Catching up on my blog reading, this morning, led me to an article
discussing Apple's iMessage
program
and, specifically, the encryption it uses and how it's implemented. Go
ahead and read the article; I'll wait.
The TL;DR of that article is this: encryption you don't control is not a
security feature. It's great that Apple implemented encryption in their
messaging software but since the user has no control over the
implementation or the keys (especially the key distribution, management,
and trust) users shouldn't expect this type of encryption system to
actually protect them.
For Apple, it's all about UI and making it easy for the user. In
reality, what they've done is dumbed down the entire process and forced
users to remain ignorant of their own security. Many users applaud
these types of "just make it work and make it pretty" interfaces but at
the same time you end up with an uneducated user who doesn't even
realize that their data is at risk. Honestly, it's 2015... if you don't
understand information security... well, to quote my friend Larry "when
you're dumb, you suffer".
Yes, that's harsh. But it's time for people to wake up and take
responsibility for their naked pictures or email messages being
publicized. I'm assuming most everyone makes at least a little effort
toward physically securing their homes (e.g. locking doors and
windows). Why shouldn't your data be any less protected?
In comparison, I'll use Pidgin and
OTR
as an example of a better way to encrypt messaging systems. OTR doesn't
use outside mechanisms for handling keys, it clearly displays whether or
not a message is simply encrypted (untrusted) or whether you've verified
the key, and it's simple to use.
One thing I'll say about Apple's iMessage is that it at least starts to
fix the problem. I'd rather have ciphertext being sent across the
network than plaintext. Users just need to understand what the risks
are and evaluate whether they are okay with those risks or not.