this post was submitted on 24 Aug 2023
24 points (100.0% liked)

The Signal messenger and protocol.

1639 readers
1 users here now

https://signal.org/

founded 4 years ago
MODERATORS
 

One feature of apps such as iMessage and WhatsApp is that your texts or voice calls are scrambled and private from everyone.

With end-to-end encrypted technology, no one but you and the intended recipients can know what you wrote or said — not hackers, the app companies or the police.

Except, not everything is end-to-end encrypted in end-to-end encrypted apps.

That could mean what you type in chats are saved on company computers that corporations such as Apple or your phone provider could read. Details such as the timestamps of every text to your boyfriend might not be under lock and key, either.

That’s not necessarily bad. Each end-to-end encryption choice has trade-offs. More privacy and security could also make it harder for you to use an app, or can shield activity of terrorists and child predators.

The mess I’m describing — end-to-end encryption but with certain exceptions — may be a healthy balance of your privacy and our safety.

The problem is it’s confusing to know what is encrypted and secret in communications apps, what is not and why it might matter to you.

To illuminate the nuances, I broke down five questions about end-to-end encryption for five communications apps.

Is the content of every message automatically end-to-end encrypted?

  • WhatsApp: Yes

  • Apple’s Messages: No

  • Messages by Google: No

  • Meta Messenger: No

  • Signal: Yes

The biggest encryption caveat is for the built-in texting apps on iPhones and most Android phones in the United States. Those are Apple’s Messages app, also known as iMessage, and the Messages by Google app.

If you use Apple’s app, texts that you send and receive are only end-to-end encrypted if everyone else in the chat is using that app.

If the text you see is in blue, the contents of messages are end-to-end encrypted for everyone in the chat.

Even if Apple wanted to read your texts, it doesn’t have a key to unscramble those messages. (There’s a caveat in the next section about backup copies.)

But the dreaded green bubbles are Apple’s warning. If you’re in a group chat with three people using Apple’s chat app and one person on an Android phone, no one’s texts are end-to-end encrypted.

Each of your mobile phone providers might save every word of your communications. Those companies could, in theory, read your messages, lose them to thieves or hand them over to police with valid legal orders.

Google’s chat app has the same encryption loophole. (For most people in the United States, Messages by Google is the standard texting app on Android phones.)

Your texts in Google’s chat app are only end-to-end encrypted if everyone else is using that app.

Google shows if your texts are end-to-end encrypted with signs such as a lock icon under texts and another on the send button.

Are backup copies of your messages automatically encrypted, with no option for the app company to unscramble them?

  • WhatsApp: Yes

  • Apple’s Messages: No

  • Messages by Google: Yes*

  • Meta Messenger: No

  • Signal: Yes

WhatsApp and Signal don’t let you save copies of your texts or call logs to the app makers’ computers.

That means they don’t have saved message copies in a cloud that crooks could break into.

But if you buy a new phone and forget your password, WhatsApp and Signal can’t really help you transfer all your old texts.

If you back up copies from Apple’s chat app and Meta Messenger, the companies have the keys to unscramble what’s written in encrypted chat copies. Again, these unscrambled text copies can help in criminal investigations or they could be stolen or misused.

Apple recently introduced a choice to fully end-to-end encrypt backup copies of iCloud accounts, which means not even Apple could unlock your scrambled backup texts.

If you pick that option, Apple can’t help recover your chats if you forget your account password.

This risk is why Apple makes this feature a pain to turn on, and requires you to list a plan B if you forget your password, such as a personal contact who knows your decryption code.

WhatsApp has an option to save backup copies of your messages to Apple’s or Google’s cloud. WhatsApp doesn’t save those backups.

For Messages by Google, the company says chats backed up to the company’s computers are automatically encrypted – as long as your Android phone has a screen that you need to unlock with a password or another method.

Google gets an asterisk because it says it cannot unscramble your backup texts in its cloud. But it can for attachments like photos.

Meta Messenger has been testing an option for people to turn on fully end-to-end encrypted backups.

Does the app save your account details in a way it can access?

  • WhatsApp: Yes

  • Apple’s Messages: Yes

  • Messages by Google: Yes

  • Meta Messenger: Yes

  • Signal: Yes*

Most end-to-end encrypted apps save some “metadata,” or details about you or what you do with the app. They can retrieve the metadata if necessary.

The app companies aren’t necessarily specific about which metadata they save and can unlock. This information can make you less private– and it can help in criminal prosecutions.

WhatsApp, for example, may have your general physical location when you use the app and the names of your group chats. Under legal orders, WhatsApp has the ability to log the phone numbers your number communicates with.

WhatsApp says these details can help identify spammers and aid in investigations of potential criminal activity including people who share images of child sexual abuse.

Signal is a yes with an asterisk because it doesn’t save much the app can retrieve – just a phone number used to set up an account and the last time the account connected to Signal.

Are disappearing messages an option?

  • WhatsApp: Yes

  • Apple’s Messages: No

  • Messages by Google: No

  • Meta Messenger: Yes

  • Signal: Yes

Even with end-to-end encrypted texts, someone on the receiving end could leak them or turn them into the police.

For extra privacy, WhatsApp, Meta Messenger, and Signal have an option to set texts to automatically delete in as little as 24 hours from the phones of everyone in a chat.

This isn’t ironclad, either. Someone could take a photo of your messages before they disappear.

Does the app use the Signal protocol?

  • WhatsApp: Yes

  • Apple’s Messages: No

  • Messages by Google: Yes

  • Meta Messenger: Yes

  • Signal: Yes

The Signal protocol is considered a gold standard. No one yet has found holes in the end-to-end encryption technology.

Read more:

you are viewing a single comment's thread
view the rest of the comments
[–] tcely@fosstodon.org 1 points 1 year ago (1 children)

> It’s about reducing the cognitive load in knowing what’s secure vs what isn’t.

I completely agree with this! However, pushing both the decisions and the actions onto the user doesn't accomplish this. Imagine if you had to install different apps for http and https, then assemble the pieces of each page yourself before viewing it and decide which app to use to send your next request with.

This scenario is both error-prone and less secure.

@KLISHDFSDF

[–] KLISHDFSDF@lemmy.ml 1 points 1 year ago

Good analogy, although I think it falls apart when we consider that SMS is a legacy messaging protocol (over 30 years old now) that is insecure, unreliable, doesn't work over the internet and lacks a ton of features considered mandatory on various other messaging platforms, etc. To compare SMS to any modern messenger is doing a disservice to the all the bells and whistles we've taken for granted in the age of modern messaging platforms.

Another example is FTP being dropped from Chrome and Firefox. Should Mozilla and Google have continued including support for that legacy protocol just because it's been there historically? Is it a bit more complicated for some users who need to use FTP? Probably, but they should be in the minority. Sometimes the best path forward is to deprecate legacy tech.