iMessage Key Verification (support.apple.com)
I'm interested to see what the uptake is among users, because even though Matrix has done a fair amount to smooth this process, verification is still a pretty large source of friction from what I can tell, and I'm not completely sure how it could be made easier. I guess the idea here is that once you verify a contact that syncs to their other devices, but in theory Matrix also does that, and in practice I still see some friction.
It's possible Apple's implementation will just be better, or that they'll rely on attestation to such a degree that they'll be able to skip some other friction points. But even with the public verification setup (which gets rid of the problem of needing to verify devices at the same time as the person you're talking to), I'm still slightly skeptical that users are going to copy and paste a code into their messaging app to verify contacts. My experience is that even popping up a button and saying, "do your friend and you see the same emoticons" is too much work for a lot of users.
Maybe I'll be wrong. And I guess ideally if iOS users get used to doing this, they might be more tolerant of doing the same thing in other messengers too.
[1]: Here's my Keyoxide page for example: https://keyoxide.org/alexander@notpushk.in
I quite enjoyed Keybase back in the day, but then they pivoted to being a crypto wallet, and were ultimately acquired by Zoom (a move I understand less every day, since they obviously gave up on their bold promises of end-to-end encryption they made back in 2020).
My suspicion is that it'll be quite low for many years, for two reasons:
- It requires a recent iOS and macOS version on all of a user's devices. Still got an old iPad lying around somewhere that doesn't receive software updates anymore? No key verification for you. (In a similar way, Apple has been making older devices obsolete by preventing Notes sync in some previous iOS version. This is only an issue because all of these apps are not updateable outside of the core OS.)
- It requires users to be logged in to the same Apple ID for iCloud and iMessage.
The former will only change once these old devices completely die – I just don't think many users will value key verification enough.
If Apple rolls out a similar system and it works or they're able to identify pain points and make it easier to use, then cool. Maybe Matrix can take pointers from the UI if that's the case. But I wonder if that will be the case, or if Apple's implementation will suffer from the same UX problems that Matrix's does.
https://security.apple.com/blog/imessage-contact-key-verific...
The same technology powers WhatsApp's key transparency:
https://engineering.fb.com/2023/04/13/security/whatsapp-key-...
Less than a month ago the first workshop on "transparency systems" was held at ACM CCS:
Shameless plug: I'm one of the designers of the Sigsum public transparency log, as well as System Transparency - a security architecture intended to bring transparency to the reachable state space of a remote running system.
EDIT: no, it wasn't. it was announced a year ago per other comments...
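The key transparency mechanism mentioned above (the same family of designs as WhatsApp's key transparency and logs like Sigsum) in miniature, as an added example that is not Apple's, WhatsApp's or Sigsum's code: an RFC 6962-style Merkle log of (identity, public key) records, plus the client-side check that the key a key server hands out hashes up to the root the log published. Identity names, keys and the tree shape are constructed for the demo; the log operator is assumed honest here, which is exactly the gap that witnesses and auditors close in the real systems.

```python
import hashlib
import os

# Added example, not Apple's, WhatsApp's or Sigsum's code: a minimal RFC 6962-style
# Merkle log of (identity, public key) records, and the client-side check that the
# key a key server hands out is the one recorded under the published log root.

def _leaf_hash(identity: str, pubkey: bytes) -> bytes:
    # Domain separation (0x00 leaf / 0x01 node) keeps leaves from colliding with nodes.
    return hashlib.sha256(b"\x00" + identity.encode() + b"\x00" + pubkey).digest()

def _node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    k = 1                      # largest power of two strictly below n
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaves: list) -> bytes:
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return _node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def audit_path(leaves: list, index: int) -> list:
    # Sibling hashes from the leaf to the root, tagged with the side each sits on.
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return audit_path(leaves[:k], index) + [("R", merkle_root(leaves[k:]))]
    return audit_path(leaves[k:], index - k) + [("L", merkle_root(leaves[:k]))]

def key_matches_log(identity: str, pubkey: bytes, path: list, root: bytes) -> bool:
    """Client check: does the delivered key hash up to the root the log published?"""
    h = _leaf_hash(identity, pubkey)
    for side, sibling in path:
        h = _node_hash(sibling, h) if side == "L" else _node_hash(h, sibling)
    return h == root

def demo() -> tuple:
    # Constructed sample keys; a real log holds the users' actual public identity keys.
    bob_key = os.urandom(32)
    records = [("alice", os.urandom(32)), ("carol", os.urandom(32)),
               ("bob", bob_key), ("derek", os.urandom(32)), ("erin", os.urandom(32))]
    leaves = [_leaf_hash(name, key) for name, key in records]   # append-only log
    root = merkle_root(leaves)             # what the provider publishes/signs
    path = audit_path(leaves, 2)           # inclusion proof for bob's record
    honest = key_matches_log("bob", bob_key, path, root)
    # A compromised key server substitutes its own key for bob's: the check fails.
    substituted = key_matches_log("bob", os.urandom(32), path, root)
    return honest, substituted
```

The substituted key fails only because the client compares against a root everyone else also sees; a log that shows different roots to different clients is caught by consistency proofs and gossip between witnesses, not by this check alone.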
For someone who cares about their communication security deeply enough to do contact public key verification, they would likely want to turn off iCloud syncing iMessage across multiple devices. They are likely to not have the same iCloud account on multiple devices. In such cases, what's the value of having iCloud Keychain being turned on?
Makes sense to download stuff and have it be in downloads on the laptop or iPad.
I don’t think that’s really that dark.
If Mallory can change the verification code in the contact to their own, the communication between Alice and Bob is no longer protected.
WhatsApp supports this too, see "Verify Security Code" on this page: https://faq.whatsapp.com/820124435853543
So does Signal: https://support.signal.org/hc/en-us/articles/360007060632-Wh...
So does Telegram: https://telegram.org/faq#q-what-is-this-39encryption-key-39-...
So it’s nice that it’s encrypted in transit but since iMessage is apple only and requires.. see above!
How do? iCloud Keychain is E2EE with a key derived from your device password/passcode.
To use iMessage Contact Key Verification, you’ll need: iOS 17.2, watchOS 9.2 and macOS 14.2 on all devices where you’ve signed in to iMessage with your Apple ID
Unfortunately my work iMac isn’t on Sonoma, it’s on Monterey. I suppose I could log out on that machine, but still, a bit of a shame older versions aren’t supported.
Am I reading the requirements correctly? Does this mean that for all devices to work with CKV, then all OS’s need to be updated, or will it not do CKV on any devices if even one device is not supported?
“You want to talk to Adam, but you haven’t verified their keys yet. However your contacts Anna and Derek have confirmed Adam’s identity”
“You want to talk to Family Lawyer D. Ivorstein, but you haven’t verified their keys yet. However your contact Wife has confirmed D. Ivorstein’s identity”
I would trust my technical friend with their chain of trust, but not my hair dresser.
Does not guarantee it's Adam reading.
The only scenario where this might break is if you log into personal accounts on work devices or vice-versa. I think that’d be ill-advised…
An Apple account is required in many situations (e.g. you want to download something from the Mac Store, you want Find My Mac etc.), but Apple doesn't cleanly support multiple accounts on any of their devices (and they probably have no incentives to do so)
It's also a PITA to have single devices with single accounts. For instance 2FA is a pain, you also can't use features like sidecar.
All in all, Apple is really bad at this and makes you jump through hoops if you intend to have clean separation between your work and personal accounts.
[0]: https://register.apple.com/resources/messages/messaging-docu...
I wouldn't say they "gained access to iMessage network".
They figured out a weakness in Apple's authentication that allowed a user with a fake serial # to authenticate. Apple is slowly making it more strict/checking the serial #s better (my opinion/guess).
Rather, it aims to prevent someone who compromised iMessage infrastructure from pulling a dodgy around keys.
It’s described in more detail here:
https://security.apple.com/blog/imessage-contact-key-verific...
(This is end-to-end encrypted, by the way; Apple can’t get at people’s private keys.)
And this is a new protocol, so no surprise it doesn’t work with older operating systems. (It doesn’t say you have to remove your Apple ID completely, just log out of iMessage.)
And I could totally see Apple making non-verified contacts' bubbles a different color sooner rather than later...
https://www.macrumors.com/2022/12/07/new-imessage-apple-id-s...
Practically, the added complexity of having to integrate with iCloud Keychain certainly won't help.
https://blog.keyoxide.org/keyoxide-launch/
Code lives here if you want to dig:
Theoretically the iTunes/App Store/TV account is independent of iCloud – except that it's tangled to Apple Podcasts.
- iMessage used to be mostly standalone (iCloud sync was explicitly optional!) – but now it's tied to iCloud via contact key verification.
- Books is a weird mix of iCloud (for media) and iTunes (for purchases).
- Having my device as a trusted login factor is a complete mess: I still haven't figured out what makes or doesn't make a device "capable of generating authentication codes".
- iTunes subscriptions can somehow only be managed on an Apple device or iTunes – and logging in for that purpose messes up podcasts (see the first point).
At least on macOS, it's possible to make a second account and log in to most of these cleanly, but it's still a hassle compared to e.g. Google's seamless support for multiple accounts in almost all of their products.
Specifically I’m talking about their beeper mini spoofing of Apple devices, not the other beeper setup that forwarded content to/from an actual Mac.
I know it's not iCloud, but it's functionally the same as iCloud with all the checkboxes disabled.
Getting more access beyond iMessage requires another authentication (it’s definitely not just “enabling more checkboxes”), and most importantly iCloud Keychain won’t even be touched without the required second factor (usually another device’s passcode on the same iCloud account).
But :shrug: unless I'm not seeing a broader picture or there are details here that I don't understand, it does kind of sound like this is going to have the same problems that Matrix has. Although, to be fair, I've run into validation errors and syncing problems with Matrix before that theoretically Apple won't have? So maybe it'll be the same UX, but slightly more stable? Although also to be fair, Matrix doesn't require me to update all of my computers in order to verify an identity and Apple seems to be saying that users will need to do that, so I'm not necessarily taking it as a given that Apple's system won't have its own share of annoying caveats.
It's a tiny bit disappointing, my takeaway from Matrix is that this all needs to be easier to do, and I was mildly hopeful that there would be some UI takeaways from Apple's implementation.
Or maybe people will just be more tolerant if it's Apple asking them to jump through the hoops instead of an Open Source messenger? If that's the case, and if the UX really is basically the same as Matrix's, maybe some of that tolerance will bleed over to Matrix as well.
APKTIDJ_J3S3UhVqZKCX5EgKYnh9ez4pO9Hsr5YWv_5pXF5GUcLA
You can also try exporting the contact to a vCard .vcf file using the Share Contact button. I believe the iMessage key verification info won't be included. (But as you noted the most important thing is that it can't be modified)
I have ADP on my devices but no one else in my family has it on and we’re all in the same iCloud family.
Think journalists, politicians, public figures
What "risk" is there? I'm not aware of illegal spying by intelligence or law enforcement agencies having ever had any adverse consequences for them, in any country, at any point in history.
In most of the world everyone knows that journalists and lawyers are being monitored.
So as with a lot of matters in intelligence work it's subject to cost benefit calcs. If using it against a given target means they are incredibly unlikely to notice and it can then be used again and again, it doesn't take much target value for a government to deploy it which pushes towards more mass use. On the opposite end if using it means it will immediately become useless ever again, then the expected target value has to at least exceed the market cost (which itself will rise more quickly if 0-days are being consumed more quickly vs production), every time. In between is a spectrum of less or more use. Apple wants it as far towards "use it and lose it" as possible, but Trevor Perrin's argument makes sense here: even a relatively small increase in percentage of "use it and lose it" amongst the population could significantly change the mean weighted cost for threat actors.
If they could know for sure whether a given counter measure was deployed that'd reduce the cost again, but if they can't there is indeed a population benefit. It's like a mine field, there don't have to be that many mines scattered around to really hurt people's willingness to cross it!
All these three letter agencies operate in the darkness and away from the public eye. That's where they belong, because what they do to their own citizens is supposed to be unconstitutional. If they've really gotten so brazen as to operate openly instead of clandestinely and are still enjoying complete impunity then there really is no hope left.
If an adversary was discovered 0.1% of the time, there would be at least one person on a support forum with the text of the error that occurs when it fails...
If even 0.1% of users did that, it would be 2 million verifications. And yet nobody has ever announced they have found a non-matching key.
I mean for the intelligence agencies – not for Edward Snowden. I'm of course aware his life has been destroyed. But what consequences were there for the people and institutions responsible?
I'd mention there are two big but abstract consequences.
1) The leaks significantly harmed international relationships and the result of this gave much more ammunition to political adversaries like China and Russia. People argue that this is a consequence of Snowden's leak but that's like arguing that a mass shooting was only problematic because the news informed everyone. In a way yes, but it's not like those people would be alive if the news didn't report... It's not the real problem even if you wanted to argue over-sensationalism.
2) It seriously galvanized the battle for encryption and laid the pathway for the subsequent rapid rise in usage of tools like Signal and more funding and energy for building tools like Matrix and many others. Google's Project Zero certainly was influenced by this event.
While I get that these are more abstract, they are certainly consequences and certainly nothing to be scoffed at. Another problem with the perception of consequences is that often they are more subtle or abstract. But subtle or abstract doesn't mean any less impactful, just more difficult to trace. More opaque. We don't have a counterfactual to prove that these things wouldn't have happened without the leaks, but I'm certain the timing and degree would have been different. Do you think the world would be different had he not released them? I don't think this is an easy question to answer because it requires being exceptionally detailed and paying very close attention to a lot of events.
I'm sorry, I just cannot imagine asking a non-technical person to copy and paste that into a messenger and then needing to help them debug which letter they left off. It's hard enough to get them to validate "I see a cat, a dog, a horse, a pizza, and a basketball."
I guess I'll wait and see what happens with it, but I'm going to temper my expectations about people adopting this.
I don't know, we'll see what happens. Maybe I'll be wrong and the system will take off.
TOFU is a good idea when you don't want a central party arbitrating identities like with federated Matrix. Makes little sense with Apple.
However, from Apple's perspective, this does kind of feel like the worst of both worlds. People have to update their devices to the most recent iOS version, apparently being signed in on an old device just turns off verification, apparently it's not even per-device?
So if that's the case, Apple has all of the downsides of attestation right now. Why also have the downsides for keys and in-band verification as well? It does seem like it would be simpler for them to try and have this be something that's tied into iCloud that gets set up only by the person who wants to be verified. Again, I'm not saying I want that, I don't want Apple arbitrating identities, but... why wouldn't they? Why have a system with both downsides?
I'm sure there are caveats I'm not thinking of, but it does seem like they could probably do this in a less federated/decentralized manner?
There are larger UX problems surrounding when/where to copy and what the caveats are, but even ignoring them, people do seem to struggle with copy paste, especially cross-device stuff. I'm not sure what the solution is.
Not even close. The vast majority of journalists, lawyers, activists, even public figures, don't have the knowledge to secure their digital lives, don't have access to an expert to do it for them, and in many cases aren't even fully aware of the nature of the threat (beyond some vague idea along the lines of "I'm probably being monitored").
On top of that, it has been my experience that people who don't understand threat mechanics on a deeper level (such as active MITM attacks) quickly stop following whatever best practices they have been trained to adhere to (in this case, peer key verification), because those practices have no observable effect to them and without actually understanding what's going on, it's hard for them to see what the point is.
Citation needed. Because everything I have ever seen is that iOS users almost all leave on autoupdate and the move to the latest version is the overwhelming majority, very rapidly. Seriously, look at adoption each time over the last 5 years on a site like statista [0] or wherever, or various ones aimed at developers. If you want to claim that people at higher risk aren't part of the 60-85% I'd honestly be curious to see your numbers. Note I said "decent" not "best" practices. Whatever its flaws, mixed incentives, and issues (which are real), Apple has expended significant effort in making the normal default paths provide an ok baseline security for regular people and discouraging leaving them. Which isn't even something a lot of HNers like! If anything, I'd be unsurprised if HN types lag in some respects because we want more control and to do things outside the well trod path. I've jailbroken a lot, is that something most people do? No.
In this specific case, the minimum needed to avoid a zero-day exploit is (by definition) merely to always have the OS updated and all security patches applied while staying firmly within the walled garden. Which it's objectively clear the super majority of regular people do. If you just go with the default and let Apple update your device whenever Apple wants, then it's a truism that anything you get hit by is something Apple hasn't yet patched. And in turn anything that raises the population probability that the 0-day actually gets noticed and potentially reported raises the risk of using the 0-day. The whole point of this feature is that it'd let a normal person who doesn't necessarily understand threat mechanics go "huh, that's funny" and then maybe say so on their social media/blog/wherever, at which point if even one person who follows them (and we're talking journalists or other types with enough influence to get targeted by major threat actors right?) recognizes what's going on and says "quick call Apple/security researcher/tell HN" now it's out there.
>because those practices have no observable effect to them
Literally the entire point of this new feature is to create an observable effect of tampering. Kind of a weird statement in context.
----
0: https://www.statista.com/statistics/565270/apple-devices-ios...
Opt-in additional protections, such as Lockdown Mode, which aren’t perfect but help, are rarely enabled by those who need it, despite being marketed to people who are targeted. Part of this is that it’s opt-in, but part of it is that a lot of the people targeted aren’t journalists: they’re the spouses of political leaders, or random government leaders, who don’t have a good security posture nor do they have people managing their devices for them to create one.
Also, do note that just because someone appears to have tampered with a conversation doesn’t mean you’ve burned your 0-day: it provides no indication of how they did so.
Outside of the US, Android's market share dwarfs iOS's. And most people's Android phones are from vendors that stop providing updates, including security updates, after 2 years or so. There are hundreds of millions, if not billions, of vulnerable Android phones out there.
> Literally the entire point of this new feature is to create an observable effect of tampering.
Which, since most connections aren't tampered with, isn't actually observable in practice for most people. So the next time they meet someone new, they might not even bother asking them to do key verification.