Right, they say iMessage is end-to-end encrypted, but this is only true if you and the people you talk to don't use iCloud backups. If you do, then iMessage's E2E encryption silently degrades to key escrow.
I've read that Apple could technically inject a 3rd key in a two party chat and eavesdrop on it. Not sure how true that is in practice, but it seems plausible based on their security design document.
This is true. It's been proven to have happened in multiple court cases.
They can basically insert another "end" for the end to end encryption without any of the parties knowing.
You basically should never trust Apple / Google / Microsoft / Amazon / etc to handle your private information... ever. Use audited open-source messaging apps.
That article does not say what you claim it does. It’s about feds accessing imessage data via icloud backups, not by injecting keys to tap into conversations.
Using an “audited” app like signal on an iPhone still requires you to trust apple, because they could replace a library signal depends upon or they could just replace the whole app and you wouldn’t know. I also don’t know the extent to which we can verify that the app we get from the App Store is actually the audited version. I’ve always imagined signal could have secret code that gets included at compile time for certain platforms that could make it more vulnerable.
If we controlled all the code on our device and we could build the open source app ourselves that would go a long way. Otherwise you still have no choice but to trust your OS provider.
> You basically should never trust Apple / Google / Microsoft / Amazon / etc to handle your private information... ever. Use audited open-source messaging apps.
Nonsense. Understanding one’s own threat model is critical to deciding the acceptable amount of trust to place in these companies, but black and white thinking helps no one.
So could literally anyone who writes and distributes end-point software that encrypts and/or decrypts content (or hosts software that does) - including operating systems, browsers, e2e messaging apps, password managers, VPN clients, etc.
I believe solving this problem is the crux of the next major breakthrough (if it ever comes) in privacy and personal security. I'm not even sure a solution exists, but a lot can happen when smart people put their heads together on a seemingly intractable problem.
