Apple Announces 'Groundbreaking' New Security Protocol for iMessage - eviltoast

Apple Announces ‘Groundbreaking’ New Security Protocol for iMessage::Apple today announced a new post-quantum cryptographic protocol for iMessage called PQ3. Apple says this “groundbreaking” and…

  • Scott@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    35
    arrow-down
    18
    ·
    9 months ago

    But did you add RCS support yet?!?!

    If the answer is no, YOUR PRIORITIES ARE FUCKING WRONG!

    • jqubed@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      1
      ·
      9 months ago

      I won’t be surprised if that doesn’t show up until iOS 18; when they announced it in November 2023 the only timeline they gave was “later next year.” This encryption has presumably been in development for a while, whereas I think they announced RCS support only as they started, to try to get ahead of regulatory issues in the EU.

    • Ghostalmedia@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      2
      ·
      9 months ago

      I’ll bet money that this project started long before Apple and Google agreed on their shared cross platform RCS strategy 4 months ago.

      And as others have said, unlike PQ3, RCS will visibly impact the experience. “Green bubble” message quality will go way up. I’ll bet PM and marketing want to peg that to a full version number release. Those folks always want to hold back the juicy user-facing stuff for n.0 releases

    • kevincox@lemmy.ml
      link
      fedilink
      English
      arrow-up
      14
      arrow-down
      10
      ·
      9 months ago

      I don’t use Apple devices, so my preferences aren’t particularly relevant, but…

      I would rather have better E2EE than RCS. Really I don’t care for RCS at all. The last thing I want is for carriers to have any control over my messaging. I want my chats to be available on all devices even if I drop my phone into a volcano. I want to just use the internet without weird carrier networking. RCS is nicer than RCS I guess, but lipstick on a pig. My carrier should just worry about connecting me to the internet, not wasting their time making deals with Google to host some weird phone-number connected chat app.

      • realharo@lemm.ee
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        edit-2
        9 months ago

        I would rather have better E2EE

        and

        I want my chats to be available on all devices even if I drop my phone into a volcano

        are kinda conflicting goals. If the chats are easily available on a new device without you manually syncing the key, that means the key exists somewhere in the cloud outside of your control, which is the opposite of good E2EE.

        You can still achieve both goals, but it would involve you exporting the key, storing it somewhere, and then importing it to a new device from where you stored it.

        • kevincox@lemmy.ml
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          They aren’t conflicting goals. Multi-device E2EE is available in protocols like Matrix and WhatsApp.

          In the simplest case multi-device E2EE can be implemented as a group chat, and when you add a new device to your account you automatically add it to all of your rooms. So any protocol that supports mutli-user E2EE can support multi-device E2EE. Of course there are more efficient implementations.

          it would involve you exporting the key, storing it somewhere, and then importing it to a new device from where you stored it.

          Yes, you need to have a copy of the key, if the last copy is lost any E2EE solution will fail closed. If you have multiple devices this is probably already solved. (For example Matrix where when you log in with a new device it will ask you to verify from an existing device.)

          But the point stands that if I am on vacation with a laptop and a phone and I lose my phone with proper multi-device I can continue to use my laptop seamlessly. (It already has a key)

          You can also make “offline” backups and import to new devices. This may be less convenient but it can be easier to make offline backups than having globally distributed full computers. There are other solutions as well like escrow where a key is protected by a password or HSM devices. Although these are not as strong as never giving the key to a third-party.

    • smileyhead@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      3
      ·
      9 months ago

      As EU dropped their app from the list of gatekeepers, they have no need to adopt abandoned protocol laying around and pretend to be open like Google do.