Do note "readily available to consumers". XMPP never reached a level of polish outside being embedded in part-proprietary solutions that it'd be available to your average user, not to even talk about OTR.
You are arguing that a $600+ phone for yourself and all your friends is more "readily available to consumers" than a $0 downloadable open source open standard software with multiple clients available? Two-thirds of the world population live on less than $10 a day. You are living in quite the bubble. XMPP is way more "readily available to consumers" on world average.
I’m not sure I’m understanding you. Are you arguing that more ordinary consumers have and are using XMPP than are using iPhones, or are you arguing that in theory they could and therefore.... something. I’m just wondering what proportion of those people on $10 a day are happy XMPP users.
There’s a serious point here. Highly technical, bare bones infrastructure componentry like this isn’t actually free to use. It requires that the user have an extensive set of incredibly valuable skills that are very expensive to acquire. In fact I’d argue the skills needed to understand and effectively use a solution like this from scratch, including setting up and running a server, cost a heck of a lot more than $600. That’s aside from the opportunity cost of learning all that, and setting up and running a server.
Maybe in direct comparison to iMessage and considering only economic factors of "availability". Ease of use and how easily your contacts adapt a messenger are far more important factors to your average consumer. If you really want to argue economics, it's hard to argue with any of the other free messengers (Signal, Telegram, WhatsApp, etc.) over XMPP.
Gtalk was polished enough. It didn't have OTR built in, but majority of users don't really need end to end encryption anyway, it only makes their life not good.
Also, iMessage never reached a level of polish to work on anything not produced by Apple. If we're taking proprietary vendor specific secure services, Blackberry did it before Apple, too. So, definitely not the first and not the only.
E2E encryption is mostly for people whose lives are already not good. It only works to help those people, though, if enough “civilian” traffic is also using it that any ISP blocking it would be considered to be breaking the Internet.
BBM was not E2E encrypted. BlackBerry always retained the capability to read your message traffic. Apple does not.
Well, I'm not _that_ familiar with BBM since it was never available in my country.
But what makes you think Apple can't read your messages? Do you have any encryption keys that you share between devices? Or you just enter login/password on a new device and voilà all your messages are displayed to you? If that is so, I guess I'll have to tell you something...
Anyway. Last time I checked, iMessage apps source code was not available, you can't verify fingerprints of your contacts in iMessage, so... how do you know Apple doesn't insert a very simple MitM agent that does e2ee both for your and your chat partner, having all messages nicely decrypted in the middle?
So far it looks like the only thing that makes you think Apple can't do that is because they pinky promised this to you. Sorry.
> Do you have any encryption keys that you share between devices? Or you just enter login/password on a new device and voilà all your messages are displayed to you?
You should really look more into the iMessage encryption scheme before attempting to fear-monger about it. The approach it uses to multi-device encryption is well known[1][2], and is basically its entire innovation over other clients—an approach that every other piece of E2E-encrypted chat software has been encouraged heavily to copy, but for some reason none yet have. (WhatsApp specifically is often ridiculed for its requirement to route all your messages through a "primary device", which feels like going back in time after experiencing iMessage's approach.)
To save you the trouble of looking it up: you don't "log into iMessage." There's no such thing as a central "iMessage account." Instead, in iMessage, your devices synchronize state with one-another by participating in an ad-hoc group based on a shared "key bag" of all your devices' private iMessage signing keys.
When you get a new device and want to join it to this existing group, it sends out a signed request on an announce channel corresponding to your iCloud identity, requesting that another device in the group "invite" it to the group. From the user's perspective, this appears as their new device telling them that the iMessage sign-on needs to be confirmed on an existing device; and a modal popping up on all their existing devices, asking whether they want to accept the new device's join request.
If the user confirms the join request, then the existing device the user confirmed on will take its own iMessage keybag, encrypt it with the new device's public key, and send it to the new device. This will then allow the new device to securely "introduce itself" to the rest of the group.
