Author isn't very clever about crypto attacks.<p>Sending device grabs all of the recipient's public keys (as well as all of their own keys for other devices, which allows the conversation to be replicated on all of their own devices as well) hosted by Apple. Sending device <i>has no way to verify those keys belong to the intended recipient</i>. User has no way to verify which, or how many devices they are sending to. User doesn't even know if the recipient is mysteriously using a different key that has never been seen before. Sending device does not display any information about how many keys it grabs.<p>Apple wants to read your messages? They drop one of their public keys in the list. Apple gets a warrant? They drop the FBI's key in the list. You'll never know that you're CCing the FBI device keys on all of your messages.<p>What's more, these keys are provided by Apple over TLS without certificate pinning. So now anyone who can mint certificates from a CA trusted by the device can just assume Apple's position. You don't need to hack or legally compel Apple in order to eavesdrop.<p>If your iDevice is managed by your company IT department, it can be silently fed a certificate without compromising a CA.[1]<p>Finally, if you did not apply the goto fail update a few days ago, it's trivial to break that TLS channel and also "misconfigure" those keys. That hole has been there since September 19, 2012, by the way.<p>Basically, iMessage has been securing you against someone who knows how to run Wireshark or tcpdump, but not much else.<p>[1] <a href="http://blog.quarkslab.com/imessage-privacy.html" rel="nofollow">http://blog.quarkslab.com/imessage-privacy.html</a>
It's worth re-reading this post by Matthew Green, "Can Apple read your iMessages?" [1]<p>For one, if you back up your device with iCloud, then yes, Apple can read your iMessages. This has been verified by experiment.<p>Second, Apple operates a central directory of iMessage public keys mapped to accounts, and this enables various kinds of MiTM attacks. Contrast this with the way TextSecure / RedPhone does contact discovery using blinded signature queries [2].<p>Third, iMessage and iOS are closed source. Ultimately, closed source can do whatever the heck it wants. Not just what they're telling you it does.<p>All the same, we now have some new details on iMessage from Apple [3], and I'm looking forward to hearing the crypto experts pick it apart.<p>[1] <a href="http://blog.cryptographyengineering.com/2013/06/can-apple-read-your-imessages.html" rel="nofollow">http://blog.cryptographyengineering.com/2013/06/can-apple-re...</a><p>[2] <a href="https://whispersystems.org/blog/contact-discovery/" rel="nofollow">https://whispersystems.org/blog/contact-discovery/</a><p>[3] <a href="http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf" rel="nofollow">http://images.apple.com/iphone/business/docs/iOS_Security_Fe...</a>
The way Apple could "read" the messages is by sending a keybag down to the person sending the messages with another public key, one that Apple holds the private key for.<p>For example if you have 3 devices (iPhone, iPad, MBP) and someone goes to send you a message, they have to re-encrypt the message three times because Apple would have sent them three public keys.<p>Now if Apple were evil because of a government order, they could send down four public keys, the three ones for the devices you own, and the one public key that Apple has the private key for. At that point once they receive the message they can read it.<p>Any system that distributes public keys like this can be compromised the same way.<p>---<p>The only real way to stop something like this is to make sure that the person you are talking to holds the keys, OTR does this for example by allowing both parties to verify the fingerprint...
<i>Unless Apple is omitting something or there’s some backdoor tucked into their many-layers-deep encryption (which, while unlikely, isn’t inconceivable) they really can’t read your iMessages without a fairly insane amount of effort.</i><p>That is, assuming, that there isn't some code in the app that allows Apple to request that the app send your private key up to the server. It's conceivable that in order to comply with law enforcement, for example, that Apple could just tell the app to send up your private key so that it can decrypt any message they have stored.<p>There's also no way to verify that your messages have, in fact, been removed from their services.
Obviously this system has limitations and entirely relies on your ability to trust Apple. But there's quite a few things to consider here:<p>* Text messages and most other chat protocols require that you trust multiple hardware vendors, multiple software vendors, and multiple telcos. By comparison, iMessage only requires that you trust a single company, Apple.<p>* As long as the operating system and messaging software is closed source, it would be impossible to eliminate the requirement to trust Apple anyway. If you really need serious security, you shouldn't be relying on any closed source third party systems, period.<p>* This is about as secure as it could ever get without requiring users to be educated about security principles. Given that iMessage is foremost a seamless alternative to text messages, it's difficult to imagine how they could make it more secure without compromising utility.<p>* The implementation details mean that any Government snooping must be done with Apple's knowledge, and will require the blessing of Apple's legal department. This might not be a particularly high bar to cross, but it does mean that Governments aren't running rampant, analyzing every message sent.<p>* The United States government isn't the only bad actor out there. The level of security appears to be extremely good against entities that hold no sway with Apple's legal team. It's also presumably impervious to a hostile network, or hostile foreign governments.
The whole document was an interesting read.<p><a href="http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf" rel="nofollow">http://images.apple.com/iphone/business/docs/iOS_Security_Fe...</a>
If all that is true, it sounds perfectly secure against anyone other than Apple and whatever law enforcement agencies they comply with requests from.<p>So, you know, really not secure at all.
More so than its rivals, Apple has consistently put forth a greater effort to explain their technology to its customers. Apple has remained keen to point out the difficulties of hardware and software development. Perhaps this is one reason why people outside of the technology sector perceive Apple products as superior. People think Apple has gone the extra mile.
As mentioned in other comments, you have to trust Apple to hand you the correct public keys. They could easily MITM you and decrypt the messages on the server if they misrepresent the other party's public key. Additionally, the iMessages you send are signed by your private key, which is probably not something you want.
Coming from a background of using cryptography regularly (far from an advanced user), this revelation seems... Not surprising. It's practically the equivalent of using SSL for viewing webpages. I say practically because for some mind boggling reason, using standard crypto practices seems to be novel for messaging services on the Internet.
They don't have to have your private key to pull off a MITM.<p>In reality, it is probably secure enough against most adversaries. State-level adversaries are a different story. For that you need OTR and key verification in person.
And if Apple's servers lie to you and tell you there's a device with a private key they generated?<p>They may never have your private key, but you are still trusting them to deliver the correct public keys to other users.
Everyone needs to start caring a lot more about verification and authenticity of keys (even public keys). iMessage anchors all trust in Apple Inc. with no means to verify that your public key has not been swapped.<p>If you can't verify and pin keys, then assume there is no encryption.
Can't they man in the middle the encryption? If there's a key exchange, how do clients verify the keys they get are legitimate? SSL/TLS uses trusted authorities to verify the public key.
The combination of dislike for Apple and paranoia in this thread makes for a pretty potent combination. Every communication channel has its flaws. Once upon a time, the post office was opening mail to read it, or wiretaps on telegrams and telephones. Now, it's iMessage. Every channel has potential exploitations, and if you can't agree with the ones that a channel comes with, don't use it. iMessage is optional. SMS is optional. Don't open your mail. Whatever.
What would be more interesting to me would be a comparison between the security of the iMessage protocol and similar competing facilities like SMS and Google Hangouts.
Apple is able to do this today because instant message services are not (yet) covered under CALEA (Carrier assistance for Law enforcement agencies). If CALEA is updated to include instant messaging services, Apple would be legally obligated to have a method of intercepting these messages, possibly with a separate public key as discussed in other comments.
Apple could mitigate most of the security concerns listed in this thread by listing the trusted devices which you're encrypting against. This solves the "extra encryption key" angle. You'd still have to trust your recipient to be just as mindful of this as you to prevent the vulnerability in the other direction though.
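The "extra key in the keybag" problem described a few comments up, and the device-list mitigation proposed here, as an added example that is not from the thread or from Apple: a sender-side trust-on-first-use store pins the fingerprints of the recipient's device keys and withholds any key it has not seen before from the encryption fan-out, surfacing it to the user instead. The key bytes, device names and directory responses are constructed placeholders, not real iMessage data.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample: the directory answers with one public key per device.
# Real keys would be RSA/ECDSA blobs; placeholder byte strings stand in for them.
ALICE_KNOWN_DEVICES = {
    "alice-iphone": b"alice-iphone-pubkey-placeholder",
    "alice-ipad": b"alice-ipad-pubkey-placeholder",
}


def fingerprint(pubkey: bytes) -> str:
    """Short hex fingerprint, the value a user could compare out of band."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


@dataclass
class PinningClient:
    """Sender-side store of device-key fingerprints seen per recipient (TOFU)."""
    pins: dict = field(default_factory=dict)  # recipient -> set of fingerprints

    def check_directory_response(self, recipient: str, pubkeys: list):
        """Return (accepted_keys, unknown_fingerprints).

        First contact pins every key the directory returned. On later lookups
        any key whose fingerprint is not pinned is kept out of the fan-out and
        reported, so the UI can show the user a device they never enrolled.
        """
        fps = {fingerprint(k): k for k in pubkeys}
        if recipient not in self.pins:
            self.pins[recipient] = set(fps)
            return list(pubkeys), []
        unknown = sorted(fp for fp in fps if fp not in self.pins[recipient])
        accepted = [k for fp, k in fps.items() if fp in self.pins[recipient]]
        return accepted, unknown


def simulate():
    """First lookup is honest; the second response carries one extra device key."""
    client = PinningClient()
    honest = list(ALICE_KNOWN_DEVICES.values())
    first, _ = client.check_directory_response("alice", honest)
    tampered = honest + [b"extra-device-pubkey-placeholder"]  # constructed
    accepted, unknown = client.check_directory_response("alice", tampered)
    return len(first), len(accepted), unknown
```

A genuinely new device of the recipient triggers the same alert, so the user confirms the fingerprint with them out of band before the client pins it.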
Excuse me if this sounds ignorant as I am not a security expert, but isn't there a flaw in using a public key for continuous messaging? Shouldn't public-private key crypto be used only to generate a symmetrical key? The system was originally designed for symmetrical key exchange, no? Does using it this way present some flaw?
I read that a lot of the comments are related to key exchange.<p>Just wanted to mention that there is a possibility of key verification over SMS. An SMS can even be used for a temporary key for encrypting the key transfer.
That sounds great and super secure, but all I wanted was a single line goto statement fixed asap. Took forever and basically made my phone, tablet, personal laptop and gifts I gave for Christmas insecure for a long time.
Much better than I expected, it may not be perfect but it seems like the most secure of the mainstream chat services. I would love to also have seen forward security but that's asking for quite a bit.
This is great security for what it is. Probably enough to keep you 98% secure.<p>Which is still exactly 0% secure as far as I'm concerned.<p>All in all though - in general - I'll be more than happy to continue using iMessage and feel at peace. As a general rule, however, never send anything electronically that may screw you over later.