by upofadown 2271 days ago
Perhaps as that was based on random internet comments. FaceTime still ends up at level 2 with Zoom and the rest because Apple can MITM the traffic without much trouble. There is no provision for the user to prevent/detect a MITM attack in FaceTime or iMessage.

So you’re saying there should be a three-level consumer standard where the third level excludes any possible consumer product? Please don’t pretend that Apple and Zoom’s approaches are equivalent here. There is a substantial difference that deserves to be acknowledged. Anyone whose threat model includes Apple subverting their own security architecture shouldn’t be using any communication platforms.
There is nothing wrong with allowing a consumer to verify that they are talking to who they think they are talking to. Is Signal a consumer product?

Zoom specifically states that they do not have access to session keys. Apple doesn't even make such a statement.

What prevents Signal from MITMing their app?
The way everyone else does it. The user can verify the key fingerprint. Signal calls it the safety number.
Why couldn’t they just change the client code to exfiltrate the user’s data?