You had me at "public key"
Apple accused over 'secure' iMessage encryption
A security researcher has suggested that Apple's claim that its iMessage app is spook-proof and secure does not stand up to scrutiny. Cyril Cattiaux, who works at the research firm QuarksLab, made his claims during a speech to the Hack in the Box conference, which were quoted by PC World – the tech news site, rather than the …
-
-
Monday 21st October 2013 15:01 GMT Anonymous Coward
> for a much more complete and accurate story see
Hmm... I fail to see how the story on that link was "much more complete and accurate" than this one. They repeat essentially the same content.
On the other hand, if you think El Reg's comments section is full of cluelessness, you only have to head over to that site to see how much worse things could be. :-(
-
Monday 21st October 2013 16:20 GMT JohnG
"Apple accused and apple responded..."
Apple implied that interception would require a redesign of their iMessage system, where they actually only need to send updated certificates. They then said "they had no plans to do this", which is not the same as "this is not possible". Their plans could be changed by a court order.
-
-
Monday 21st October 2013 12:53 GMT andreas koch
Whatever . . .
it's iMessage. Where's the need for HQ encryption? To make sure that Tracy doesn't find out that Sharon has told Lauren that she's given Trevor Chlamydia and that she should go and pick up another dose of Doxycycline for herself and her other boyfriends [imagine randomly intersecting Venn diagram here]?
Her older sister will spread the news to her mates in year 8 in school anyway . . .
-
Monday 21st October 2013 15:21 GMT andreas koch
Re: Whatever . . .
All the downvoters use iMessage now because they found out during the London Riots that BBMessenger wasn't all that secure and that JD Sports suddenly wanted those Nikes back.
Won't be different with Apple. Be careful!
-
-
-
Monday 21st October 2013 16:04 GMT David Walker
Wow non-news
Every software company producing software that requires admin privileges to install and uses cloud services can potentially create opportunities for man-in-the-middle attacks. Even the suggestion of local public keys isn't an answer. These can be compromised since the overall system/application architecture is controlled by Apple, MS, Adobe etc - and with sufficient political and legal pressure these companies can be made to implement measures. ISPs can be compelled to keep logs of transmissions (with or without knowledge of content) at any time. I don't trust any company that says its cipher solution is completely secure. Lastly, current SSL implementations may already be broken - in that event cooperation of Apple et al is superfluous. The real issue here is not Apple's ability or not to access iMessage; it is the complete intrusion of governments in the secure free exchange of ideas - all under the premise of public "safety". Russia created the KGB almost 70 years ago to spy on "subversives" but ran out of money - the US just found a cheaper way to implement those policies.
-
Monday 21st October 2013 17:49 GMT chris lively
The NSA can force a company to categorically state they are NOT supplying data to the government, even when they absolutely are. In order to comply with such orders a company not only can say that no one can snoop on their security but is essentially forced to make those statements.
Apple itself could very well be telling the truth that they have not developed plans to snoop, while letting the NSA develop those plans for them.
Point is: you can't trust any statements about the security of data made by any company doing business in the US. Instead, you just have to assume that whatever you send is being monitored and stored for future reference. The only real question is whether non-state actors can get to it.
-
Monday 21st October 2013 18:55 GMT Peter 39
too harsh
> The NSA can force a company to categorically state they are NOT supplying data to the government, even when they absolutely are.
Not true.
> Point is: you can't trust any statements about the security of data made by any company doing business in the US.
Again, not true. Companies might not be able to tell you the whole truth. But they cannot be compelled to tell lies.
> Instead, you just have to assume that whatever you send is being monitored and stored for future reference.
Goes for GCHQ too, I might add. And, it's just good security practice.
-
-
Tuesday 22nd October 2013 01:19 GMT Anonymous Coward
The real point here...
The real point is that (yet again) yet another company (that should know better) is claiming that their products are secure when the law (let alone its secret amendments) clearly states that all customer data transmitted by it is open to whoever successfully claims they have the power to demand it.
IOW, that they are lying, because once the data is transferred over compromised systems (such as those run by so many Government agencies), let alone cross-referenced, indexed and filtered, if it is of any value anywhere, it may as well be considered public.