Old Jun 13, 2014, 04:53 PM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Apple Plans to Encrypt iCloud Email in Transit Between Providers




NPR yesterday wrote a story on the efforts of tech companies to protect consumer data, which included an extensive chart on how companies measure up when it comes to encryption.

While Apple was found to be encrypting iMessage end-to-end, as well as email from customers to iCloud, it was found to be one of the few global email providers based in the U.S. that does not encrypt customer email in transit between providers. That means emails that are sent from iCloud to iCloud are encrypted, but emails sent from iCloud to other providers, such as Gmail, are not encrypted.

Following the post, however, Apple told NPR that it is planning to encrypt those emails in the near future.
Quote:
Apple encrypts e-mail from its customers to iCloud. However, Apple is one of the few global email providers based in the U.S. that is not encrypting any of its customers' email in transit between providers. After we published, the company told us this would soon change. This affects users of me.com and mac.com email addresses.
As noted by 9to5Mac, Apple's response to NPR mentions only Me.com and Mac.com without a mention of the newer iCloud.com email addresses, but Google's data protection transparency website suggests that outbound iCloud.com emails are not encrypted, so it is likely Apple's plans include changes to the iCloud.com domain as well.

As noted by NPR, end-to-end encryption of emails sent back and forth between service providers requires cooperation between providers. Both email services involved (such as Apple and Google or Apple and Yahoo) must implement encryption, which means Apple will need to work with other email providers for true end-to-end encryption of iCloud.com email.

NPR's study also noted that many app installations and iOS updates are sent unencrypted to iPhones, as are configuration files sent from telecom companies, and pre-login browsing/shopping traffic from the Apple Store.

Article Link: Apple Plans to Encrypt iCloud Email in Transit Between Providers
MacRumors is offline   1 Reply With Quote
Old Jun 13, 2014, 04:54 PM   #2
CrazyForApple
macrumors 6502
 
Join Date: Dec 2012
Location: Buffalo, NY
That's good news
CrazyForApple is offline   1 Reply With Quote
Old Jun 13, 2014, 04:55 PM   #3
chirpie
macrumors 6502a
 
Join Date: Jul 2010
Kudos to NPR, that entire series was a good listen.
chirpie is offline   5 Reply With Quote
Old Jun 13, 2014, 04:56 PM   #4
PinkyMacGodess
macrumors 68000
 
Join Date: Mar 2007
Location: Midwest America.
Good grief! They don't already do that?

Exposure is limited, but come on... I'd have expected they were already doing this!

EDIT: Ohh, I thought this was about transit between their own servers. DUH, they had better be doing *something*...

Now between Yahoo, Google, and 'all the rest', in an industry notorious for having 'standards' being more like 'guidelines' that are ignored, or 'augmented' for proprietary reasons, I can see this being a rather large undertaking. Larger than it should be...

Last edited by PinkyMacGodess; Jun 13, 2014 at 05:02 PM.
PinkyMacGodess is offline   1 Reply With Quote
Old Jun 13, 2014, 04:57 PM   #5
iLoveiTunes
macrumors regular
 
Join Date: Feb 2011
kudos... iCloud is pretty much my primary off-work email these days. Stopped using gmail a while back
iLoveiTunes is online now   7 Reply With Quote
Old Jun 13, 2014, 05:01 PM   #6
coolfactor
macrumors 65816
 
Join Date: Jul 2002
Location: Vancouver, BC CANADA
This article is quite misleading. There are two ways to protect emails in transit:

Method #1 - Encrypt the pipe that the email message travels through. This is basically the whole SSL/TLS discussion that has been in the news lately.

Method #2 - Encrypt the contents of the email message itself. This would allow the encrypted message to pass through non-encrypted pipes and still be safe. But this method is far more complicated, as it requires a certificate+handshake between the sending email client and the receiving email client.

It sounds like Apple will be ensuring that when it connects to another mail server, it will try to use an encrypted pipe if the other server supports that, whereas right now it doesn't make that effort. That would make sense. The messages themselves won't be magically encrypted as per Method #2. That's up to the end-user to implement.
coolfactor is offline   4 Reply With Quote
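
What Method #1 looks like on the wire, as an added Python example that is not part of the post above: the sending server reads the receiving server's EHLO reply and upgrades the connection with STARTTLS only if it is advertised. The EHLO replies, host names and the `require_tls` switch (a strict mode that goes slightly beyond the post) are constructed for illustration.

```python
"""Opportunistic vs. required STARTTLS on a server-to-server SMTP hop (offline sketch)."""

# Constructed EHLO replies from two hypothetical receiving servers.
EHLO_WITH_TLS = (
    "250-mx.example.net greets mail.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 PIPELINING\r\n"
)
EHLO_WITHOUT_TLS = (
    "250-mx.example.com greets mail.example.org\r\n"
    "250-SIZE 10485760\r\n"
    "250 8BITMIME\r\n"
)


def ehlo_extensions(reply):
    """Return the extension keywords advertised in a multi-line 250 EHLO reply."""
    lines = reply.strip().splitlines()
    for line in lines:
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
    # The first line carries the server's greeting, not an extension.
    return {line[4:].split(" ", 1)[0].upper() for line in lines[1:] if line[4:]}


def plan_hop(ehlo_reply, require_tls=False):
    """Return (client_commands, protection) for one delivery attempt.

    protection is "tls", "plaintext" or "deferred" (message stays in the queue).
    """
    if "STARTTLS" in ehlo_extensions(ehlo_reply):
        # After the handshake the client must send EHLO again (RFC 3207).
        return ["STARTTLS", "<TLS handshake>", "EHLO", "MAIL FROM"], "tls"
    if require_tls:
        # Strict policy: never hand the message over an unencrypted pipe.
        return ["QUIT"], "deferred"
    # Opportunistic policy: the pipe stays unencrypted and the mail still goes out.
    return ["MAIL FROM"], "plaintext"


if __name__ == "__main__":
    for name, reply in [("STARTTLS offered", EHLO_WITH_TLS),
                        ("STARTTLS absent", EHLO_WITHOUT_TLS)]:
        for strict in (False, True):
            print(name, f"require_tls={strict}", plan_hop(reply, strict))
```

In every branch the message body is untouched: only the pipe changes, which is why Method #2 remains a separate, client-side step.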
Old Jun 13, 2014, 07:35 PM   #7
furi0usbee
macrumors 6502a
 
Join Date: Jul 2008
Yeah, it would be nice to have *real* encryption so even Apple cannot decrypt our messages and give them to the government.
__________________
YouTube - Apple iPhone Support Hotline (Actual Phone Call Recording)
MacBook Pro 15" (Retina) 2.3GHz i7 / 8GB RAM  iPad mini (AT&T) (16GB)
furi0usbee is offline   1 Reply With Quote
Old Jun 13, 2014, 08:34 PM   #8
ChrisA
macrumors G4
 
Join Date: Jan 2006
Location: Redondo Beach, California
Quote:
Originally Posted by furi0usbee View Post
Yeah, it would be nice to have *real* encryption so even Apple cannot decrypt our messages and give them to the government.
You can do that now. But both you and the person you are sending to have to agree and set it up in advance. Practically it would work between and and a few others.

End to end encryption is not possible in general because you many times WANT someone you don't know to be able to read your mail.
ChrisA is online now   1 Reply With Quote
Old Jun 14, 2014, 12:26 AM   #9
Señor
macrumors 6502
 
Join Date: Jun 2013
Location: United States
Quote:
Originally Posted by furi0usbee View Post
Yeah, it would be nice to have *real* encryption so even Apple cannot decrypt our messages and give them to the government.
The NSA has complete access to information anyway, and can easily decrypt it no sweat.
__________________
Remember, folks. People thought Apple wouldn't release the iPad Mini because it was smaller, so why can't they release a 5.5" iPhone?

MacBook Pro | Airport Extreme | rMini | iPhone 5
Señor is offline   1 Reply With Quote
Old Jun 14, 2014, 04:18 AM   #10
DryHeave
macrumors newbie
 
Join Date: Jun 2014
Quote:
Originally Posted by Señor View Post
The NSA has complete access to information anyway, and can easily decrypt it no sweat.
Well that depends what method of encryption you're using. If you're using a one-time-pad xor method with truly random pad data, then unless an attacker has read-access to your one-time pad or you screw up and accidentally use the pad twice, nobody else is going to have even the remotest possible chance of decrypting it — no cryptologist, white hat, black hat, nor NSA, nor aliens, nor even the most advanced computer in the universe running for quadrillions of years, nor even God.

Ok, maybe God. But that's about it. Maybe Q.

Last edited by DryHeave; Jun 14, 2014 at 04:23 AM.
DryHeave is offline   4 Reply With Quote
Old Jun 14, 2014, 12:47 PM   #11
Westside guy
macrumors 601
 
Join Date: Oct 2003
Location: The soggy part of the Pacific NW
Quote:
Originally Posted by PinkyMacGodess View Post
Good grief! They don't already do that?
Google only recently started doing this. Same thing with encryption of data between their own different server farms - twelve months ago they weren't encrypting that, either.

Then Snowden/Greenwald released a talk slide from the NSA showing that tapping those messages between server farms was one of the ways they were intercepting (specifically) Google data. That slide was shown to a pair of Google engineers, who then reportedly responded "oh (expletive)".

Google does deserve credit for moving on this quickly - but all of these companies have been playing catch-up. And really this only addresses spying by national entities. This almost certainly isn't how criminals get hold of people's mail.
Westside guy is offline   2 Reply With Quote
Old Jun 14, 2014, 10:43 PM   #12
Ralf The Dog
macrumors regular
 
Join Date: May 2008
Quote:
Originally Posted by furi0usbee View Post
Yeah, it would be nice to have *real* encryption so even Apple cannot decrypt our messages and give them to the government.
https://gpgtools.org/

Quote:
Originally Posted by DryHeave View Post
Well that depends what method of encryption you're using. If you're using a one-time-pad xor method with truly random pad data, then unless an attacker has read-access to your one-time pad or you screw up and accidentally use the pad twice, nobody else is going to have even the remotest possible chance of decrypting it — no cryptologist, white hat, black hat, nor NSA, nor aliens, nor even the most advanced computer in the universe running for quadrillions of years, nor even God.

Ok, maybe God. But that's about it. Maybe Q.
The cool thing about a one time pad is, there is a decryption key for every possible message of that length. If you have a message describing nuclear launch codes, with a different key, that same message could be a shopping list. It is even better if you pad the message, so you can't even use the length to give you a clue about the content.

One cool trick, encrypt your message using the correct key, then generate a second key that decrypts a fake message. If you are compromised and forced to give up your key, give them the second one.

********

Honestly, if a mail server is not using encryption with a real key from a real cert authority, the sending server needs to bounce the message.
Ralf The Dog is offline   0 Reply With Quote
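
The one-time-pad properties discussed in the posts above (a key exists for every message of the same length, padding hides the length, and using a pad twice breaks it), as an added Python example that is not part of any post. The 64-byte block size, the length-prefix padding scheme and the sample messages are constructed for illustration.

```python
import secrets

BLOCK = 64  # fixed ciphertext size chosen for this example; hides the real length


def xor(a, b):
    if len(a) != len(b):
        raise ValueError("one-time pad operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def pad(message, size=BLOCK):
    """2-byte length prefix + message + zero filler, always `size` bytes."""
    if len(message) > size - 2:
        raise ValueError("message too long for the pad")
    return len(message).to_bytes(2, "big") + message + bytes(size - 2 - len(message))


def unpad(block):
    length = int.from_bytes(block[:2], "big")
    if length > len(block) - 2:
        raise ValueError("corrupt length prefix")
    return block[2:2 + length]


def encrypt(message, size=BLOCK):
    key = secrets.token_bytes(size)  # random pad, meant to be used exactly once
    return key, xor(pad(message, size), key)


def decrypt(key, ciphertext):
    return unpad(xor(key, ciphertext))


def decoy_key(ciphertext, decoy):
    """A second key under which the same ciphertext decrypts to `decoy`."""
    return xor(ciphertext, pad(decoy, len(ciphertext)))


def reuse_leak(ct1, ct2):
    """If one pad is used twice the key cancels out: ct1 ^ ct2 == pt1 ^ pt2."""
    return xor(ct1, ct2)


if __name__ == "__main__":
    key, ct = encrypt(b"meet at the north gate at nine")
    fake = decoy_key(ct, b"eggs, milk, bread")
    print(decrypt(key, ct))   # real message
    print(decrypt(fake, ct))  # same ciphertext, different key, shopping list
    ct2 = xor(pad(b"second message, same pad"), key)  # the mistake: pad reused
    print(reuse_leak(ct, ct2) == xor(pad(b"meet at the north gate at nine"),
                                     pad(b"second message, same pad")))
```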
Old Jun 14, 2014, 11:47 PM   #13
ChrisA
macrumors G4
 
Join Date: Jan 2006
Location: Redondo Beach, California
Quote:
Originally Posted by Ralf The Dog View Post
That works only for special cases. How could I use GPG to send email to someone I don't know? The problem with encryption is that we want the reader to be able to read it. So you can only encrypt some email to some people.
ChrisA is online now   0 Reply With Quote
Old Jun 15, 2014, 02:23 AM   #14
Westside guy
macrumors 601
 
Join Date: Oct 2003
Location: The soggy part of the Pacific NW
Quote:
Originally Posted by ChrisA View Post
That works only for special cases. How could I use GPG to send email to someone I don't know? The problem with encryption is that we want the reader to be able to read it. So you can only encrypt some email to some people.
If a person has generated a GPG public/private keypair, they've probably uploaded their public key to one of the public key stores - and those usually sync between each other as well. So, generally speaking, you shouldn't need to know someone to send an encrypted email to them. If they've got a key, you can probably get it and use it.
Westside guy is offline   0 Reply With Quote
Old Jun 16, 2014, 06:57 AM   #15
PinkyMacGodess
macrumors 68000
 
Join Date: Mar 2007
Location: Midwest America.
Quote:
Originally Posted by Ralf The Dog View Post
Honestly, if a mail server is not using encryption with a real key from a real cert authority, the sending server needs to bounce the message.
ok

----------

Quote:
Originally Posted by Westside guy View Post
Google only recently started doing this. Same thing with encryption of data between their own different server farms - twelve months ago they weren't encrypting that, either.

Then Snowden/Greenwald released a talk slide from the NSA showing that tapping those messages between server farms was one of the ways they were intercepting (specifically) Google data. That slide was shown to a pair of Google engineers, who then reportedly responded "oh (expletive)".

Google does deserve credit for moving on this quickly - but all of these companies have been playing catch-up. And really this only addresses spying by national entities. This almost certainly isn't how criminals get hold of people's mail.
How screwed up is this country?

Your own government tweaks your balls when you walk around with your pants down, rather than tell you to pull your pants up.

Whatever happened to 'Better off dead than red'?
PinkyMacGodess is offline   0 Reply With Quote
Old Jun 16, 2014, 08:00 AM   #16
dumastudetto
macrumors 6502a
 
Join Date: Aug 2013
This is great news. Apple is always putting the security and privacy of its users at the top of its corporate goals. Now it's time for other companies to match Apple's pledge...
dumastudetto is offline   0 Reply With Quote
Old Jun 16, 2014, 11:54 AM   #17
furi0usbee
macrumors 6502a
 
Join Date: Jul 2008
Quote:
Originally Posted by DryHeave View Post
no cryptologist, white hat, black hat, nor NSA, nor aliens, nor even the most advanced computer in the universe running for quadrillions of years, nor even God.
You had me until you started getting silly with the god stuff

But point taken.

----------

Quote:
Originally Posted by Señor View Post
The NSA has complete access to information anyway, and can easily decrypt it no sweat.
I won't go that far. If that's the case, there is zero point in trying to keep anything safe. However, do I assume my FileVault 2, 20-character password is safe from the NSA? Probably not. I mean, they have billions of dollars of computer resources and if they are intent on cracking one single computer and it happens to be mine, I highly doubt there is anything I can do to protect myself.
__________________
YouTube - Apple iPhone Support Hotline (Actual Phone Call Recording)
MacBook Pro 15" (Retina) 2.3GHz i7 / 8GB RAM  iPad mini (AT&T) (16GB)
furi0usbee is offline   1 Reply With Quote
Old Jun 16, 2014, 12:01 PM   #18
556fmjoe
macrumors 6502a
 
Join Date: Apr 2014
Quote:
Originally Posted by furi0usbee View Post
Yeah, it would be nice to have *real* encryption so even Apple cannot decrypt our messages and give them to the government.
If Apple is encrypting them with Apple's keys, this has no effect on the government because Apple can simply be ordered to hand them over, just like Lavabit was.

Apple really needs to have customers generate their own keys locally and only pass encrypted data through Apple servers to address the NSL issue. If Apple doesn't hold the keys, they can't surrender them if served with an NSL.
__________________
12" PowerBook G4 1.5 GHz, running OpenBSD -current

13" 2011 MacBookPro 2.7 GHz i7, running Arch Linux
556fmjoe is online now   2 Reply With Quote
Old Jun 16, 2014, 12:03 PM   #19
roadbloc
macrumors 604
 
Join Date: Aug 2009
Location: UK
I'm glad Apple (and other tech giants like Microsoft and BlackBerry) are taking user privacy seriously with the NSA threat.
roadbloc is offline   0 Reply With Quote
Old Jun 16, 2014, 03:54 PM   #20
spazzcat
macrumors 68000
 
Join Date: Jun 2007
Quote:
Originally Posted by PinkyMacGodess View Post
Good grief! They don't already do that?

Exposure is limited, but come on... I'd have expected they were already doing this!

EDIT: Ohh, I thought this was about transit between their own servers. DUH, they had better be doing *something*...

Now between Yahoo, Google, and 'all the rest', in an industry notorious for having 'standards' being more like 'guidelines' that are ignored, or 'augmented' for proprietary reasons, I can see this being a rather large undertaking. Larger than it should be...
Email isn't encrypted now unless you are doing it yourself with certs...
spazzcat is offline   0 Reply With Quote
Old Jun 16, 2014, 07:10 PM   #21
PinkyMacGodess
macrumors 68000
 
Join Date: Mar 2007
Location: Midwest America.
Quote:
Originally Posted by 556fmjoe View Post
If Apple is encrypting them with Apple's keys, this has no effect on the government because Apple can simply be ordered to hand them over, just like Lavabit was.

Apple really needs to have customers generate their own keys locally and only pass encrypted data through Apple servers to address the NSL issue. If Apple doesn't hold the keys, they can't surrender them if served with an NSL.
And what would stop Apple from doing that?
PinkyMacGodess is offline   0 Reply With Quote
Old Jun 17, 2014, 02:14 PM   #22
ctone
macrumors member
 
Join Date: Nov 2006
Quote:
Originally Posted by dumastudetto View Post
This is great news. Apple is always putting the security and privacy of its users at the top of its corporate goals. Now it's time for other companies to match Apple's pledge...
Actually, it is time that Apple catches up to all of the other providers that have already improved email security. According to the article and confirmed by my tests, the only major email providers in the US that don't provide this security are Verizon and Apple.

See Google's research on this subject here
ctone is offline   0 Reply With Quote
Old Jul 21, 2014, 05:02 PM   #23
ctone
macrumors member
 
Join Date: Nov 2006
Reports came out today that Apple finally fixed this problem. Too bad it took them over a month after this report came out that made their security and privacy look pretty bad compared to most other email providers.


http://threatpost.com/apple-implemen...ion-for-icloud
ctone is offline   0 Reply With Quote
