute user’s public keys. In Signal, you can scan a QR code to verify the encryption key; this prevents man in the middle attacks. See this for more info https://blog.cryptographyengineering.com/2015/09/09/lets-talk-about-imessage-again/- A 2014 analysis of iMessage found that traffic analysis can reveal the Operating System (100% accuracy), type of user action message (96% accuracy), text language (98% accuracy), and plaintext message length (to within 6 characters). https://arxiv.org/pdf/1403.1906.pdf.In terms of "everything else" -- Apple has access to a lot of iMessage metadata, and in many cases to your chats (via iCloud backups):- Apple logs your iMessage contacts, and can share them with law enforcement. https://theintercept.com/2016/09/28/apple-logs-your-imessage-contacts-and-may-share-them-with-police/. Signal does not log your contacts.- iMessage data is also accessible to governments since iCloud backups are not end-to-end encrypted. In November 2021, Rolling Stone published an FBI document showing that iMessage can reveal more information that most other messengers, link: https://www.rollingstone.com/politics/politics-features/whatsapp-imessage-facebook-apple-fbi-privacy-1261816/ and see this PDF: https://propertyofthepeople.org/document-detail/?doc-id=21114562
-
Tim Cook made it clear that Apple won't adopt RCS any time soon
sireofseth said:
I use Signal myself (for with my Android friends, otherwise it’s iMessage.) But in what way is Signal “much more secure than iMessage”?derekmorr said:Just tell people to use Signal. It works regardless of platform and is much more secure than iMessage.The problems with iMessage are in two areas: the protocol itself, and everything else.
The iMessage encryption protocol isn't well designed:
- In 2016, researchers at Johns Hopkins demonstrated that iMessage messages can be decrypted of they’re intercepted. This is a link to their paper - https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_garman.pdf. While the attack is difficult to execute, it should never be possible.
- The iMessage protocol doesn't have forward secrecy (https://www.tomshardware.com/news/imessage-weak-encryption-matthew-green,32466.html) -- that means it reuses the same encryption key indefinitely. That makes it much more susceptible to compromise. The Signal protocol has forward secrecy and changes the encryption key on each message.
- The research team said that Apple should replace the iMessage protocol with something more secure, like the Signal protocol. https://www.vice.com/en/article/d7y7vk/apple-should-replace-imessage-encryption-researchers-warn
- iMessage does not allow participants to verify one another’s identities and their shared encryption key. The system requires devices to implicitly trust Apple’s servers to distribute user’s public keys. In Signal, you can scan a QR code to verify the encryption key; this prevents man in the middle attacks. See this for more info https://blog.cryptographyengineering.com/2015/09/09/lets-talk-about-imessage-again/
In terms of "everything else" -- Apple has access to a lot of iMessage metadata, and in many cases to your chats (via iCloud backups):
- Apple logs your iMessage contacts, and can share them with law enforcement. https://theintercept.com/2016/09/28/apple-logs-your-imessage-contacts-and-may-share-them-with-police/. Signal does not log your contacts.
- iMessage data is also accessible to governments since iCloud backups are not end-to-end encrypted. In November 2021, Rolling Stone published an FBI document showing that iMessage can reveal more information that most other messengers, link: https://www.rollingstone.com/politics/politics-features/whatsapp-imessage-facebook-apple-fbi-privacy-1261816/ and see this PDF: https://propertyofthepeople.org/document-detail/?doc-id=21114562
-
RCS is still half-baked, and Apple has no reason to adopt it
Delete your account.jimh2 said:
All my friends, with a few exceptions, use iPhones so RCS is of no value to me. I like the colored bubbles telling me who is using what type of phone. It's petty, but also hard to not think those with green bubble are not the "cool kids".bossbaby said:And the pathetic iMessage still dont have automatic spam filter. I really wish I could install Google message on my iPhone. The most annoying, I kept receiving spam Imessage from random emails. I both have iphone and Android and nope, RCS is not half baked. I use both and rcs has more feature than iMessage imho. Imessage doesnt have enough user base, atleast, outside america.
-
RCS is still half-baked, and Apple has no reason to adopt it
iMessage security is highly overrated. It is nowhere are secure as people think it is.In 2016, researchers at Johns Hopkins demonstrated that iMessage messages can be decrypted of they’re intercepted. This is a link to their paper -https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_garman.pdf. While the attack is difficult to execute, it should never be possible. The research team said that Apple should replace the iMessage protocol with something more secure, like the Signal protocol. https://www.vice.com/en/article/d7y7vk/apple-should-replace-imessage-encryption-researchers-warniMessage does not allow participants to verify one another’s identities and the shared encryption key. The system requires devices to implicitly trust Apple’s servers to distribute user’s public keys. In Signal, you can scan a QR code to verify the encryption key; this prevents man in the middle attacks. See this for more info https://blog.cryptographyengineering.com/2015/09/09/lets-talk-about-imessage-again/iMessage data is also accessible to governments since iCloud backups are not end to end encrypted. In November 2021, Rolling Stone published an FBI document showing that iMessage can reveal more information that most other messengers, link: https://www.rollingstone.com/politics/politics-features/whatsapp-imessage-facebook-apple-fbi-privacy-1261816/ and see this PDF: https://propertyofthepeople.org/document-detail/?doc-id=21114562 -
Green texts in iMessages nudge teens to use iPhones
I'm honestly wondering why anyone would use iMessage at all. From a privacy perspective, it's a terrible product.- The iCloud backups are accessible by Apple. Deal breaker.
- The iMessage protocol is terribly designed. It's so bad that in 2016, researchers at Johns Hopkins were able to read encrypted messages. That should never be possible.
- Related to the above: iMessage doesn't have forward secrecy. That's just stunning.
- It's not open source, so it can't be independently audited.
- Apple routinely gives information to government agencies.