Throughout this process, no key material ever travels unencrypted through Apple's servers. Apple can't recover your iMessage keys; nor are Apple's servers an implicit "participant" of your iMessage sync group. iMessage's cloud backend is, during this pairing process, just a dumb message-queue system between your client devices, one that sees only opaque encrypted messages.
(Note that this also means that it's totally possible to get "locked out of" your iMessage sync-group if you lose access to all your existing devices. This is usually fine, because 1. iMessage clients won't sync history from before a new device joined the group with that new device, so you're not losing access to anything you had any potential to recover anyway; and 2. you can make a new sync-group under an existing iCloud identity/phone number/IMEI/etc., because none of those visible identifiers are the primary key of the sync-group. The sync group has no primary key. It's not a central "entity" with an identifier. It's a mesh, that happens to be reachable through identifiers it registers to—sort of like softphone apps registering a DID number. But those actively-registered aliases aren't a means of security, nor recovery.)
> Last time I checked, iMessage apps source code was not available
People interested in messaging security don't tend to trust source code even if it is available. Unless the build process is deterministic and replicable by the researcher themselves—to produce exactly the artifact distributed by the store—then who knows what of the published source actually makes it into the published binary, and/or what-all else ends up in there as well. (Would you trust Chrome [the binary] just because Chromium is open-source? Would you trust macOS [the binary distribution] just because the XNU kernel and BSD userland are open-source?)
Instead, security researchers dump packet captures and analyze them.
And, in this case, those packet dumps reveal that iMessage does... exactly what is stated above.
Ok it's a good wall of text. Apple does copy keys from one device to another. Let's trust (again) that they absolutely have no mechanism to intercept your password and do whatever they want with your data.
Just a simple question. How do you know that when you connect to me over iMessage using state-of-the-art / end-to-end-encryption / made-from-carbon-free-alumeenium (sorry for that one), there is no man in the middle?
With this architecture without visible fingerprints, installing a MitM proxy that would relay data between two separate e2ee chats is not a problem at all:
You <-- e2ee chat --> MitM proxy <-- e2ee chat --> Me
UPD: ok, I get it that you downvoters don't have an answer to simple question and are just disturbed about the fact that security that was promised to you turned out to be just a security theater.
> Apple does copy keys from one device to another.
No, iMessage does that. That's no more "Apple" doing that, than the functioning of a copy of gpg that you installed from Ubuntu's apt repo would be the GNU Foundation or Canonical Inc. "doing that." The client is in ultimate control. Someone wrote that program, but now you have it, and you get to say what it does or doesn't do (if by nothing else than by choosing whether to run it.) The iMessage servers can't make the client do something that's not part of its executable.
You downloaded, and now have, the software—a collection of bits with a fixed function—on your device. You can do what you like to verify those bits, and then either trust them, or not; but either way they're not going to suddenly change out from under you without your consent (which you might supply implicitly by turning on auto-update, but you don't have to do that either.)
When entities like the US Navy use cryptosystems like Tor, they're not blindly installing it from the web, trusting the theoretical guarantees it makes; they're ensuring security in practice by isolating a specific version-under-test, static- and runtime-analyzing the binary to ensure it meets their needs, and then declaring that exact binary good and trustworthy, and giving operatives simple tools to acquire and validate that exact binary.
If you're paranoid, you do nothing less. But nothing about getting iMessage as part of your iPhone's OS stops you from doing any of that. You just take apart the IPSW it ships in, and throw it iMessage.ipa into Ghidra. Once you've verified it, you can say "the version of iMessage that ships in iOS with hash 0xXYZ, is known-good, and can be used for low-security comms."
> Let's trust (again) that they absolutely have no mechanism to intercept your password and do whatever they want with your data.
No, let's trust-but-verify that the binaries are E2E-encrypting the key-sharing process. Then there cannot be a man in the middle.
