[cryptography] ICIJ's project - comment on cryptography & tools

Nico Williams nico at cryptonector.com
Thu Apr 4 17:39:31 EDT 2013


On Thu, Apr 4, 2013 at 3:51 PM, ianG <iang at iang.org> wrote:
> On 4/04/13 21:43 PM, Jon Callas wrote:
>> This is great. It just drives home that usability is all.
>
> Just to underline Jon's message for y'all, they should have waited for
> iMessage:
>
>       "Encryption used in Apple's iMessage chat service has stymied attempts
> by federal drug enforcement agents to eavesdrop on suspects' conversations,
> an internal government document reveals.

[...]

But note that this doesn't mean that iMessage can't be MITMed or
otherwise be made susceptible (if it isn't already) to MITM attacks or
plain traffic analysis.

iMessage relies on Apple as a trusted third-party.  Therefore Apple
can MITM its users.  The best case scenario is that the iMessage
clients can add jey pinning to force the TTP to either never MITM or
always MITM any pair of peers.  But since the TTP also distributes the
client software...

Online we have lots of security problems that are difficult to
resolve, from physical security of devices (there's not enough) to the
lack and general difficulty/impossibility of reliably open-coding or
reviewing everything that one has to trust (mostly software, and some
firmware too).

Basically, this is complaint by the DEA is disinformation or
misinformation (or both!).  If the former case we might even be
staring at the start of a new crypto wars period.

Nico
--


More information about the cryptography mailing list