I went and looked at the full scorecard. I knew less than ten of these messaging apps. I had no idea how many were out there. The problem for me is that in order for it to work everyone has to be on the same app. Fortunately, iMessage works for me since 90% of the people I chat with (that would be a total of less than 10 people) are on the iPhone. And since SMS is integrated and works for that one other person, I am just fine with iMessage. Very happy to hear that it is very secure as well.
 
Just as WhatsApp rolls out the "blue arrows" indicating that a message has been read and it cannot be disabled.

Every girl on my fb wall is freaking out lol
 
Probably a good idea to get suspicious if the other party is wearing a mask. Though identification via voice would still be possible, even if not always reliable.

We might also call people we haven't met before in person.

FaceTime conversations with people from Craigslist casual encounters????
 
"Is security design properly documented?"

Huh? I don't understand how whether the security is documented or not actually improves the security.

It allows people who really know the security field to make judgements. And they have.

The only thing it doesn't do -- that's significant to me -- is that you can't verify who's calling. FaceTime video, of course, is identifiable by the video. Audio by the voice, if you know the person. But Messages? However, no other apps have that ability either. Hard to do in a system where people want to use pseudonyms, or chatter on with strangers. Verifying identities is complicated, and I'm not sure people wouldn't resent it.

As for the last "deficiency," frankly, open source is over-estimated as a security strength. There have been some nasty holes in Bash, and the Heartbeat vulnerability and the rest, many of which stayed for a generation inside critical parts of the most prominent open source code. A heavily-used proprietary market piece of software gets more attention, and they generally fix it quickly, because they lose sales.

----------

Correct, it's the only one that encrypts messages end to end.

And Apple doesn't keep the keys.
 
What does "Can you verify contacts' identities?" mean?

Like, if someone else shows up in FaceTime, wrong identity? ;)

The website mentions this:
This criterion requires that a built-in method exists for users to verify the identity of correspondents they are speaking with and the integrity of the channel, even if the service provider or other third parties are compromised. Two acceptable solutions are:

  • An interface for users to view the fingerprint (hash) of their correspondent's public keys as well as their own, which users can verify manually or out-of-band.
  • A key exchange protocol with a short-authentication-string comparison, such as the Socialist Millionaire's protocol.
Other solutions are possible, but any solution must verify a binding between users and the cryptographic channel which has been set up. For the scorecard, we are simply requiring that a mechanism is implemented and not evaluating the usability and security of that mechanism.
 
Not open source, but they said they'd make the protocol an open standard which would let anyone implement it.

I did hear they couldn't do this in the end for patent reasons: they violated someone's patent and had to pay for the rights to use it, so the standard wasn't completely theirs to open.

However I've never seen a citation to back this up. Anyone got a link to prove/disprove this?

Here's an article about Apple losing the lawsuit:
Apple loses Facetime patent lawsuit to VirnetX

However, that verdict was just overturned a few weeks ago.
Appeals Court Throws Out $368 Million Verdict Against Apple in VirnetX Lawsuit
 
Correct, it's the only one that encrypts messages end to end.
Apple could still read your traffic if they wanted to. While it's true that iMessage uses end-to-end encryption, the problem is that Apple controls the public key infrastructure and acts as certificate authority. If someone wants to send you a message, they need your public key to be able to encrypt it for you. When the sender attempts to look up your public key, Apple can easily replace it with another key where they have the corresponding private key (and since they are the CA too, they can sign the replacement key which would make the iOS device consider it trustworthy). This allows them to decrypt the message. Apple could then re-encrypt the intercepted message with your real public key and forward it to you, so you would never know that it has been intercepted.

This page has more detail if you're interested:

http://blog.quarkslab.com/imessage-privacy.html
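The two posts above describe the same problem from both sides: the scorecard criterion asks for a way to check a correspondent's key fingerprint out-of-band, and the iMessage post explains why that matters when the provider runs the key directory. The following is an added example, not code from the thread or from Apple; it models a provider-run key directory with a toy Diffie-Hellman group (p = 2^127 - 1 with generator 3, far too small for real use and chosen only so the example runs with the standard library) and shows that a fingerprint compared in person catches a substituted directory key, which nothing inside the channel itself would reveal. The user names and the KeyDirectory class are hypothetical.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only.
# p = 2^127 - 1 is prime; a real deployment would use a standard group or an EC curve.
P = (1 << 127) - 1
G = 3


def generate_keypair():
    """Return (private, public) for the toy DH group."""
    priv = 2 + secrets.randbelow(P - 3)
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Derive a 32-byte session key from the DH shared value."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def fingerprint(pub):
    """Human-comparable fingerprint: first 160 bits of SHA-256 over the public key, grouped in fours."""
    h = hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()
    return " ".join(h[i:i + 4] for i in range(0, 40, 4))


class KeyDirectory:
    """Provider-run key server (hypothetical). It normally serves what users uploaded,
    but as the operator it can also answer a lookup with a key of its own choosing."""

    def __init__(self):
        self.keys = {}
        self.substitutions = {}

    def publish(self, user, pub):
        self.keys[user] = pub

    def substitute(self, user, pub):
        self.substitutions[user] = pub

    def lookup(self, user):
        return self.substitutions.get(user, self.keys[user])


def verify_out_of_band(pub_from_directory, fingerprint_seen_in_person):
    """The scorecard's check: does the key the directory handed us match what the peer told us directly?"""
    return fingerprint(pub_from_directory) == fingerprint_seen_in_person


def run_scenario(intercept):
    """Alice messages Bob through the directory. With intercept=True the provider substitutes Bob's key."""
    alice_priv, alice_pub = generate_keypair()
    bob_priv, bob_pub = generate_keypair()
    directory = KeyDirectory()
    directory.publish("alice", alice_pub)
    directory.publish("bob", bob_pub)

    # Out-of-band step: Bob read his fingerprint to Alice in person before this conversation.
    bob_fp_in_person = fingerprint(bob_pub)

    if intercept:
        provider_priv, provider_pub = generate_keypair()
        directory.substitute("bob", provider_pub)

    bob_pub_seen_by_alice = directory.lookup("bob")
    alice_secret = shared_secret(alice_priv, bob_pub_seen_by_alice)
    bob_secret = shared_secret(bob_priv, directory.lookup("alice"))

    result = {
        # This is the only signal Alice gets; the channel itself looks healthy either way.
        "fingerprint_ok": verify_out_of_band(bob_pub_seen_by_alice, bob_fp_in_person),
        "secrets_match": alice_secret == bob_secret,
    }
    if intercept:
        # The directory operator now holds the same session key as Alice.
        result["directory_shares_alice_secret"] = (
            shared_secret(provider_priv, alice_pub) == alice_secret
        )
    return result


if __name__ == "__main__":
    print("honest directory:", run_scenario(intercept=False))
    print("substituted key: ", run_scenario(intercept=True))
```

The point of the fingerprint is that it is computed from the key Alice actually received, so a substitution shows up as a mismatch against what Bob told her directly; without that second channel, both runs look identical from inside the app. As the scorecard text says, the criterion only requires that such a mechanism exist, not that users will actually perform the comparison.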
 
FaceTime is not as safe as indicated

Apple manages the keys for FaceTime connections, and because of this could include its own or the NSA's key and they could be a party to the conversation.

Apple saying that they cannot decrypt does not make it so.

So the chart and this article pointing to the chart are in error.
 
Still, there's no two-step verification or any good way to manage what devices are active and receiving messages for iMessage. I really don't see the point of all this two-step verification hype from Apple if iMessage is left out. Until then (if ever), all the listed features are great, but SMS is still safer for 99 percent of the users.
 
No, it doesn't matter. I just wanted to be clear that these three things are not the same (and each option has slightly different security implications).

That is true. But if they don't do anything, well, nothing changes. Apple continues to be seen as the closed company that can't play well with others.

Then again, they can't monetize this service. Even if they did make it, it'd be bad like Safari on Windows was.
 
TouchID could be used to fill the holes suggested here.

Imagine this use case: Jane and John both have iPhones and are chatting using iMessage. Jane wants to send sensitive information (boob pics) to John, but wants to make sure that John hasn't handed his phone to his friend Bobby at the time she sends it. She could flag the message as 'secret', and John has to use TouchID or his AppleID password to verify his identity before seeing that message.

Offtopic: I'd also like a private browser that is 'locked' with TouchID. I could keep all my porn windows open in Private mode, and no one could see them without me unlocking that specifically.
There is an app for that: use Stash.
 
Yeah, the content is not important.

/s

No, the chart design sucks and makes the content difficult to read. It has good info, but crap delivery.

----------

And Apple doesn't keep the keys.

You are incorrect: Apple does indeed have the keys. They have to; otherwise the system would require much more effort on the part of each user to communicate with one another.

Steve Gibson has a great podcast about his review of it. While he gave glowing reviews for their implementation, he did speak about the keys being in the hands of Apple and that being a negative in terms of security but a plus for ease of use.

Edit: Here is the transcript for episode 1 (of 3) where he discusses iOS (including iMessage) security.

https://www.grc.com/sn/sn-446.htm
 
But Apple couldn't control the implementation of clients on other systems, which, unless their code was open source, at the very least puts up the issue of trust in the third party.

And any client that isn't open source (including Apple's) could send along the key to decrypt the message (that key obviously being encrypted such that only the client maker could listen in).

Steve Jobs said Facetime is built on open standards and that it would be opened up to others to implement it on their own devices.

http://www.fiercedeveloper.com/story/facetime-open-standard-never-happened/2012-12-06

http://en.wikipedia.org/wiki/FaceTime#Standards
 
Apple could still read your traffic if they wanted to. While it's true that iMessage uses end-to-end encryption, the problem is that Apple controls the public key infrastructure and acts as certificate authority. If someone wants to send you a message, they need your public key to be able to encrypt it for you. When the sender attempts to look up your public key, Apple can easily replace it with another key where they have the corresponding private key (and since they are the CA too, they can sign the replacement key which would make the iOS device consider it trustworthy). This allows them to decrypt the message. Apple could then re-encrypt the intercepted message with your real public key and forward it to you, so you would never know that it has been intercepted.

This page has more detail if you're interested:

http://blog.quarkslab.com/imessage-privacy.html

That's a lot of effort to read my smiley face emoji.
 