Also, as I said previously, you never "log into" iMessage, and so you don't have an iMessage "password" per se. iMessage uses your iCloud username to discover the device-group to attempt to join, but it doesn't use your iCloud account to authenticate to that group in any way. Instead, you're basically doing a https://en.wikipedia.org/wiki/Key_signing_party with yourself, manually pairing your devices with each-other through challenge-response. (This turns out to actually be a convenient kind of key-signing party—and so probably the only time key-signing parties are relevant in practice.)
In the design of the iMessage key-sharing process, the iMessage servers could be replaced with an ephemeral channel on a public IRC server, and the semantics—including the security guarantees—would remain the same. The servers only see—and pass along—opaque, encrypted blobs.
> How do you know that when you connect to me over iMessage using state-of-the-art / end-to-end-encryption / made-from-carbon-free-alumeenium (sorry for that one), there is no man in the middle?
You're moving the goalposts; intra-account multi-device key sharing, and inter-account key exchange, are separate concerns.
What you are asking about is the Fundamental Problem of Key Exchange. And the answers are as they have always been: you either do a key-signing party; or you choose a Central Authority to trust to act as a directory mapping identities to public keys (and then maybe use that key to do a challenge-response identification process with out-of-band signaling elements.)
iMessage solves key sharing better than other messaging services. Nothing[1] really "solves" key exchange any better than anything else.
[1] Except maybe Keybase, but Keybase's unique shape—an identity-aggregating service—is a necessary element of that solution. No chat service can do what Keybase does without getting into the business that Keybase is in.
Actually, I'm not. See the post above, you claimed "BlackBerry always retained the capability to read your message traffic. Apple does not." [1], and I was responding to just that: Apple can read your message traffic. You yourself have proved it in the above reply: iMessage neither allows key-signing (nor even key verification, I must add!), and the Central Authority iMessage users have to trust are Apple themselves. It also has supreme control over all updates that are shipped to your phone, so even if someone does decompile and verify his build of iMessage, it doesn't mean that the targeted user was shipped the same version at all. So let's agree to put to rest your claim that Apple can't read your messages, OK? (note, I don't claim that it does, just that it can)
Now, being NOT paranoid, I'm actually not angry at it, not in the slightest. The downsides of a real privacy and security have a very serious and negative impact on user experience, so for most users the simple capability to sync all their messages from a central server (like Telegram does, "the most secure messenger", hahaha) far outweighs the dangers of being spied upon.
What irks me is the sheepish trust that people place on people who promise them "don't worry, you are super safe, without any downsides of real security, and people buy into it. The prime offender, of course, is Telegram, where users rarely, if ever, use the "Secret chats", but still think that they have the most protected messenger. Not concerning themselves that the features they like most (capability to access from the web, instant sync of messages on any device) comes from it being the least protected of any major messenger.
When you control your own server you kinda don't really need end to end encryption. It only enhances security when you don't trust the entity delivering your messages. It also degrades UX considerably: if the server does not know the contents of your message, it can't do server side archive search, you can't sync devices easily, etc.
> Apple seems to handle this pretty easily with great UX.
Sigh. This again. Ok.
If have end-to-end encryption, you can't read messages on newly connected devices, unless you somehow pass encryption keys to your new device.
If you do not pass keys between devices, and can still read messages sent from other devices, you do not have end-to-end encryption.
If the only thing you put into device when connecting is your login/password, then even if Apple does retrieve keys from your device and passes it to new device, it can pass it to themselves and gain access to your super confidential messages.
So, no, Apple does not handle this pretty easily.
Source: our product has _real_ end-to-end encryption, and it gives the users a rather big amount of discomfort. If you are told you have really secure messenger, but you do not enter anything but your login/password, well, I've got bad news for you.
> Which is kind of the point of all these services.
If your point is privacy, and you really care about it, just run your own communication server for $2/month. You have all the niceties of server side search and device sync, and none of the pain in the ass that is brought by E2EE. And if your privacy isn't worth $2/month, then you probably don't need E2EE either.
