The column "Is the code open to independent reviewers", how on earth can the open source community continue to claim that their code is safe and secure because of peer review when HeartBleed and a slew of other major security holes and exploits have been found in open source code and have been there for years or even decades?

Just because a million monkeys review your code doesn't make it secure.

Ah, spoken like someone who has zero understanding of development.

OK, you have things like Heartbleed that took YEARS to find with a lot more eyeballs on it.
Imagine now if that code was closed. Chances are the same bug would STILL be out there and not found, so its exploit would still be in use.

A lot of bugs are found/solved by sheer dumb luck. Found one yesterday where I work. We knew about the bug but had been banging our heads against the wall to find out what caused it, as everything in the code looked fine and we struggled replicating it, so we were thinking it was a one-off. I found it by luck as I was prepping the data to go look at one of the possible causes and boom, there it was. It also showed how it was such a fringe case, as it required a lot of things to line up. I just happened to have had stuff from the previous project I worked on that was still in the database. This let me find it in the code.

Open source speeds up the dumb luck finding as you have more eyeballs looking through the code. Security issues like Heartbleed are found and fixed more by dumb luck than anything else. Open source increases the number of chances you have to find those rare hard-to-find issues.
 
Correct, it's the only one that encrypts messages end to end.

Your messages presumably can be read as Apple distributes the keys, they are not created locally on your device. We are trusting that Apple will not release those. However, the "Feds" could issue an NSL to Apple to turn over a user's iMessage keys they are holding for you. We know Apple has the keys because there is nothing you need to do to get to your iMessages on another device other than log in to iCloud. You don't have to enter the key, or key file to get it working on a new device.
 
Your messages presumably can be read as Apple distributes the keys, they are not created locally on your device. We are trusting that Apple will not release those. However, the "Feds" could issue an NSL to Apple to turn over a user's iMessage keys they are holding for you.
Actually, the keys are generated locally on the device, and Apple does not have the private keys. However, they control the directory service that is used to look up another user's public key when sending a message to that user. This means they can always slip public keys to a sender that don't actually belong to the user, thus enabling them to decrypt messages sent from this point onward. However, they cannot decrypt past messages even if presented with a government order.
We know Apple has the keys because there is nothing you need to do to get to your iMessages on another device other than log in to iCloud. You don't have to enter the key, or key file to get it working on a new device.
Every time you enable iMessage on a new device, that device generates a new key pair. The new public key is then added to your entry in Apple's directory service. Senders then encrypt messages such that any of your keys can be used to decrypt them.
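
The per-device key model described in the post above, as an added example that is not part of the original thread and is not Apple's code. It shows a sender encrypting one copy per key listed in the directory, that messages sent before a key was listed carry no copy for it, and a sender-side pin set that surfaces newly listed keys. The toy Diffie-Hellman group, the XOR keystream and the names `directory`, `pinned`, `send` and `demo` are assumptions for illustration; iMessage's real algorithms differ.

```python
import hashlib
import secrets

# Toy parameters (assumption): prime modulus and base for a Diffie-Hellman model.
P, G = 2**255 - 19, 2

def keygen():
    """Each device makes its own key pair; the private half never leaves it."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def fingerprint(pub):
    return hashlib.sha256(str(pub).encode()).hexdigest()[:16]

def keystream(shared, n):
    return hashlib.shake_256(str(shared).encode()).digest(n)

def seal(pub, msg):
    """Encrypt msg to one public key using a fresh ephemeral key."""
    eph_priv, eph_pub = keygen()
    ks = keystream(pow(pub, eph_priv, P), len(msg))
    return eph_pub, bytes(a ^ b for a, b in zip(msg, ks))

def unseal(priv, sealed):
    eph_pub, ct = sealed
    ks = keystream(pow(eph_pub, priv, P), len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def send(directory, user, msg, pinned):
    """One ciphertext per listed key; also return fingerprints never seen before."""
    fps = {fingerprint(k): k for k in directory[user]}
    unseen = sorted(fp for fp in fps if fp not in pinned)
    pinned.update(fps)
    return {fp: seal(k, msg) for fp, k in fps.items()}, unseen

def demo():
    phone_priv, phone_pub = keygen()
    laptop_priv, laptop_pub = keygen()
    directory, pinned = {"bob": [phone_pub]}, set()   # constructed sample directory
    first, _ = send(directory, "bob", b"message one", pinned)
    directory["bob"].append(laptop_pub)               # a second key joins the entry
    second, unseen = send(directory, "bob", b"message two", pinned)
    lap = fingerprint(laptop_pub)
    return {
        "old_has_copy_for_new_key": lap in first,
        "phone_reads_second": unseal(phone_priv, second[fingerprint(phone_pub)]),
        "laptop_reads_second": unseal(laptop_priv, second[lap]),
        "flagged": unseen == [lap],
    }
```

The directory entry alone does not tell the sender whether a newly listed fingerprint belongs to a device the recipient actually enabled, which is why the pin set reports it.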
 
That's a lot of effort to read my smiley face emoji.

Basically what the paper says is that if Apple really wanted to (i.e. be compelled to by law) they would be able to read your messages.

In other words, iMessage is secure from regular hackers, but not from Apple or the feds if they are compelling Apple to read your messages. If you want to be safe from the feds you would have to get another chat service (which would probably flag you to them as "hey look at me I'm doing illegal stuff!" :) )
 
no wire tap order, however they can't tell you what would happen to them if they couldn't provide.

Of course, once jail-broken, anything is possible.
 