[messaging] EFF Secure Messaging Scorecard

Joseph Bonneau jbonneau at gmail.com
Wed Nov 5 21:19:19 PST 2014


On Thu, Nov 6, 2014 at 12:08 AM, Tao Effect <contact at taoeffect.com> wrote:
>
> As-is, people will walk away with an incorrect understanding of the
> security of Apple's iMessages. I assume it is not EFF's intent to mislead
> people.
>
> Apple's encryption is end-to-end.
>
>
> What definition of end-to-end are you using? Apple is capable of
> decrypting iMessages sent between users [1], so sorry, but I don't see how
> that is end-to-end.
>

The definition on the website, meaning that in normal operation keys are
generated and kept at endpoints. I agree the column names as abbreviations
of the more technical names in the criteria are not as clear to a technical
reader. The goal was to make definitions that were easier for ordinary
users to understand.

Apple's capability to act as a MITM is reflected in the third column, as
you have no way (yet) of looking at key fingerprints to figure out if this
is happening. Apple could be MITMing every single connection. We took them
at their word that they aren't doing this.

Please keep in mind this is stage 1 of a multi-stage competition. The goal
is not to identify or endorse products (there is a big disclaimer on the
website about this), but to indicate that some tools are closer than
others. While iMessage is well short of the tool that everybody on this
list eventually wants to see deployed, having E2E encryption even with the
risk of a MITM is a real security upgrade over most of the competing
commercial platforms (WhatsApp, Hangouts). If this scorecard spurs a few of
them to move to the same model as Apple in 2015, that's a big win.