According to docs and endless reporting on iMessage, the messages are end-to-end encrypted in transit. In addition to that, they are stored (optional) in your iCloud account, using a separate key, itself stored in iCloud Keychain (protected by 2FA), and this is how you recover them on a separate device. If you opt-out from iCloud backup the messages are not recoverable, can also set them to be erased after 30 days.
> it can pass it to themselves and gain access to your super confidential messages
They can also send your PIN, private keys, all logins and passwords to their own servers, or simply log chats from the system keyboard and UI or any of the OS layers they control. The same is true for any app running on iOS/Android. If you don't trust the OS there is no working around it in software.
> According to docs and endless reporting on iMessage, the messages are end-to-end encrypted in transit.
According to my rather brief examination of iMessage, you can't verify key fingerprints in iMessage. It means that Apple can install MitM on a probed subject any second, and you would never know that it is there. See:
You <-- end-to-end-encryption --> Apple MitM <-- end-to-end-encryption --> Your buddy
You have _zero_ control over it, and the only thing keeping your secure and private is Apple's pinky promise.
> The same is true for any app running on iOS/Android.
Umm, no. There are such things as open source, verifiable builds, and, yes, decentralized messaging protocols. You can take an open source client (for example, from a reputable source like F-droid), and connect to a server totally unrelated to client developer. You can run an encryption protocol where you can actually exchange public keys, verify your keys fingerprints, and confirm the identity of your chat partner. That's what people really concerned with privacy and security do. Others are satisfied with a promise that sounds good enough.
> the only thing keeping your secure and private is Apple's pinky promise
Indeed, that's what I meant in the last paragraph. It also means an open source, verified client, with fully secure encryption, is still powerless against the OS capturing keystrokes. You have to rely on that pinky promise either way unless you control the hardware.
That's true, that's why people who are _really_ paranoid buy special purged phones and flash their own builds of an OS. A friend of mine had a rather successful business selling people such phones.
Changing the goal posts? It was about usability of sync/search, now that's addressed, you've brought up the paranoid case of Apple registering an additional device (which only affects messages from on, forward, not the past, mind you, and it is an active attack that can possibly leave a trace if the sending party is looking at the traffic it originates). Sure there are challenges, and the whole point of designing a secure system is to balance various aspects of the system including usability and even politics so that in practice you maximize security for everyone. Apple's choice seems to have been a good one, and it deserves credit for bringing this much security to the masses at precisely zero cognitive burden to the user. Compare it to email, or other popular chat services, for example.
But yea, it is correct that you can always prove something cannot be done once you tighten up some mutually exclusive constraints. Question is how much it maps the real world and whether some cannot be loosened.
Where do you see changing goalposts? First, I started from the obvious truth that apple wasn't the first service that advertised itself as 'secure'. Then I addressed the popular technofetish about the e2ee: people kinda like to feel secure, but are rarely ready to accept all strings that come attached to real security & privacy.
You see, e2ee is only practical against the service provider that you have reasons not to trust. But if you don't trust Apple, then you should not trust it all the way to the bottom: and at the bottom we see that iMessage apps give a user zero control over said e2ee. You don't really know who decides your messages on another end: your chat partner or MitM proxy.
If you trust Apple that they do not have such proxy, you might as well trust them to not snoop on your chats and store them unencrypted on Apple's servers, saving you from a lot of problem worrying about your keys, devices, etc.
> Then I addressed the popular technofetish about the e2ee: people kinda like to feel secure, but are rarely ready to accept all strings that come attached to real security & privacy.
Yea, but most people don't think about security in terms of black and white, and neither should they. There is no such thing as "real security & privacy" and it's completely disingenuous to suggest that you've found it when it involves trusting you or your company as a third party in placement of, say, Apple.
