by icebraining 5374 days ago
>So people often trumpet BBM as end-to-end secure but if you use Google Mail with your mobile email and set it to TLS only and only send to other Google & Hotmail users then the same is true.

I actually thought they had end-to-end encryption with different keys for every device (PGP-like). That would make them much more secure than that, since the servers wouldn't be able to access the contents.

But I've been reading about it before replying and apparently they use a single key per server, not to mention that if you're not on a private BES, you're using a global key (they call it 'scrambled', not encrypted). What a joke.


Interesting you've found that about BES - link?
EDIT: It's mostly about BIS; BES servers can actually implement end-to-end, if their IT department enables the S/MIME module and creates, distributes and teaches users how to use PKI certificates. But if you're not doing that, you're not really protected.

This[1] document from the Communications Security Establishment of Canada explains it well. Citing:

    PIN-to-PIN transmission security: PIN-to-PIN is not suitable for exchanging 
    sensitive messages. Although PIN-to-PIN messages are encrypted using 
    Triple-DES, the key used is a global cryptographic “key” that is common to 
    every BlackBerry device all over the world. This means any BlackBerry device 
    can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry 
    device, if the messages can be intercepted and the destination PIN spoofed. 
    Further, unfriendly third parties who know the key could potentially use it to 
    decrypt messages captured over the air. Note that the “BlackBerry Solution 
    Security Technical Overview” document published by RIM specifically 
    advises users to “consider PIN messages as scrambled, not encrypted”. 
[1]: http://www.cse-cst.gc.ca/its-sti/publications/itsb-bsti/itsb...
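To make the quoted point concrete, here is an added toy model (not code from the thread or from RIM) comparing one global key held by every device with a key per device. The cipher is a constructed HMAC-SHA256 keystream with an HMAC tag standing in for Triple-DES, and the PIN names and message are made up; the lesson is about key distribution, not the block cipher.

```python
"""Toy model: one global key shared by all devices versus a key per device.
Constructed demonstration; the HMAC-SHA256 stream cipher stands in for
Triple-DES, which the Python standard library does not provide."""
import hashlib
import hmac
import os

# Constructed value: in the global-key model every device ships with this key.
GLOBAL_KEY = b"constructed-global-key-shared-by-every-device"

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, message: bytes):
    """Return the plaintext, or None if the tag does not verify under this key."""
    nonce, body, tag = message[:16], message[16:-32], message[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

def who_can_read(message: bytes, devices: dict) -> list:
    """PINs (constructed names) whose key decrypts and authenticates the message."""
    return [pin for pin, key in devices.items() if decrypt(key, message) is not None]

def global_key_readers(n_devices: int = 3) -> list:
    # PIN-to-PIN model: every device holds the same key, so every device can read.
    devices = {f"PIN{i}": GLOBAL_KEY for i in range(n_devices)}
    msg = encrypt(devices["PIN0"], b"meeting moved to 3pm")  # PIN0 -> PIN1
    return who_can_read(msg, devices)

def per_device_key_readers(n_devices: int = 3) -> list:
    # End-to-end model: each device has its own key; encrypt under the recipient's.
    devices = {f"PIN{i}": os.urandom(32) for i in range(n_devices)}
    msg = encrypt(devices["PIN1"], b"meeting moved to 3pm")  # PIN0 -> PIN1
    return who_can_read(msg, devices)
```

Under the global key every PIN in the list decrypts the message; under per-device keys only the intended recipient does, which is the difference between "scrambled" and end-to-end encrypted.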