|
|
|
|
|
|
by advael
911 days ago
|
|
|
So is the issue that there's a cloud web service that interacts with some of the proprietary protocols? That definitely is another point of trust and it would seem weird that they do it that way, especially for protocols that aren't proprietary. For proprietary ones, this might be necessary to dodge intellectual property liability claims that could take the whole thing down, which is a great argument for not allowing security-critical proprietary code to be protected by law in this way, but that's just a plausible reason for them to have this problem, not a reason it doesn't matter I appreciate you pointing out specifically what the problem was rather than just repeating that it was insecure, rather than how, and admit what I said was, as far as I now know, wrong That said, what are the odds that Apple would accept a solution that was encrypted on-device? If this were feasible, would Apple still block the interoperation with their network, and do we agree on whether they'd be wrong to? I think the main issue I see with iMessage that this highlights is that it's presented in a way that's deceptive to its users, and thus might give them a false sense of security in their messaging. An interoperating client on android is a band-aid for this problem at best, but it's a weird move to block it. I guess for now there's the plausible deniability of what appears to be a real issue though. The way Apple's messaging has addressed it still leaves a bad taste in my mouth, because they do not make clear that what you point out is the issue |
|
|
We probably agree that the odds hover just above 0%
>would Apple still block the interoperation with their network, and do we agree on whether they'd be wrong to?
We could agree in principle that they would be wrong to, _if_ there were a clear path to continuously verifying that a third party client is behaving above board. Unfortunately that's just not the case. AFAIUI, this is still an intractable issue with encrypted communications. Is it an impossible problem? Probably not, but the amount of sustained effort this would require from Apple (and the 3rd parties) seems unworkable. So given that reality (I think), I don't think Apple are wrong to disallow third party clients for their E2E encrypted service.
>The way Apple's messaging has addressed it still leaves a bad taste in my mouth, because they do not make clear that what you point out is the issue
Yeah, I don't disagree here. I can only say that this is par for the course when it comes to Apple's PR. They would basically never explicitly state that their E2E encrypted service is at risk of a MiTM attack due to third party clients. Instead we will get very generic language and be left to fill in the blanks ourselves.