[messaging] EFF Secure Messaging Scorecard

Tao Effect contact at taoeffect.com
Thu Nov 6 09:19:04 PST 2014 

On Nov 6, 2014, at 8:09 AM, Mike Hearn <mike at plan99.net> wrote:

> Alright, let me clarify my statement a little bit - iMessages meets (1) assuming you decide to actually use it in that way, and I think it's reasonable to assume that people understand "backing up my messages to Apple" means Apple gets to read them. I'd be surprised if that caused real users any confusion.

I don't have an iPhone I can test this on; can anyone corroborate this?

My recollection is during the setup Apple doesn't tell users that by choosing to use iCloud their messages will be readable to Apple (and anyone with access to Apple).

> I don't think an app should be dinged for not being fully end to end out of the box

If the statements being made is that it is "fully end to end" (Apple is claiming this), then it seems reasonable to ding them on it.

> If resistance against malicious providers giving you bogus software is a requirement to be considered end to end then no such technology has ever been successfully deployed

That seems like a different bar to me, and it's not the bar I'm holding Apple to.

I think the most that can possibly be expected here is that the source is open and that the binaries are signed by the developer who authored them.

If we consider that, then we actually have several real-world examples:

- All open software that uses Sparkle: http://sparkle-project.org
- Mozilla Firefox add-ons
- Possibly Chrome add-ons (would need to double-check)

These bits of software are bundled with the public key of the individual vendor, and software updates are signed by the vendor themselves. So if you trust the author of the software to not be malicious (and in the case of open source software, there is good reason to), then this seems reasonable and sufficient to me. But Apple isn't doing this either.

Kind regards,
Greg Slepak

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20141106/875dd061/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20141106/875dd061/attachment.sig>

More information about the Messaging mailing list