by modeless 2274 days ago
Most people use iCloud backup. Even if you don't, your messages are still sent to Apple by the recipient. And Apple prohibits third party backup services.

> Apple does not have the ability to read your messages.

iCloud backup is an Apple service and it has the ability to read most of your messages even if you don't use it, which makes this statement categorically false.

This is completely ridiculous. iMessage is encrypted by my device and remains encrypted until it gets to the recipient device. That is what end-to-end encryption means.

That I may have given Apple my private key through a different message in no way affects that end-to-end encryption, because it is trivial to decide not to give Apple that key.

iCloud isn't some separate entity from iMessage. It's all Apple. And you have no option to use a different cloud backup provider.

You can decide not to give your keys to Apple, but you can't decide for all your friends to not give their keys to Apple, and the result is the same: Apple can read your messages.

And the marketing is so misleading that hardly anyone knows that Apple can read most iMessages.

Sorry, let's be explicit here, as you seem intent on muddying the issue. Where, other than the endpoints, is the message decrypted when people use iMessage? Your succinct answer to that will clear this up for everyone.

On GCBD's servers in China. Possibly on Apple's servers in the US if they are running a wiretap. Due to the way key distribution works for iMessage, it is trivial for Apple and GCBD to do so.

https://news.ycombinator.com/item?id=22755903

Your message, through several layers of indirection, relies on a security conference paper from 7 years ago[0] + the assumption that Apple haven't updated the protocol in those 7 years.

[0] https://blog.quarkslab.com/imessage-privacy.html

No, my message relies on the fact that people have been looking at iMessage for years, and nobody, least of all Apple, has said that the implementation changed in any way to prevent Apple from viewing the messages.

Here is another article from 2016, which shows that Apple patched iMessage to prevent attackers who don't have access to Apple's servers from reading the messages but still kept the ability to read the messages themselves. https://blog.cryptographyengineering.com/category/imessage/

Apple was aware that people knew it could decrypt iMessage messages this entire time, but Apple made no changes that would fix that. That should give you some idea of whether Apple intends to ever fix that.

Apple can, of course, do whatever it likes, up to simply recording the screen and sending that to weird & wonderful government agencies. Like almost everything in mainstream security, it comes down to who you trust. It doesn't mean it isn't E2E though.

> It doesn't mean it isn't E2E though.

E2E encryption simply means that messages are only decrypted at the endpoints. That certainly isn't true of iMessage in China, and it might not even be true for some users in the US — we have no way of knowing because the protocol makes no guarantee against it.

I have linked it several times in this thread. Here it is again:

"If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices."

https://support.apple.com/en-us/HT202303

Sorry, and where exactly outside the endpoints are the messages being decrypted?

Only Apple can know exactly when or where or how often they decrypt people's messages from their backups, because once they have the keys they have the means to do it at any place and time, for any reason, without anyone's knowledge or consent.

What we know is that they can and do decrypt iMessages from iCloud backups in response to law enforcement requests[1]. This proves that they hold the keys, if their own support pages weren't enough evidence for you.

[1] https://www.reuters.com/article/us-apple-fbi-icloud-exclusiv...

Got any sources for that? Sounds a lot like FUD.

"If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices."

https://support.apple.com/en-us/HT202303

Sarcasm critique: I think a quote would make it clearer:

> > iCloud isn't some separate entity from iMessage. It's all Apple.

> Got any sources for that? Sounds a lot like FUD.

Not sarcasm. Sources please.

Let's not use sarcasm or sources..... Let's puzzle it out.

You don't use a password to encrypt your iCloud backups... They're specific to the hardware you're backing up. If you have an itouch for example its backups are separate from your phone.

So now you have these backups in the cloud and you lose your iPhone, you remote wipe it.

Now your new one arrives and you restore from backup... Your iMessage private keys are available to Apple unencrypted .... Because you didn't need to provide a second factor of authentication for unlocking the backup you were just asked which one to use.

Apple and any reputable nation-state can read your iMessages with a subpoena ... If you use iCloud backups and not local backups with a password.