Apple Now Encrypting iCloud Emails

[impaler]

Okay, looks like multiple stories are reporting emails between not just iCloud accounts, but between other providers, are being encrypted now. I verified myself via Google's transparency site. The stories also note they're not using AES, but using RC4, a much weaker protocol. Every time I'm encouraged by Apple thinking smarter about Internet security, they take half steps toward good solutions. I also remember they were one of the last large web-based email providers to switch to SSL encryption in the browser; another time they let their SSL certificate expire.

Safer email ? Transparency Report ? Google
Apple begins encrypting iCloud email sent between providers | 9to5Mac
Apple Now Encrypting iCloud Email Sent Between Providers | MacTrast

 

[2984839]

Anything short of end to end encryption using keys generated and stored locally on each user's device is purely symbolic. Why it still isn't the default is mind boggling.

 

[whsbuss]

Anything short of end to end encryption using keys generated and stored locally on each user's device is purely symbolic. Why it still isn't the default is mind boggling.

Well not everyone wants to pay for email certs and the free ones only last for a year.

 

[Alrescha]

Well not everyone wants to pay for email certs and the free ones only last for a year.

You can generate your own certs, or you can use PGP. You do not have to use a centralized authority. Such a solution is not without its challenges, of course.

A.

 

[2984839]

Well not everyone wants to pay for email certs and the free ones only last for a year.

GPG is free and open source and requires no certs. It's available for any vendor to build into their software by default. It's a better solution than S/MIME anyway.

 

[impaler]

You can generate your own certs, or you can use PGP. You do not have to use a centralized authority. Such a solution is not without its challenges, of course.

A.

While technically true, I believe nearly anyone that relies on iCloud for their primary email isn't thinking about these things at ALL. This story will definitely fly under the radar for the majority of their users.

 

[2984839]

While technically true, I believe nearly anyone that relies on iCloud for their primary email isn't thinking about these things at ALL. This story will definitely fly under the radar for the majority of their users.

That's the truth, and it's why GPG should be built in and used by default. It could be done quite transparently too.

 

[Alrescha]

While technically true, I believe nearly anyone that relies on iCloud for their primary email isn't thinking about these things at ALL.

Sure, but then we are back to 556fmjoe's point; if you are not encrypting end-to-end, this whole business of encrypting between providers is of little consequence (i.e.: your mail just gets read at the provider, rather than in transit).

A.
(I was more surprised to learn that *anyone* was doing it than I was to learn that Apple was one of the last major players to do it).

 

[ugahairydawgs]

You can generate your own certs, or you can use PGP. You do not have to use a centralized authority. Such a solution is not without its challenges, of course.

A.

So let me get this straight......

You want the company that has tried to move the post-PC market to a file system-less world to all of a sudden try to get users to start generating their own encryption certificates for email?

Seriously?

There are people that need serious encryption for their email. Those people do not use iCloud for that mail.

 

[Alrescha]

You want the company that has tried to move the post-PC market to a file system-less world to all of a sudden try to get users to start generating their own encryption certificates for email?

Please do not put words in my mouth.

Seriously?

And then object to something I did not say.

A.

 

[2984839]

So let me get this straight......

You want the company that has tried to move the post-PC market to a file system-less world to all of a sudden try to get users to start generating their own encryption certificates for email?

Seriously?

There are people that need serious encryption for their email. Those people do not use iCloud for that mail.

No, key pair generation should be done automatically upon app installation or setup, with the option to import existing keys. Give the user the option of encrypting their private key with a passphrase or TouchID, since making it mandatory discourages its use altogether. Ship public key to Apple's server. Any email to another iCloud email user retrieves the recipient's public key and encrypts the email with it by default.

Most of the code for this already exists in GPG, so it shouldn't be hard to implement. Performance will be fine across platforms with elliptic curve keys and AES-128. The user would have minimal interaction with the underlying GPG process, nobody would be forced to enter long passphrases, and nobody would have to remember to encrypt. If Apple does it, it will build the infrastructure of key pair equipped users to allow other providers to do it too.

 

[sjinsjca]

Anything short of end to end encryption using keys generated and stored locally on each user's device is purely symbolic. Why it still isn't the default is mind boggling.

Absolutely true.

There are some things that cannot be trusted to third parties today. Having trust certification managed by a certificate authority of any type stands revealed as absolute futility, given the multiple breaches of CAs over the past years, and the prevalence of things like Microsoft's Forefront "threat management gateway" and Packet Forensics' SSL-breaking man-in-the-middle machine, which dates back to 2010. References: https://www.grc.com/fingerprints.htm and http://www.wired.com/2010/03/packet-forensics/ ...in fact, major antivirus programs work by inserting themselves in the trust chain; see http://rants.effu.se/2013/03/Arrogant-Anti-virus-Doesn't-Appreciate-Your-Choices for a discussion of one major player's encryption-subverting approach. Given that the antivirus industry is stuffed with East Bloc talent, allowing them to man-in-the-middle all your secure communications would seem to be a risk all its own.

It used to be that I'd feel comfortable using SSL and such, thinking it would stymie most bad guys and at least inconvenience the really sophisticated snoops. Turns out that's false confidence, bigtime. Otherwise your communications are about as secure as they'd be if you spoke only in pig latin. Meaning, not at all.

So between purloined or hacked CA certificates, SSL-breaking utilities and hardware that may be on any network you use or connect-through even indirectly, and man-in-the-middle-ware willingly installed by users and corporations, it's clear that anything that really needs encrypting needs tools entirely under the user's control. Fortunately these are plentiful, such as the superb, free GPGTools for OS X's Mail.app (https://gpgtools.org). But people have to use them for them to work.

 

[Alrescha]

So between purloined or hacked CA certificates, SSL-breaking utilities and hardware that may be on any network you use or connect-through even indirectly, and man-in-the-middle-ware willingly installed by users and corporations, it's clear that anything that really needs encrypting needs tools entirely under the user's control. Fortunately these are plentiful, such as the superb, free GPGTools for OS X's Mail.app (https://gpgtools.org). But people have to use them for them to work.

Exactly. I happen to like S/MIME with locally-generated certificates, some people like PGP (in the guise of GPG). I have used both, and test them annually with my like-minded associates. Amusingly, we have nothing of any import to say, and if we did we would not use email...

A.
(who has always treated email as if it were written on a postcard)

 

[impaler]

if you are not encrypting end-to-end, this whole business of encrypting between providers is of little consequence (i.e.: your mail just gets read at the provider, rather than in transit).

A.
(I was more surprised to learn that *anyone* was doing it than I was to learn that Apple was one of the last major players to do it).

Speaking only for myself, I think both Google and Apple's terms of service are good enough for me to trust humans aren't scanning and reading my emails. This whole NSA thing is another story, and beyond scope of my knowledge. As far as SSL, I remember when MobileMe (me.com) actually was http only. Completely in the clear. Nuts!

Seems at times, "Security" is done as a marketing ploy to say they're safe.