Hacker News
by danShumway 914 days ago
This seems somewhat similar to Matrix's (and other apps') approach of comparing keys to verify identity (plus, I guess, some extra hardware requirements and attestation).

I'm interested to see what the uptake is among users, because even though Matrix has done a fair amount to smooth this process, verification is still a pretty large source of friction from what I can tell, and I'm not completely sure how it could be made easier. I guess the idea here is that once you verify a contact, that syncs to their other devices, but in theory Matrix also does that, and in practice I still see some friction.

It's possible Apple's implementation will just be better, or that they'll rely on attestation to such a degree that they'll be able to skip some other friction points. But even with the public verification setup (which gets rid of the problem of needing to verify devices at the same time as the person you're talking to), I'm still slightly skeptical that users are going to copy and paste a code into their messaging app to verify contacts. My experience is that even popping up a button and saying, "do your friend and you see the same emoticons" is too much work for a lot of users.

Maybe I'll be wrong. And I guess ideally if iOS users get used to doing this, they might be more tolerant of doing the same thing in other messengers too.


Trevor Perrin, who co-designed the Signal Protocol, made the point that most people don’t have to do this. If a few people do, an adversary won’t know if the target is verified or not. If they MITM, they might be discovered instantly. Which gives the entire herd protection.

- https://www.youtube.com/watch?t=2001&v=7WnwSovjYMs

Not a great argument IMO. If only 0.1% of people check the keys, the attacker may be just okay with the 0.1% chance of being discovered – especially if there are no consequences for them.
Only for mass attacks. A targeted attack will encounter the risk of the attacker being exposed.

Think journalists, politicians, public figures

> A targeted attack will encounter the risk of the attacker being exposed.

What "risk" is there? I'm not aware of illegal spying by intelligence or law enforcement agencies having ever had any adverse consequences for them, in any country, at any point in history.

Risk of revealing their attack and losing whatever exploit made it possible, if nothing else. The stuff Citizen Lab has published is also making problems for some of the companies selling spyware.
I don't mean to be snippy, but this is kinda what the whole Cold War was about. There were constant consequences for the spying. For domestic I think we can point to Watergate, Contra Affair, Snowden Leaks. I have some more recent examples but I think mentioning them will result in arguing and move from the topic at hand. You may not agree that the consequences were severe enough, but there were consequences. I think there's also a strong bias in that consequences take place after (often months or years) and there's less attention given to them so we often aren't even aware. But if consequences do happen, it does mean the rage machine was effective even if far from optimal. Worth noting that there is a danger in lack of attention to consequences, since it can lead to apathy and thus actually enable consequent-less actions in a self-fulfilling prophecy.
What consequences did the Snowden Leaks have?

I mean for the intelligence agencies – not for Edward Snowden. I'm of course aware his life has been destroyed. But what consequences were there for the people and institutions responsible?

There were several instances when a person of interest suspected something was wrong with their phone and, knowing they could be a target of government surveillance, promptly submitted their devices to security companies. That's how some zero-days were uncovered by Apple.
It might still be an acceptable risk. Most governments around the world probably don’t care that much if it’s discovered they are surveilling a journalist or lawyer.

In most of the world everyone knows that journalists and lawyers are being monitored.

I think you and notpushkin are perhaps missing some of the "economic" angles on this. It's not just about the what, it's about the how. High value targets are highly likely to be following decent practices and at least staying up to date on software. Which implies that cracking iMessage would require use of a 0-day, of which there are not an infinite number at any given time, and which Apple will immediately eliminate forever if they discover it. Part of the point of highly targeted careful attacks is to stretch those out, it's not just about keeping the target from knowing (though that's not irrelevant), it's also about future targets.

So as with a lot of matters in intelligence work it's subject to cost-benefit calcs. If using it against a given target means they are incredibly unlikely to notice and it can then be used again and again, it doesn't take much target value for a government to deploy it, which pushes towards more mass use. On the opposite end, if using it means it will immediately become useless ever again, then the expected target value has to at least exceed the market cost (which itself will rise more quickly if 0-days are being consumed more quickly vs production), every time. In between is a spectrum of less or more use. Apple wants it as far towards "use it and lose it" as possible, but Trevor Perrin's argument makes sense here: even a relatively small increase in the percentage of "use it and lose it" amongst the population could significantly change the mean weighted cost for threat actors.

If they could know for sure whether a given counter measure was deployed that'd reduce the cost again, but if they can't there is indeed a population benefit. It's like a mine field, there don't have to be that many mines scattered around to really hurt people's willingness to cross it!

> High value targets are highly likely to be following decent practices and at least staying up to date on software.

Not even close. The vast majority of journalists, lawyers, activists, even public figures, don't have the knowledge to secure their digital lives, don't have access to an expert to do it for them, and in many cases aren't even fully aware of the nature of the threat (beyond some vague idea along the lines of "I'm probably being monitored").

On top of that, it has been my experience that people who don't understand threat mechanics on a deeper level (such as active MITM attacks) quickly stop following whatever best practices they have been trained to adhere to (in this case, peer key verification), because those practices have no observable effect to them and without actually understanding what's going on, it's hard for them to see what the point is.

Has warrantless mass surveillance really become so normalized that such gross violation of people's rights is just casually brushed aside like some unsurprising everyday occurrence, so common it can't be helped? Lawyers and journalists are people too, they're citizens, human beings with rights and they don't deserve to be "monitored" by anyone. If "everyone knows" they're being monitored, why is nobody doing a thing about it?

All these three letter agencies operate in the darkness and away from the public eye. That's where they belong, because what they do to their own citizens is supposed to be unconstitutional. If they've really gotten so brazen as to operate openly instead of clandestinely and are still enjoying complete impunity then there really is no hope left.

WhatsApp has this scheme. And to my knowledge, never has there been a report of verification failing.

If an adversary was discovered 0.1% of the time, there would be at least one person on a support forum with the text of the error that occurs when it fails...

I get the warning "your contact key has changed.." all the time with various contacts on WhatsApp. What am I supposed to do? There are no clear next steps to debug / report suspicious activity. In such cases, users get trained to become complacent about such warnings.
You're supposed to meet up with that contact and verify the new key.

If even 0.1% of users did that, it would be 2 million verifications. And yet nobody has ever announced they have found a non-matching key.
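To make concrete what a "contact key has changed" warning, an out-of-band fingerprint check, and an emoji comparison actually do under the hood, here is an added example. It is illustrative code written for this page, not WhatsApp's, Matrix's or Apple's implementation: the hash constructions, the 16-entry emoji table and the stand-in public keys are all constructed for the demo and match no messenger's real format.

```python
"""Trust-on-first-use (TOFU) key pinning, the "key changed" warning, and a
human-comparable fingerprint / emoji short authentication string (SAS).
Illustrative only; the formats below are constructed for this demo."""

import hashlib
from dataclasses import dataclass, field

# Constructed 16-entry emoji table (4 bits per symbol). Real SAS tables,
# e.g. Matrix's 64-entry list, are fixed by the protocol; this is a demo.
EMOJI = ["🐶", "🐱", "🦁", "🐴", "🦄", "🐷", "🐘", "🐼",
         "🐔", "🐧", "🐢", "🐟", "🐙", "🦋", "🌷", "🍕"]


def fingerprint(pubkey: bytes) -> str:
    """80-bit fingerprint of a public key as five 4-hex-char groups.

    Truncating SHA-256 to 80 bits keeps it short enough to read out loud
    while still being far beyond what a MITM could brute-force a collision for.
    """
    h = hashlib.sha256(b"fingerprint-v1" + pubkey).hexdigest()[:20]
    return " ".join(h[i:i + 4] for i in range(0, 20, 4))


def fingerprints_match(shown: str, typed: str) -> bool:
    """Compare a displayed fingerprint with one a human typed or pasted.

    Whitespace and letter case carry no security meaning, so normalise them
    away; that removes the most common "it says they don't match" false alarm.
    """
    def norm(s: str) -> str:
        return "".join(s.split()).lower()
    return norm(shown) == norm(typed)


def sas_emoji(key_a: bytes, key_b: bytes, n: int = 5) -> list[str]:
    """Emoji SAS both parties derive from the two public keys they hold.

    The keys are sorted first so both sides compute the same sequence no
    matter who initiated. If a MITM substituted a key on either side, the two
    users see different emoji, which is what "do you both see the same
    emoji?" detects.
    """
    lo, hi = sorted([key_a, key_b])
    digest = hashlib.sha256(b"sas-v1" + lo + hi).digest()
    return [EMOJI[b & 0x0F] for b in digest[:n]]


@dataclass
class KeyStore:
    """Per-contact pinned keys plus the set of contacts verified out of band."""
    pinned: dict[str, bytes] = field(default_factory=dict)
    verified: set[str] = field(default_factory=set)

    def observe(self, contact: str, pubkey: bytes) -> str:
        """Record the key the server handed us for `contact`.

        Returns "new" on first sight (TOFU), "ok" if unchanged, "changed" if
        it differs from the pinned key. A changed key is either a new phone
        or an active MITM; the client cannot tell which, so it must drop the
        contact's verified status and show the warning.
        """
        old = self.pinned.get(contact)
        if old is None:
            self.pinned[contact] = pubkey
            return "new"
        if old == pubkey:
            return "ok"
        self.pinned[contact] = pubkey
        self.verified.discard(contact)
        return "changed"

    def mark_verified(self, contact: str, fp_from_contact: str) -> bool:
        """Finish an out-of-band check: the contact read us their fingerprint
        (in person, on a call, on a page they control). Only mark verified if
        it matches the key we currently hold for them."""
        pinned = self.pinned.get(contact)
        if pinned is None:
            return False
        if not fingerprints_match(fingerprint(pinned), fp_from_contact):
            return False
        self.verified.add(contact)
        return True


if __name__ == "__main__":
    # Constructed stand-ins for public keys; a real client would use X25519 etc.
    alice_key, bob_key, mallory_key = bytes([0xA1]) * 32, bytes([0xB0]) * 32, bytes([0x4D]) * 32
    store = KeyStore()
    print(store.observe("bob", bob_key))                     # new
    print(store.mark_verified("bob", fingerprint(bob_key)))  # True (Bob read it out in person)
    # A MITM at the server swaps in Mallory's key for Bob.
    print(store.observe("bob", mallory_key))                 # changed -> show the warning
    print(store.mark_verified("bob", fingerprint(bob_key)))  # False: the held key is not Bob's
    # Emoji SAS: identical when both hold each other's real keys...
    print(sas_emoji(alice_key, bob_key) == sas_emoji(bob_key, alice_key))  # True
    # ...and differs (with probability 1 - 2^-20 for 5 emoji) when Alice holds Mallory's.
    print(sas_emoji(alice_key, mallory_key), sas_emoji(bob_key, alice_key))
```

The point the thread circles around is visible in `observe`: a client that sees a changed key has no way to distinguish "new phone" from "MITM", so every such event must clear the verified flag and surface a warning, and only a fresh out-of-band comparison (`mark_verified`, or the emoji check) can restore trust. Normalising case and whitespace in `fingerprints_match` is the cheap mitigation for the "which letter did they leave off" support burden mentioned later in the thread.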

The argument is context dependent, as is essentially anything related to security. Key verification isn't for most people and can even create more noise, as normal people frequently change phones. But the average threat environment isn't the only threat environment. In higher risk settings (politicians, journalists, etc) verification rates are expected to be higher than 0.1%, because these people frequently are also more knowledgeable of security practices and/or have better advisors than the general public. While the context isn't explicitly stated, I think it is fair to assume that most can infer this and that if not someone can explain it. Often things that appear ridiculous but are common practice aren't if context is considered (that doesn't mean it's a good thing, just less absurd, and it can be understood why the ridiculous thing is done).
Apple’s installed base is so large (around 2 billion devices) that if 0.1% of them verified their keys, that’s still a useful deterrent.
Tangential, but Keybase (and later Keyoxide [1]) with their “social proof” mechanics are a more human-friendly way to verify the encryption keys. I kinda wish Matrix had that integrated, too.

[1]: Here's my Keyoxide page for example: https://keyoxide.org/alexander@notpushk.in

Is Keyoxide based on the Keybase codebase, or is it a new development?

I quite enjoyed Keybase back in the day, but then they pivoted to being a crypto wallet, and were ultimately acquired by Zoom (a move I understand less every day, since they obviously gave up on their bold promises of end-to-end encryption they made back in 2020).

It's completely new, and based entirely on PGP. The proofs are stored with your PGP key, so it's also decentralized. It doesn't have any amenities like chat or file storage – it only maps your social networks to a given PGP key. But I believe third parties (like Matrix) could step up and support it natively – all the benefits of Keybase, none of the drawbacks.
Not entirely clear, but it doesn't seem so from the launch post verbiage:

https://blog.keyoxide.org/keyoxide-launch/

Code lives here if you want to dig:

https://codeberg.org/keyoxide

> I'm interested to see what the uptake is among users

My suspicion is that it'll be quite low for many years, for two reasons:

- It requires a recent iOS and macOS version on all of a user's devices. Still got an old iPad lying around somewhere that doesn't receive software updates anymore? No key verification for you. (In a similar way, Apple has been making older devices obsolete by preventing Notes sync in some previous iOS version. This is only an issue because all of these apps are not updateable outside of the core OS.)

- It requires users to be logged in to the same Apple ID for iCloud and iMessage.

The former will only change once these old devices completely die – I just don't think many users will value key verification enough.

iCloud Advanced Data Protection also requires modern hardware and won’t enable if you have outdated/vintage stuff logged in on your Apple account.
This is super annoying. I don't have iCloud stuff enabled on my old iPad, but it works just fine as a media streaming device for the kids. I want to enable Advanced Data Protection, but it won't let me until I replace the perfectly good iPad :(
Couldn't you just make a dedicated account for that device? Wouldn't that be preferable anyway? You could still use family controls.
Any idea what happens if you sign out, enable it, and try to sign back in? Is the error as cryptic as I might imagine?
IIRC, it's just a generic failure to log into iCloud
You can remove that iPad from your account if you don't need iCloud for it
We do use it for TV+ shows like Snoopy in Space, so alas, I'm stuck with it being registered
Unregister your account, register a new iCloud and add it to your iCloud family. You can have 6 people in your family account.

I have ADP on my devices but no one else in my family has it on and we’re all in the same iCloud family.

I don't like how Matrix does it. I tried to get very technical people to use it and they struggled. Plus, they assume you have enough trust with your contacts to share with them your device details instead of just a unique identifier.
The article is a little short on details, but it's not immediately clear to me how Apple's UX will differ. This is exactly my concern, I agree that Matrix's setup can be difficult for new users, but I'm not sure what a good UX for this even is. Apple's non-public verification method seems to be (at least at first glance) almost identical to what Matrix is doing.

If Apple rolls out a similar system and it works or they're able to identify pain points and make it easier to use, then cool. Maybe Matrix can take pointers from the UI if that's the case. But I wonder if that will be the case, or if Apple's implementation will suffer from the same UX problems that Matrix's does.

This Apple support page describes how both automatic and manual verification UI/UX presents itself to the user.

https://support.apple.com/en-us/HT213465

Same thoughts, I guess. This describes the process, and the process (at least for on-device comparison) sounds almost identical to what Matrix does today. I'm not sure what code is going to be compared, Matrix uses emoji which I've found helps a lot, neither article for Apple specifies what they'll use.

But :shrug: unless I'm not seeing a broader picture or there are details here that I don't understand, it does kind of sound like this is going to have the same problems that Matrix has. Although, to be fair, I've run into validation errors and syncing problems with Matrix before that theoretically Apple won't have? So maybe it'll be the same UX, but slightly more stable? Although also to be fair, Matrix doesn't require me to update all of my computers in order to verify an identity and Apple seems to be saying that users will need to do that, so I'm not necessarily taking it as a given that Apple's system won't have its own share of annoying caveats.

It's a tiny bit disappointing, my takeaway from Matrix is that this all needs to be easier to do, and I was mildly hopeful that there would be some UI takeaways from Apple's implementation.

Or maybe people will just be more tolerant if it's Apple asking them to jump through the hoops instead of an Open Source messenger? If that's the case, and if the UX really is basically the same as Matrix's, maybe some of that tolerance will bleed over to Matrix as well.

Here’s my verification key, so you know what they look like, since you were wondering what would be shown/compared:

APKTIDJ_J3S3UhVqZKCX5EgKYnh9ez4pO9Hsr5YWv_5pXF5GUcLA

Ow. Okay, I take it back, unless there's something I'm missing then Matrix's system is better than this.

I'm sorry, I just can not imagine asking a non-technical person to copy and paste that into a messenger and then needing to help them debug which letter they left off. It's hard enough to get them to validate "I see a cat, a dog, a horse, a pizza, and a basketball."

I guess I'll wait and see what happens with it, but I'm going to temper my expectations about people adopting this.