Hacker News new | ask | show | jobs
by modeless 2274 days ago
> That is true of any end-to-end solution.

Utterly false. Real end-to-end encryption would encrypt the backup with a key that is not available to the backup service (e.g. derived from a passphrase not sent to the server).

Of course this system has better usability, which is why Apple does it. But it's still a farce to call a system where Apple has the ability to decrypt the majority of messages "end-to-end" encrypted. The fact that it's through the backup servers instead of the iMessage servers makes no difference.

What's more, it's possible to do better without sacrificing usability. For several years Android has been end-to-end encrypting backups using the user's lock screen passcode, with protection against brute force attacks provided by hardware secure elements. https://security.googleblog.com/2018/10/google-and-android-h...
1 comments
Dylan16807 2274 days ago
> The fact that it's through the backup servers instead of the iMessage servers makes no difference.

It makes a big difference. If I print out the texts I receive, it doesn't change whether the texting program is end-to-end encrypted. The same goes for backups. An unencrypted system-level backup doesn't mean that the program being backed up is failing at security.

It's bad that Apple doesn't let you encrypt your backups properly, but it's a separate issue.

link
modeless 2274 days ago
What if the texting program has a built in feature to print the texts you receive and mail a copy to the company that wrote the program, and it nags you to enable this feature all the time, and most of your friends have it enabled? Because that's a lot closer to the scenario here.

> An unencrypted system-level backup doesn't mean that the program being backed up is failing at security.

iOS programs can choose how their data is backed up. iMessage isn't just getting its data stolen by iCloud accidentally. These backups are a feature of iMessage as much as iCloud. And besides, iCloud is made by the same company, it's not a separate entity.

link
Dylan16807 2274 days ago
iMessage itself bugs you to enable backups?

> iOS programs choose how their data is backed up.

Well desktop apps don't. Would you say that no desktop app that saves its key can ever qualify as end-to-end encrypted?

> And besides, iCloud is made by the same company, it's not a separate entity.

I'm not convinced that's relevant to whether the encryption is end-to-end or not.

link
modeless 2274 days ago
> Would you say that no desktop app that saves its key can ever qualify as end-to-end encrypted?

I would say that no app can qualify as end-to-end encrypted if a large fraction of users send their data to the maker of the app in a form that can be decrypted by the maker of the app, regardless of the reason.

link
Dylan16807 2274 days ago
If iMessage was made by a third party and worked exactly the same then you'd have no objection to calling it end-to-end encrypted?
link
modeless 2274 days ago
No. This is a necessary condition for being end-to-end encrypted, not a sufficient one. But iMessage doesn't meet it.
link