Encryption you don't control is not a security feature

Wed 23 September 2015

Catching up on my blog reading, this morning, led me to an article discussing Apple's iMessage program and, specifically, the encryption it uses and how it's implemented.  Go ahead and read the article; I'll wait.

The TL;DR of that article is this: encryption you don't control is not a security feature.  It's great that Apple implemented encryption in their messaging software but since the user has no control over the implementation or the keys (especially the key distribution, management, and trust) users shouldn't expect this type of encryption system to actually protect them.

For Apple, it's all about UI and making it easy for the user.  In reality, what they've done is dumbed down the entire process and forced users to remain ignorant of their own security.  Many users applaud these types of "just make it work and make it pretty" interfaces but at the same time you end up with an uneducated user who doesn't even realize that their data is at risk.  Honestly, it's 2015... if you don't understand information security... well, to quote my friend Larry "when you're dumb, you suffer".

Yes, that's harsh.  But it's time for people to wake up and take responsibility for their naked pictures or email messages being publicized.  I'm assuming most everyone makes at least a little effort toward physically securing their homes (e.g. locking doors and windows).  Why shouldn't your data be any less protected?

In comparison, I'll use Pidgin and OTR as an example of a better way to encrypt messaging systems.  OTR doesn't use outside mechanisms for handling keys, it clearly displays whether or not a message is simply encrypted (untrusted) or whether you've verified the key, and it's simple to use.

One thing I'll say about Apple's iMessage is that it at least starts to fix the problem.  I'd rather have ciphertext being sent across the network than plaintext.  Users just need to understand what the risks are and evaluate whether they are okay with those risks or not.

By Sparks, Category: Information Security

Tags: Apple / iMessage / OTR / Confidentiality / Encryption /