Apple is also working on making Mac a closed system so you can't do it there either.

Do you have any supporting evidence of this?

I've heard about MS making Steam's life difficult on Windows and trying to push everything over to the Windows Store, but I haven't seen anywhere that Apple is also trying to do this.
 
OK, it's somewhat disconcerting that they were able to retrospectively decrypt certain content. But iMessage certainly isn't a "secure messenger" (like Threema or Signal). Yes, it offers end-to-end encryption, but you're not even able to verify that you're actually using your conversation partner's public key to encrypt your messages (hi there, man in the middle). It surely doesn't come as a surprise that you probably shouldn't use iMessage (or WhatsApp, for that matter) if you care about security.
It is highly unlikely that most people would fall prey to man in the middle or even this. As it stated, this is something for state-sponsored hacking. I want privacy and security and maybe care about it more than most. Having said that, the types of hacks needed to get past Apple's security is something that will be targeted. State-sponsored hackers will attack CEOs or politicians, not little old me.

From what I read, Apple can do more and it looks like it is constantly working to upgrade, so we can expect to see more. And to be clear, Apple is much better than Google at this. However, to address your main point, if you are transmitting things that you absolutely do not want to risk falling into the wrong hands, then I agree that iMessage, WhatsApp, Google Hangouts, etc. is not the right tool. For my use, I want to make sure that nosy bodies can't look, but I do not expect anyone to be targeting me for anything. And certainly, credit card or SSN never travel through these chat applications or email for that matter.
 
And I recommend they have iMessage for Android as well so most people can ditch WhatsApp.
 
Even if they patch it in iOS 9 or 10 how does that help iMessage users who can only run previous iOS versions?
I'm not going to go out and buy a new computer or phone just to have the latest patch.
 
Technically, they're just patching and adding workarounds to it. The proper fix is to overhaul the entire encryption protocol to avoid these weaknesses and that means a good chance it may not work on older macOS and iOS versions, which I suspect is what Apple is concerned about.
How do you know what they're doing or are going to do about it?
 
Regardless of the college bashing here & armchair quarterbacking, let's just hope Apple is "on it!" and this is now a top priority to get fixed, or better yet, replaced with a new & far more secure encryption model.
 
Johns Hopkins is a renowned medical school in Baltimore. What makes them the experts on cryptography?
So Johns Hopkins University is one of the most well-rounded universities in the world! And just so happens to have the biggest hospitals in the world. So not just medical school!
 
Do you have any supporting evidence of this?

I've heard about MS making Steam's life difficult on Windows and trying to push everything over to the Windows Store, but I haven't seen anywhere that Apple is also trying to do this.
Mac AppStore?
 
Do you have any supporting evidence of this?

I've heard about MS making Steam's life difficult on Windows and trying to push everything over to the Windows Store, but I haven't seen anywhere that Apple is also trying to do this.

Anyone who says Microsoft is making Steam's life difficult doesn't know what they're talking about.
 
How do you know what they're doing or are going to do about it?

It's all explained in the research paper linked in the article. The security researchers disclosed the issues to Apple many months ago and now they're talking about these issues since Apple has patched most of the issues in later updates. In other words, if you're using an older version, you're still at risk. The researchers wrote about what Apple did in later updates but believe there may be more related issues that haven't been analyzed yet.

Here are the short relevant quotes from the paper:

In November 2015 we delivered a summary of the results in this paper to Apple. Apple acknowledged the vulnerability in §5 and has initiated substantial repairs to the iMessage system. These repairs include: enforcing certificate pinning across all channels used by iMessage, removing compression from the iMessage composition (for attachment messages), and developing a fix based on our proposed “duplicate ciphertext detection” mitigation (see §7). Apple has also made changes to the use of iMessage in inter-device communications such as Handoff, although the company has declined to share the details with us. The repairs are included in iOS 9.3 and OS X 10.11.4, which shipped in March 2016.

Our main recommendation is that Apple should replace the entirety of iMessage with a messaging system that has been properly designed and formally verified. However, we recognize this may not be immediately feasible given the large number of deployed iMessage clients. Thus we divide our recommendations into short-term “patches” that preserve compatibility with existing iMessage clients and long-term recommendations that require breaking changes to the iMessage protocol.
 
Technically, they're just patching and adding workarounds to it. The proper fix is to overhaul the entire encryption protocol to avoid these weaknesses and that means a good chance it may not work on older macOS and iOS versions, which I suspect is what Apple is concerned about.

They could get around this by making iMessage a standalone app that works on older versions of iOS/OSX.
 
They could get around this by making iMessage a standalone app that works on older versions of iOS/OSX.

They could, but it's not as easy as it sounds. Also, why not just make Messages a separate app that's updatable all the time on all platforms as well?
 
Familiar with 'on a bike'. On a stick is new to me, what does it mean?

It slants the objection toward the unachievable - commonly "you won't be happy until you get the moon on a stick" - secondly the more efficient way to nail someone 'up' is on a single pole rather than making the effort to 'show off' with a fancy cross. Personally I think "Christ on a troll bridge with goats" is more appropriate in this instance.
 
Didn't know about Signal, will check that out. Cool.

No expert but I would rely on the iOS system with iMessage to be a lot more secure than others.
 
Johns Hopkins is a renowned medical school in Baltimore. What makes them the experts on cryptography?

Johns Hopkins is a full-fledged university - some of our EE faculty work with their engineering faculty.

This sounds very familiar to a potential problem with a stock Apache web server install. If your server's private key gets exposed in the future, anyone who's intercepted encrypted messages in the past can go back and decrypt everything (I'm simplifying a bit, but that's the gist of it). There are ways to prevent this, but it breaks your server's ability to talk with some older browsers.

With iMessage, though, it should be an easier fix since Apple controls the software at both ends.
 
OK, it's somewhat disconcerting that they were able to retrospectively decrypt certain content. But iMessage certainly isn't a "secure messenger" (like Threema or Signal). Yes, it offers end-to-end encryption, but you're not even able to verify that you're actually using your conversation partner's public key to encrypt your messages (hi there, man in the middle). It surely doesn't come as a surprise that you probably shouldn't use iMessage (or WhatsApp, for that matter) if you care about security.

WhatsApp does allow you to verify keys through QR codes.

Also, they claim calls are encrypted. I'm not sure if FaceTime calls are.
 