by bumbledraven 1867 days ago
modeless wrote here in Feb 2021 (https://news.ycombinator.com/item?id=25778758):

> It's also important to realize that the backup includes your encrypted iMessage messages, and the key required to decrypt them. Meaning that if you have backups enabled, all the "end-to-end" encryption in iMessage is defeated. Apple and by extension the FBI can read your messages. This is documented by Apple here: https://support.apple.com/en-us/HT202303

> Even if you disable backups, whenever you correspond with someone that has backups enabled those messages are still accessible to Apple.


[EDIT: I misread]

> Even if you disable backups, whenever you correspond with someone that has backups enabled those messages are still accessible to Apple.

That last bit is not true. From Apple’s security PDF:

> When Messages in iCloud is enabled, iMessage, Business Chat, text (SMS), and MMS messages are removed from the user’s existing iCloud Backup and are instead stored in an end-to-end encrypted CloudKit container for Messages. The user’s iCloud Backup retains a key to that container. If the user later disables iCloud Backup, that container’s key is rolled, the new key is stored only in iCloud Keychain (inaccessible to Apple and any third parties), and new data written to the container can’t be decrypted with the old container key.

https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/app...

The quoted parent says that if Adam sends a message to Bob, and Adam has backups off, but Bob has backups on, that Bob's copy of the message Adam sent is accessible to authorities.
I see! I misread
Bob is one end of end-to-end.
It’s worth noting that if you use iMessage for macOS, all of your messages are stored unencrypted, in plain text, on your computer HD.
I'd guess most macOS systems (laptops) have encrypted hard drives.
Yes, however if you use a company computer, those are typically logged by monitoring software and archived elsewhere.
That protects you in the case of physical theft but not from any other program you run exfiltrating the data.
I have long since switched to only doing local encrypted backups, but for some reason it never clicked that of course all of my messages are included in other people's backups. Frustrating that it's E2E with a bunch of caveats.
E2EE only applies to data in transit, not data at rest. Talking via E2EE chat client means only that third parties in between cannot read what you write. It doesn't imply the messages cannot be recovered from your device, or your conversation partner's device, and it definitely does not imply said partner can't just leak them, whether accidentally or on purpose.

I'm not sure how E2EE came to be interpreted to mean "totally secure against everything".

I think it's the colloquial meaning of "end", as in "be all end all". I'd think something like "full in-transit encryption" or even "phone to phone" would be clearer.
It's also how data collection still works if you personally 'block' it but communicate with others who don't.

Your messages, phone book, pictures you share with others etc. are still 'readable' on the remote end and thus still get collected. And if you connect the dots when you have a large collection, your personal data can be reconstructed from that.

If you have persons A, B, C and D in your phone book, but your phone book is 'secret', it doesn't prevent someone from knowing that you know A to D if those still have you listed.