by philsnow 1060 days ago
> The idiot pmendes is wrong (if he was correct then no one knowledgeable on the subject would classify that system as E2EE

What exactly is pmendes wrong about? Are you referring to this comment:

> In iMessage the message contents are in fact end to end encripted. Each device encripts the message using the recipient keys and then sends the message. The problem is that iCloud manages the keys by itself so you have no way of knowing who is the exact owner of the key. Addionaly, on group chats, they don't even need to be a man in the middle. They can just add their key to the list of encription keys for that chat, and receive a copy of each message.

What's wrong there, aside from spelling? The nit I would pick is that in "iCloud manages the keys", I would change "iCloud" to "Apple" or "Apple's IDS".

How, specifically, does iCloud backup damage the affordance of E2E? This doesn't make any sense.

If you have somebody's GPG public key, you can encrypt a file to that public key and then put up the encrypted file on a public FTP site [0], whence they can download and decrypt it. iMessage does nearly exactly that, except that 1) Apple's identity service effectively solved the key distribution problem, 2) the messages are, even though already encrypted, themselves also transmitted by encrypted channels to Apple's servers during transit.

[0] Well, I wouldn't do this if I were at all concerned about the contents because it doesn't allow for forward secrecy.

1 comments

> What's wrong there, aside from spelling?

If you’re going to classify every critical fact as a “nit” then nothing is ever wrong.

IDS vs iCloud is far more than a nit. They’re completely different services. iCloud is run by a 3rd party in China, this is well publicized, whereas IDS is not. So that’s like not a minor detail.

iMessage does not depend on iCloud. You don't need an iCloud account. These are unrelated.

Contact key verification is a more recent addition, and again not dependent on iCloud.

> How, specifically, does iCloud backup damage the affordance of E2E?

Just saying, you can sync your data to whatever encrypted or unencrypted service you want if you choose to. This may diminish the value to the end user of E2EE but it is unrelated. I'm not the one that brought up iCloud first. Take that up with the original commenter.