Comment by tptacek

4 years ago

The bugs we're talking about have almost nothing to do with the underlying message transport, but rather the features built on top of it. Replacing iMessage with IRC wouldn't solve anything.

No, but my point is about complexity.

If all iMessage allowed were ASCII text strings, do you think it would have nearly the same attack surface as it does now, allowing all the various things it supports (including, if I recall properly, some tap-based patterns that end up on the watch)?

In a very real sense, complexity (which is what features are) is at odds with security. You increase the attack surface, and you increase the number of pieces you can put together into weird ways that were never intended, but still work and get the attacker something they want.

If there were some toggle to disable parsing everything but ASCII text and images in iMessage, I'd turn it on in a heartbeat.

  • Virtually no one wants to use a messaging platform that just sends ASCII strings.

    It's true that if you constrain the problems enough, ratcheting them down to approximately what we were doing with the Internet in 1994 when we were getting access to it from X.25 gateways, you can plausibly ship secure software --- with the engineering budgets of 2021 (we sure as shit couldn't do it in 1994). The problem is that there is no market to support those engineering budgets for the feature set we had in 1994.

    • > Virtually no one wants to use a messaging platform that just sends ASCII strings.

      That's just about all I use for messages. Some images, but it's not critical. And if I had the option to turn off "all advanced gizamawhatchit parsing" in iMessage to reduce the attack surface, I absolutely would - and you can bet any journalist in a hostile country would like the option as well.

      The whole "zero click" thing is the concerning bit - if I can remotely compromise someone's phone with just their phone # or email address, well... that's kind of a big deal, and this is hardly the first time it's been the case for iMessage.

      If software complexity is at a point that it's considered unreasonable to have a secure device, then it's long past time to put an icepick through the phones and simply stop using them. Though, as I noted above, I feel this way about most of modern computing these days.

  • The "and images" part has historically been a rich source of software exploits. I would guess that chat with full Unicode support but no images would be easier to implement to a high degree of security than ASCII text plus images.

  • First of all, getting rid of Unicode is not going to happen. Don’t ask.

    Getting rid of images might be doable, but still difficult. Taking features away from people is politically difficult.

    • You know what else is "politically difficult"? Getting journalists and such killed because they're in a hostile nation, and your phone is vulnerable to remote zero-click exploits with full pwnage.

      Give users the option. If you're not 100% confident in your parsing (and nobody should be), allow users the option to restrict parsing to something that's limited, tested, fuzzed, and generally trusted. People who care can turn it on. People who want touch memojis on their watch can leave it off.