292
iMessage will reportedly dodge EU regulations, won’t have to open up
(arstechnica.com)
This is a most excellent place for technology news and articles.
Kind of a mixed bag.
Hopefully they can dodge RCS too, because it's a poor solution. Worse, Apple's implementation of RCS doesn't include E2E encryption.
Edit: RCS limits attaments to 100mb! What the hell, why? I can, today, send 100mb over SMS/MMS, on Verizon, to other Verizon phones. RCS would be a step backward.
I don't really care about iMessage, Android is my primary device, and SMS sucks, and most people use SMS because Android, and I prefer to use other apps (especially on my iOS devices).
IMessage has its own insecurities, despite what people think. There's a recent publication about it while it uses AES to encrypt the message, the encrypted message and the AES key are packaged together with the RSA key...which never changes. So if you get someone's RSA key, you can decrypt all their messages, old ones, new ones, ALL of them.
So if they can dodge it, this keeps the pressure toward third-party apps with proper encryption, that isn't tied to your IMEI, Google or Apple accounts.
And this is what governments fear the most - they peoe will use apps like Signal, where not even the metadata is easily accessible or useful even if you could access it.
Here's just one well written example of what's wrong with RCS: https://www.reddit.com/r/UniversalProfile/comments/11b6fyd/ugh_rcs_really_does_stink/
The text of that post:
A 100MB file transfer over MMS? I'm not saying you're lying, but recognize that is highly abnormal and most carriers aren't going to support anything near that high. 100MB would be a huge upgrade for most people over MMS.
I have no idea what carrier this user is with and I agree that sounds absurd. Photos and videos are automatically downgraded before being delivered. The file size limit is typically below 5MB. Videos are like 480p and photos are 720p. I hate sending photos through MMS and would rather use data with a different messaging app if RCS isnt available.
He said it's Verizon.
Ah I missed that. Thanks.
In any case, I think this user is confused. See here: https://www.verizon.com/support/knowledge-base-14641/
I think this is where the confusion stemmed from.
Makes sense, thanks for clearing that up!
"Verizon Messages" is RCS.
That as anecdotal as me saying it works fine for me. I haven't encountered any of the issues you quoted.
But overall I disagree that abandoning RCS to keep pushing for 3rd party apps is the correct path. How's that been going for the last decade? SMS is the only common platform between all the people I know. If there are issues with RCS they need to fixed.
This. I've been using RCS for nearly 3 years, starting as soon as it was released (even going as far as to trick the messages app into letting me into the pre-release rollout), and have never had any issues with it other than when one of my friends switched over to an iPhone (and in fairness, iMessage has the same issues if you don't deassociate your phone number)
deleted
Perhaps the the EU should be looking at a forced divestment of Jibe?
Does it say so in the specification or is that the limit of a single RCS provider? How does sending files even work in RCS?
There is no such specification. It is solely up to the provider. For example, T-Mobile and ATT both state 100MB on their "Advanced Messaging" FAQ. I'm sure Verizon is the same though I couldn't find the exact wording.
Photos and Videos through RCS use your data.
The spec does state there is an 8,000 character limit and a maximum of 100 participants in a group conversation.
I commented further down, but I think you are confused with this bit:
This is not true by any means. See here: https://www.verizon.com/support/knowledge-base-14641/
deleted
That’s a proper comment right there
Yeah, it sounds good but there’s a lot of factually incorrect statements.
“Apple RCS” is actually the GSMA RCS standard, which Apple was pretty vocal about not being encrypted, but was kind of forced to use prematurely thanks to legislation. Encryption is already being looked at being added in the next spec.
How Apple encrypts iMessages is literally detailed in their support doc. In short: The per message AES key is derived from the contacts public RSA key.
Erm that's not how it actually works. Though in your defence, "in short" is pretty hard to achieve here.
The real headache though isn't encrypting the messages. It's making sure that only the intended recipient has the decryption key for your message. That's where E2EE messaging gets complex and frankly Apple doesn't do the best job.
It's theoretically possible with iMessage, especially in a nation state level attack, for a compromised device to be one of the recipients your encrypted message is sent to. Wether "theoretically" is "actually in practice" happening is hard to judge, because nation state attacks are normally hidden by court mandated disclosure suppression orders.
The way Signal is architected, it wouldn't be possible to comply with a court order like that. Unfortunately that means some Signal based messaging services will be forced to exit the UK since laws coming into effect next year will give them no other choice. It'll be interesting to see if signal based services (like Google RCS) also walk or will they weaken their encryption in order to be able to comply.
The fact at least one nation state is passing laws that force "encrypted" messaging services to have the vulnerability that iMessage has is a pretty strong smoke signal that attacks like that are happening....
But I will say the rest of what you wrote is a pretty decent insight. Thanks.