iMessage with PQ3: The new state of the art in quantum-secure messaging at scale \ stacker news ~privacy

iMessage with PQ3: The new state of the art in quantum-secure messaging at scale security.apple.com/blog/imessage-pq3/

1632 sats \ 6 comments \ @DEADBEEF 21 Feb privacy

They go to all these lengths and then let people sync & backup their iMessages to the cloud. Effectively rendering them unencrypted. Must be infuriating if you work on this stuff inside Apple.

https://support.apple.com/en-us/102651

Standard data protection: Messages in iCloud is end-to-end encrypted when iCloud Backup is disabled. When iCloud Backup is enabled, your backup includes a copy of the Messages in iCloud encryption key to help you recover your data. The encryption keys from your trusted devices are secured in Apple data centers, so Apple can decrypt your data on your behalf whenever you need it, such as when you sign in on a new device, restore from a backup, or recover your data after you’ve forgotten your password. If you turn off iCloud Backup, a new key is generated on your device to protect future Messages in iCloud. This key is end-to-end encrypted between your devices and isnʼt stored by Apple.

Advanced Data Protection: Messages in iCloud is always end-to-end encrypted. When iCloud Backup is enabled, everything inside it is end-to-end encrypted, including the Messages in iCloud encryption key.

11 sats \ 1 reply \ @m00ninite 21 Feb

As long as you can disable icloud backups, this is a win

11 sats \ 0 replies \ @davidw 21 Feb

Yes optionality is important. I’m unsure on the percentage but I’d be willing to assume 75%+ of Apple’s customers use iCloud backups and less than 20% use the new ‘Advanced Data Protection’ from iOS16. So most people are still storing their message history for Apple and other third parties to snoop-on.

Not to mention, even if you think you have the correct settings… your Nan who is still on iOS14 is still leaking your Christmas wishlist and your entire family conversation history, or anyone else for that matter that you chat with.

Anyone who doesn’t:

upgrade to iOS16 and enable new advanced privacy feature
disable iCloud backups

… is sharing your conversation history with Apple and all government agencies worldwide.

So stating iMessages are E2E encrypted is disingenuous at best.

10 sats \ 0 replies \ @MattInTech 22 Feb

This is huge. Strange to see large tech companies adopt PQC algorithms when banking/financial institutions worldwide haven't done yet... Strange world, but still happy that someone is taking quantum threats seriously. Also funny to see how Apple has "branded" its PQC key-handling solution... saying "we use CRYSTALS-Kyber like the rest of the world will do" was not premium enough, I guess 😁

10 sats \ 1 reply \ @itsrealfake 21 Feb

How does this work if you're in China?

11 sats \ 0 replies \ @ZezzebbulTheMysterious 21 Feb

By the Chinese government reading your imessage history from your iCloud backup, sorted on domestic servers. The keys are in China too. Same old vector.

I remember when Tim bragged that China had the ciphertext but didn’t have the keys. That changed.

It’s Looking like RCS was a Trojan to give China access to messages on the wire too.

That being said: Stronger, and additive key exchange methods should be encouraged. PQ3 is a good idea. Apple adopting this will push others to go with PQ key exchange methods. Todays adversary has clear text access to most targets anyway. Tomorrows will have to break the keys.