Yeah, she’s grown used to, but not fond of, me installing buggy alpha or beta software on her phone. The promise of non potato quality pictures from her family was going to be the selling point :/
A summary of what I think is the primary issue with iMessage security that most people can easily understand (I’ve quoted this from another commenter, this is in the article):
iMessage uses RSA instead of Diffie-Hellman. This means there is no forward secrecy. If the endpoint is compromised at any point, it allows the adversary who has
a) been collecting messages in transit from the backbone,
or
b) in cases where clients talk to server over forward secret connection, who has been collecting messages from the IM server
to retroactively decrypt all messages encrypted with the corresponding RSA private key. With iMessage the RSA key lasts practically forever, so one key can decrypt years worth of communication.
I’ve often heard people say “you’re wrong, iMessage uses unique per-message key and AES which is unbreakable!” Both of these are true, but the unique AES-key is delivered right next to the message, encrypted with the public RSA-key. It’s like transport of safe where the key to that safe sits in a glass box that’s strapped against the safe.
**BearOfATime Comment: **This lack of Forward Secrecy alone is enough to say iMessage is nowhere as secure as we’ve been lead to believe. The delivery of the AES key with the AES-encrypted message but the package encrypted with RSA that virtually never changes is so blindingly flawed. This setup makes the AES encryption pointless, if you’re going to package the key with it. Because once the RSA is broken/acquired, they have the AES key for the message (and ALL messages)!
The concern over the RSA key length is a bit premature, I’d say it’s more of a future concern that Apple is probably working on.
The other issues (unchanging identifiers, for example) are a valid concern. Something I’ve seen other apps take into consideration (Signal, Briar, SimpleX Chat).
The dev has always been pretty open. The published a self-hostable version of Beeper Cloud on github, and the dev published some docs on how iMessage works, how their implementation of ANP works, etc. Like detailed docs that are frankly above my pay grade.
I’ve been using it for a few days and was going to put it on my wife’s phone tonight. Maybe the next one won’t be so well publicized.
Whoa. That is way too short of a trial for migrating something new to the wifephone.
Don’t forget to cancel your subscription!
Yeah, she’s grown used to, but not fond of, me installing buggy alpha or beta software on her phone. The promise of non potato quality pictures from her family was going to be the selling point :/
I tried it yesterday, it still has some growing pains (had some trouble getting it to connect).
Going to keep watching though, for a new app it looks pretty good, fluid, well designed from a UI standpoint.
Given the dev was able to reverse-engineer Apple’s ANP (equivalent to Google’s GCM), build an app, backend, etc, it should be fun to watch.
It’s also generating a conversation around the misperception of iMessage being perfectly secure, and how SMS downgrades iMessage to not secure at all.
Hacker News story about the lack of Forward Secrecy and other concerns: https://news.ycombinator.com/item?id=38537444
A summary of what I think is the primary issue with iMessage security that most people can easily understand (I’ve quoted this from another commenter, this is in the article):
**BearOfATime Comment: **This lack of Forward Secrecy alone is enough to say iMessage is nowhere as secure as we’ve been lead to believe. The delivery of the AES key with the AES-encrypted message but the package encrypted with RSA that virtually never changes is so blindingly flawed. This setup makes the AES encryption pointless, if you’re going to package the key with it. Because once the RSA is broken/acquired, they have the AES key for the message (and ALL messages)!
The concern over the RSA key length is a bit premature, I’d say it’s more of a future concern that Apple is probably working on.
The other issues (unchanging identifiers, for example) are a valid concern. Something I’ve seen other apps take into consideration (Signal, Briar, SimpleX Chat).
If they don’t publicize, they won’t make any money.
The dev has always been pretty open. The published a self-hostable version of Beeper Cloud on github, and the dev published some docs on how iMessage works, how their implementation of ANP works, etc. Like detailed docs that are frankly above my pay grade.
The iptv guys seem to do alright and they stay out of the limelight.