by shockeychap 1867 days ago
Apple has always bragged about iMessage content being end-to-end encrypted, and thus inaccessible even to Apple. Why aren't they doing the same with email and other files, like other providers? (ProtonMail, to name one example)
4 comments

modeless wrote here in Feb, 2021 (https://news.ycombinator.com/item?id=25778758) :

> It's also important to realize that the backup includes your encrypted iMessage messages, and the key required to decrypt them. Meaning that if you have backups enabled, all the "end-to-end" encryption in iMessage is defeated. Apple and by extension the FBI can read your messages. This is documented by Apple here: https://support.apple.com/en-us/HT202303

> Even if you disable backups, whenever you correspond with someone that has backups enabled those messages are still accessible to Apple.

[EDIT: I misread]

> Even if you disable backups, whenever you correspond with someone that has backups enabled those messages are still accessible to Apple.

That last bit is not true. From Apple’s security PDF:

> When Messages in iCloud is enabled, iMessage, Business Chat, text (SMS), and MMS messages are removed from the user’s existing iCloud Backup and are instead stored in an end-to-end encrypted CloudKit container for Messages. The user’s iCloud Backup retains a key to that container. If the user later disables iCloud Backup, that container’s key is rolled, the new key is stored only in iCloud Keychain (inaccessible to Apple and any third parties), and new data written to the container can’t be decrypted with the old container key.

https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/app...

The quoted parent says that if Adam sends a message to Bob, and Adam has backups off, but Bob has backups on, that Bob's copy of the message Adam sent is accessible to authorities.
I see! I misread.
Bob is one end of end-to-end.
It’s worth noting that if you use iMessage for macOS, all of your messages are stored unencrypted, in plain text, on your computer HD.
I'd guess most macOS systems (laptops) have encrypted hard drives.
Yes, however if you use a company computer, those are typically logged by monitoring software and archived elsewhere.
That protects you in the case of physical theft but not from any other program you run exfiltrating the data.
I have long since switched to only doing local encrypted backups, but for some reason it never clicked that of course all of my messages are included in other people's backups. Frustrating that it's E2E with a bunch of caveats.
E2EE only applies to data in transit, not data at rest. Talking via E2EE chat client means only that third parties in between cannot read what you write. It doesn't imply the messages cannot be recovered from your device, or your conversation partner's device, and it definitely does not imply said partner can't just leak them, whether accidentally or on purpose.

I'm not sure how E2EE came to be interpreted as to mean "totally secure against everything".

I think it's the colloquial meaning of "end", as in "be all end all". I'd think something like "full in-transit encryption" or even "phone to phone" would be clearer.
It's also how data collection still works if you personally 'block' it but communicate with others who don't.

Your messages, phone book, pictures you share with others etc. are still 'readable' on the remote end and thus still get collected. And if you connect the dots when you have a large collections your personal data can be reconstructed from that.

If you have persons A, B, C and D in your phone book, but your phone book is 'secret', it doesn't prevent someone from knowing that you know A to D if those still have you listed.

> Apple has always bragged about iMessage content being end-to-end encrypted, and thus inaccessible even to Apple.

The majority of iPhone users have backups enabled, so Apple can certainly access most iMessages.

And most people using iMessage are using it on iOS with basically zero control over the software it's running.

If Apple wanted to they could make your phone send them whatever they want.

It's end-to-end encryption* with an asterisk, as Apple controls both ends.

It is technically impossible to end-to-end encrypt email.
Not technically. You'd just have to apply encryption at a higher level

Send email bodies encrypted to base64 along with a public key fingerprint, then receiver's client would decrypt if it had the private key for that fingerprint

But this isn't compelling enough to get a network effect to topple in-browser gmail

Common misconception. The three letter agencies do not really need to know the contents of your email body. They're much more interested in to/from, timestamps, and subject. Establishing that you communicate with a person and then getting their emails is much easier than playing with your encrypted email body.
I think this is a common misconception of its own. The three letter agencies would love to be able to see the content of messages. But the code makers have run so far ahead of the code breakers that this is effectively impossible. So they settle for only meta information and tell the people that are funding them that this is now sufficient for them to continue to do their job.
What is this based on? How do you know their capabilities?

Per published reports, they (and others) have exploits for many things, including many cryptography implementations.

Exactly right. The American government considers associations inferred from this "metadata" to be sufficient evidence to execute people via drone.
Only foreigners and Americans on foreign soil
This is just such an obviously ridiculous statement.
Feel free to elaborate. This is fairly common knowledge if you Google parts of what makes ProtonMail (and others) susceptible to state actors.
You have a misconception yourself, and it shows. It depends on what they're after. If they want to see an individual's email then obviously they need to decrypt the body.
Base64 is an encoding, not encryption. But yes PGP or S/MIME encrypted email would work.
Charitably, they mean take the whole message with headers, encrypt it, and base64 it so you can stick it in a body. Probably still a bad idea.
This could work on top of GMail, with the help of a browser plugin.
People routinely do end to end encryption with email every day using either OpenPGP or S/MIME. Heck, email encryption is where the term "end to end encryption" came from. When someone claims E2EE for some other sort of messaging system they have to at least be as good at it as the email case to be taken seriously.
> People routinely do end to end encryption with email every day using either OpenPGP or S/MIME.

Those solutions encrypt only the content and not the headers, which are just as important. Also, encrypting the content prevents some webmail services from functioning, such as search.

Email can't really be made secure.

> Those solutions encrypt only the content and not the headers, which are just as important.

There are implementations which encrypt the headers, for example Delta Chat, which says[0] in its FAQ:

'Many other e-mail headers, in particular the “Subject” header, are end-to-end-encryption protected, see also this upcoming IETF RFC.'

If you mean that the sender's server and the recipient's server can see the recipient's and sender's (respectively) addresses, then I would say that this is equivalent to most other "end to end encrypted" messaging apps, which usually rely on a trusted third party to connect the two ends.

In fact, I would argue that the situation with email is better, because although Alice and Bob's providers might know that they are communicating with each other, Carol's provider will have no record of this at all (and Alice and Bob may not know that Carol or her provider exists).

The situation with email could be made even better than that, though, since email servers could provide a dedicated "switchboard" address, such that Alice sends her email for Bob as an encrypted inner-message of an email sent to Bob's server's switchboard address. That way Alice's server wouldn't know who the intended recipient was, only their server address. Similarly Alice's server could rewrite the headers of her outer-message so that Bob's server doesn't know that Alice was the original sender. This would effectively implement a type of anonymous remailer.[1]

> encrypting the content prevents some webmail services from functioning, such as search.

You've shifted the goalposts here from "email can't be secure" to "webmail can't be secure". In any case, I disagree. It is possible to implement a client-side full text search[2], even if it means decrypting the index for every search, and re-encrypting the index whenever a new email is added to it.

[0] https://delta.chat/pt/help#how-does-delta-chat-protect-my-me...

[1] https://en.wikipedia.org/wiki/Anonymous_remailer

[2] https://lucaongaro.eu/blog/2019/01/30/minisearch-client-side...
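An added example (not from the thread, and not code from Delta Chat, ProtonMail or any other project named here) showing the scheme discussed above done with a standard: Alice puts the real headers, Subject included, inside an inner message, S/MIME-encrypts the whole thing to Bob's certificate, and the mail servers only ever see the outer envelope. It assumes the `openssl` command-line tool is on PATH; the addresses, the certificate, the fingerprint label and the message text are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes: openssl on PATH.
# Addresses, names and message text below are made up for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Bob (the recipient) generates a key pair and a self-signed certificate.
# In real use the certificate is exchanged out of band or issued by a CA.
make_recipient_key() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=bob@example.org" \
        -keyout "$WORK/bob.key" -out "$WORK/bob.crt" >/dev/null 2>&1
}

# SHA-256 fingerprint of Bob's certificate. Alice labels the ciphertext
# with it so Bob's client can pick the matching private key.
recipient_fingerprint() {
    openssl x509 -in "$WORK/bob.crt" -noout -fingerprint -sha256 \
        | sed 's/^[^=]*=//'
}

# Alice's *inner* message: the real From/To/Subject and the body (constructed).
write_inner_message() {
    cat > "$WORK/inner.eml" <<'EOF'
From: alice@example.org
To: bob@example.org
Subject: Q3 acquisition target (confidential)
Content-Type: text/plain; charset=utf-8

Bob, the board approved the offer. Details on Monday.
EOF
}

# Alice encrypts the entire inner message (headers included) to Bob's
# certificate. openssl smime emits a ready-to-send MIME message; -from/-to/
# -subject set the outer headers that every relay and mailbox provider sees.
encrypt_to_bob() {
    openssl smime -encrypt -aes256 \
        -from alice@example.org -to bob@example.org \
        -subject "Encrypted message (key $(recipient_fingerprint))" \
        -in "$WORK/inner.eml" -out "$WORK/outer.eml" "$WORK/bob.crt"
}

# What the transport can read: only the outer message. Succeeds if the
# confidential Subject line does NOT appear anywhere in it.
transport_cannot_see_subject() {
    ! grep -q "acquisition" "$WORK/outer.eml"
}

# Bob decrypts with his private key; the inner headers come back intact.
decrypt_as_bob() {
    openssl smime -decrypt -in "$WORK/outer.eml" \
        -recip "$WORK/bob.crt" -inkey "$WORK/bob.key" -out "$WORK/decrypted.eml"
}

# Full round trip. Prints "ok" when the Subject was hidden in transit, the
# decrypted message matches the original, and (the caveat from the thread)
# the outer envelope still reveals who is talking to whom.
e2ee_roundtrip() {
    make_recipient_key
    write_inner_message
    encrypt_to_bob
    transport_cannot_see_subject || { echo "subject leaked"; return 1; }
    decrypt_as_bob
    # S/MIME canonicalises line endings to CRLF; strip CR before comparing.
    tr -d '\r' < "$WORK/decrypted.eml" | cmp -s - "$WORK/inner.eml" \
        || { echo "decrypted message differs"; return 1; }
    grep -q '^To: bob@example.org' "$WORK/outer.eml" \
        || { echo "outer To header missing"; return 1; }
    echo ok
}

e2ee_roundtrip
```

Run it and then look at `outer.eml`: the visible headers are the generic ones set with `-from`, `-to` and `-subject` plus a base64 blob, which is exactly the metadata the later comments say PGP and S/MIME cannot hide; the real Subject only reappears in `decrypted.eml` on Bob's side. The same wrapping works for OpenPGP, and the "switchboard" idea above is just this with the outer `To:` pointing at a server-side address instead of Bob.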

This is bad advice, which could be dangerous for some. Look around for what actual security experts recommend: It's not email, and it's specifically to not use email. It's not a debate; it's universal afaik.
The headers are mostly protected with the TLS used for the connections between the server and the clients and other servers. Email is no worse than most things these days and better than many.

* https://articles.59.ca/doku.php?id=em:anonemail

(see my response to the other comment, above; thanks)
Hmmm!? Most people use email via cloud services. I don’t think Eudora is still a thing.
But Thunderbird and Claws and Sylpheed and K-9 and Fairmail are things. There is Mailvelope for webmail.
PGP begs to differ.
Anyone who's worked on the PGP project would be the first to tell you that PGP does not and cannot encrypt the email's metadata (to/from, subject, timestamps, etc).

All PGP does is encrypt the inner message body. All of the metadata that TLAs love to analyze is sent in the clear (at best inside a TLS connection, although the SMTP protocol unfortunately makes it incredibly easy for well-positioned network attackers to downgrade these connections to in the clear).

While not a silver bullet, anonymous remailers can strip out a lot of metadata. Mixmaster remailers can also help against traffic analysis.

While not as popular as they once were, networks of remailers are fairly easy to spin up.

None of this has anything to do with the incorrectness of the assertion that PGP would “beg to differ” that end-to-end encryption of email is impossible. Playing three-card monte with your message is something else entirely.
If you do end to end encryption, you can't persist the mails. So when you log out or clear cache or change browser or email client, your past mails will be lost, which drastically reduces the purpose of mail as a long term thing.
You can persist end to end encrypted mails on the server just fine. The important thing is that the keys for encrypting/decrypting the mails are not stored on the server too.