Apple Now Encrypting iCloud Emails

Discussion in 'Apple Music, Apple Pay, iCloud, Apple Services' started by impaler, Jul 15, 2014.

  1. impaler, Jul 15, 2014
    Last edited: Jul 15, 2014

    impaler macrumors 6502

    Joined:
    Feb 20, 2006
    Location:
    FL
    #1
    Okay, looks like multiple stories are reporting emails between not just iCloud accounts, but between other providers, are being encrypted now. I verified myself via Google's transparency site. The stories also note they're not using AES, but using RC4, a much weaker protocol. Every time I'm encouraged by Apple thinking smarter about Internet security, they take half steps toward good solutions. I also remember they were one of the last large web-based email providers to switch to SSL encryption in the browser; another time they let their SSL certificate expire.

    Safer email ? Transparency Report ? Google
    Apple begins encrypting iCloud email sent between providers | 9to5Mac
    Apple Now Encrypting iCloud Email Sent Between Providers | MacTrast
     
  2. 556fmjoe macrumors 65816

    556fmjoe

    Joined:
    Apr 19, 2014
    #2
    Anything short of end to end encryption using keys generated and stored locally on each user's device is purely symbolic. Why it still isn't the default is mind boggling.
     
  3. whsbuss macrumors 68040

    whsbuss

    Joined:
    May 4, 2010
    Location:
    SE Penna.
    #3
    Well not everyone wants to pay for email certs and the free ones only last for a year.
     
  4. Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #4
    You can generate your own certs, or you can use PGP. You do not have to use a centralized authority. Such a solution is not without its challenges, of course.

    A.
     
  5. 556fmjoe macrumors 65816

    556fmjoe

    Joined:
    Apr 19, 2014
    #5
    GPG is free and open source and requires no certs. It's available for any vendor to build into their software by default. It's a better solution than S/MIME anyway.
     
  6. impaler thread starter macrumors 6502

    Joined:
    Feb 20, 2006
    Location:
    FL
    #6
    While technically true, I believe nearly anyone that relies on iCloud for their primary email isn't thinking about these things at ALL. This story will definitely fly under the radar for the majority of their users.
     
  7. 556fmjoe macrumors 65816

    556fmjoe

    Joined:
    Apr 19, 2014
    #7
    That's the truth, and it's why GPG should be built in and used by default. It could be done quite transparently too.
     
  8. Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #8
    Sure, but then we are back to 556fmjoe's point; if you are not encrypting end-to-end, this whole business of encrypting between providers is of little consequence (i.e.: your mail just gets read at the provider, rather than in transit).

    A.
    (I was more surprised to learn that *anyone* was doing it than I was to learn that Apple was one of the last major players to do it).
     
  9. ugahairydawgs macrumors 68030

    ugahairydawgs

    Joined:
    Jun 10, 2010
    #9
    So let me get this straight......

    You want the company that has tried to move the post-PC market to a file system-less world to all of a sudden try to get users to start generating their own encryption certificates for email?

    Seriously?

    There are people that need serious encryption for their email. Those people do not use iCloud for that mail.
     
  10. Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #10
    Please do not put words in my mouth.

    And then object to something I did not say.

    A.
     
  11. 556fmjoe macrumors 65816

    556fmjoe

    Joined:
    Apr 19, 2014
    #11
    No, key pair generation should be done automatically upon app installation or setup, with the option to import existing keys. Give the user the option of encrypting their private key with a passphrase or TouchID, since making it mandatory discourages its use altogether. Ship public key to Apple's server. Any email to another iCloud email user retrieves the recipient's public key and encrypts the email with it by default.

    Most of the code for this already exists in GPG, so it shouldn't be hard to implement. Performance will be fine across platforms with elliptic curve keys and AES-128. The user would have minimal interaction with the underlying GPG process, nobody would be forced to enter long passphrases, and nobody would have to remember to encrypt. If Apple does it, it will build the infrastructure of key pair equipped users to allow other providers to do it too.
     
  12. sjinsjca macrumors 68000

    sjinsjca

    Joined:
    Oct 30, 2008
    #12
    Absolutely true.

    There are some things that cannot be trusted to third parties today. Having trust certification managed by a certificate authority of any type stands revealed as absolute futility, given the multiple breaches of CAs over the past years, and the prevalence of things like Microsoft's Forefront "threat management gateway" and Packet Forensics' SSL-breaking man-in-the-middle machine, which dates back to 2010. References: https://www.grc.com/fingerprints.htm and http://www.wired.com/2010/03/packet-forensics/ ...in fact, major antivirus programs work by inserting themselves in the trust chain; see http://rants.effu.se/2013/03/Arrogant-Anti-virus-Doesn't-Appreciate-Your-Choices for a discussion of one major player's encryption-subverting approach. Given that the antivirus industry is stuffed with East Bloc talent, allowing them to man-in-the-middle all your secure communications would seem to be a risk all its own.

    It used to be that I'd feel comfortable using SSL and such, thinking it would stymie most bad guys and at least inconvenience the really sophisticated snoops. Turns out that's false confidence, bigtime. Otherwise your communications are about as secure as they'd be if you spoke only in pig latin. Meaning, not at all.

    So between purloined or hacked CA certificates, SSL-breaking utilities and hardware that may be on any network you use or connect-through even indirectly, and man-in-the-middle-ware willingly installed by users and corporations, it's clear that anything that really needs encrypting needs tools entirely under the user's control. Fortunately these are plentiful, such as the superb, free GPGTools for OS X's Mail.app (https://gpgtools.org). But people have to use them for them to work.
     
  13. Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #13
    Exactly. I happen to like S/MIME with locally-generated certificates, some people like PGP (in the guise of GPG). I have used both, and test them annually with my like-minded associates. Amusingly, we have nothing of any import to say, and if we did we would not use email... :)

    A.
    (who has always treated email as if it were written on a postcard)
     
  14. impaler thread starter macrumors 6502

    Joined:
    Feb 20, 2006
    Location:
    FL
    #14
    Speaking only for myself, I think both Google and Apple's terms of service are good enough for me to trust humans aren't scanning and reading my emails. This whole NSA thing is another story, and beyond scope of my knowledge. As far as SSL, I remember when MobileMe (me.com) actually was http only. Completely in the clear. Nuts!

    Seems at times, "Security" is done as a marketing ploy to say they're safe.
     

Share This Page