A security researcher has suggested that Apple's claim that its iMessage app is spook-proof and secure does not stand up to scrutiny. Cyril Cattiaux, who works at the research firm QuarksLab, made his claims during a speech to the Hack in the Box conference, which were quoted by PC World – the tech news site, rather than the …
You had me at "public key"
Nice Soft Apple.......All your bases are ours!
Apple accused and apple responded last week, for a much more complete and accurate story see;
> for a much more complete and accurate story see
Hmm... I fail to see how the story on that link was "much more complete and accurate" than this one. They repeat essentially the same content.
On the other hand, if you think El Reg's comments section is full of cluelessness, you only have to head over to that site to see how much worse things could be. :-(
"Apple accused and apple responded..."
Apple implied that interception would require a redesign of their iMessage system, where they actually only need to send updated certificates. They then said "they had no plans to do this", which is not the same as "this is not possible". Their plans could be changed by a court order.
Fixed it for you
Their plans have already been changed by secret court order, the existence of which may not be revealed or even alluded to under any circumstances.
Not really any point posting as an AC, is there?
Whatever . . .
It's iMessage. Where's the need for HQ encryption? To make sure that Tracy doesn't find out that Sharon has told Lauren that she's given Trevor Chlamydia and that she should go and pick up another dose of Doxycycline for herself and her other boyfriends [imagine randomly intersecting Venn diagram here]?
Her older sister will spread the news to her mates in year 8 in school anyway . . .
Re: Whatever . . .
All the downvoters use iMessage now because they found out during the London Riots that BBMessenger wasn't all that secure and that JD Sports suddenly wanted those Nikes back.
Won't be different with Apple. Be careful!
Apple's security is so poor it couldn't keep drunks in a brewery.
"Apple's security is so poor it couldn't keep drunks in a brewery."
Don't you mean OUT of a brewery? No matter, it doesn't make a difference either way...
Not a credible position anyway..
It doesn't really matter how much crypto Apple adds - as a company with its HQ in the US it's not like they have much of a choice when compelled to provide access.
How does the fact that Apple can change the public key mean that it can read the historical messages?
Every software company producing software that requires admin privileges to install and uses cloud services can potentially create opportunities for man-in-the-middle attacks. Even the suggestion of local public keys isn't an answer. These can be compromised since the overall system/application architecture is controlled by Apple, MS, Adobe etc - and with sufficient political and legal pressure these companies can be made to implement measures. ISPs can be compelled to keep logs of transmissions (with or without knowledge of content) at any time. I don't trust any company that says its cipher solution is completely secure. Lastly, current SSL implementations may already be broken - in that event cooperation of Apple et al is superfluous. The real issue here is not Apple's ability or not to access iMessage; it is the complete intrusion of governments in the secure free exchange of ideas - all under the premise of public "safety". Russia created the KGB almost 70 years ago to spy on "subversives" but ran out of money - the US just found a cheaper way to implement those policies.
The NSA can force a company to categorically state they are NOT supplying data to the government, even when they absolutely are. In order to comply with such orders a company not only can say that no one can snoop on their security but is essentially forced to make those statements.
Apple itself could very well be telling the truth that they have not developed plans to snoop, while letting the NSA develop those plans for them.
Point is: you can't trust any statements about the security of data made by any company doing business in the US. Instead, you just have to assume that whatever you send is being monitored and stored for future reference. The only real question is whether non state actors can get to it.
>The NSA can force a company to categorically state they are NOT supplying data to the government, even when they absolutely are.
>Point is: you can't trust any statements about the security of data made by any company doing business in the US.
Again, not true. Companies might not be able to tell you the whole truth. But they cannot be compelled to tell lies.
>Instead, you just have to assume that whatever you send is being monitored and stored for future reference.
Goes for GCHQ too, I might add. And, it's just good security practice.
Re: too harsh
I think you need to brush up on what the NSA+FISA have been compelling companies to do and say.
>Apple's iMessage is a text-messaging service which allows fanbois to send free messages over Wi-Fi.
True, but not the whole truth. It can send the messages using cell network connections as well as WiFi.
The real point here...
The real point is that (yet again) yet another company (that should know better) is claiming that their products are secure when the law (let alone its secret amendments) clearly states that all customer data transmitted by it is open to whomever successfully claims they have the power to demand it.
IOW, that they are lying, because once the data is transferred over compromised systems (such as those run by so many Government agencies), let alone cross referenced, indexed and filtered, if it is of any value anywhere, it may as well be considered public.