> If you trust Apple that they do not have such proxy, you might as well trust them to not snoop on your chats and store them unencrypted on Apple's servers, saving you from a lot of problem worrying about your keys, devices, etc.
As a universal statement, this is far too simplistic of a comment about a system's security and trust. Security without a notion of threat model is quite irrelevant. There's quite a large spectrum between trusting Apple with respect to the binary they serve me not being actively malicious and by-and-large does what it says it does; that they are not actively presenting someone else's key to my chat parties, vs. trusting them with my unencrypted data on their servers. At the very least, the latter would not be safe under subpoena, or data leak, or a rouge employee, for instance. Plus, in practice, if they present a malicious binary to everyone or substitute keys, someone likely notices at Apple scale. If I am that interesting of a target for them that they decide to target me specifically, I have bigger worries, as I am trusting the OS and hardware anyway (and still, there's hopefully some level of forward secrecy). In fact, to me, and to vast majority of people, a random exploit in their OS or physical theft of the phone carries a higher risk than Apple directly attacking them.
So, no, I fully reject that iMessage security is substantially equivalent to say, "Facebook Messenger" (even if run by Apple). I posit the delta is almost as much as HTTPS with Let's Encrypt cert compared to plain HTTP. And yes, there are no doubt use-cases that iMessage is ill-suited for; doesn't mean we should just give up on it for the other 99%.
>It only enhances security when you don't trust the entity delivering your messages
Trust in entities is fleeting. You trust an entity today, you might not trust it tomorrow. End-to-end encryption, in contrast, is not fleeting, as long as you trust math.
XMPP servers are really good these days, you know. And, I repeat, if you run your own server, you don't really need e2ee, cause the only one who can access the DB with your messages is a server operator - yourself, i this case, and why would you protect you from yourself?
Also, if you are concerned about privacy, chances are, you are not a private individual and have specially trained people to install that server for you.
Then again, even if you DO need encryption to transmit a critical password or something, well, XMPP clients developers know their business (at least, some of them do), so it is unlikely that you'd be able to screw up something.
> And, I repeat, if you run your own server, you don't really need e2ee, cause the only one who can access the DB with your messages is a server operator - yourself, i this case, and why would you protect you from yourself?
The typical idea is being concerned that a state will physically seize your server—you know, real security and privacy concerns.
> Also, if you are concerned about privacy, chances are, you are not a private individual and have specially trained people to install that server for you.
Is this not ultimtely what iMessages is to people?
If you want real security, you minimize externalized trust. By running your own server you do not have to trust anyone but yourself. And if the server is your own, you don't even need e2ee because in the threat model against which e2ee is helpful the offender is server operator. Replace server operator with yourself, and you remove the need for e2ee.
Of course, if you want a cozy sense of being secure, instead of real security, you say, 'I use end-to-end encryption which I was told makes reading my messages impossible'. With iMessages you can't really verify if your messages are not being sniffed (unlike Signal, or XMPP, I must add), and we now have proven Apple DOES have a potential way to read your messages if they really want it. But you TRUST them not to read your messages. So why bother with E2EE at all, if you already trust them not to spy on you?
(Also, how come people who religiously insist on using an always-on E2EE for their chats are totally fine with Gmail which stores every mail totally unencrypted?)
There is no such thing as “real security”, only varying degrees of protection from a specific threat model. You’ve clearly gained a lot of confidence thinking about this specific threat model while neglecting a more general and useful way to engage in discussion about threat models.
Among other things, you don’t write all the software that goes on your computer, let alone build the hardware yourself, so you’re not “really” secure at all. And because you do claim “real security”, I can’t square your statements with any threat model I can imagine.
> XMPP servers are really good these days, you know.
I definitely would trust Apple more than a random "XMPP servers are really good these days you don't need e2e when you run your own" random commenter on the Internet.
Yup, apparently I should blindly trust you, a person who didn't even bother to read about iMessage architecture [1] even when it was spelled out for him. But yeah, tell me more how your own server is better.
