Comment by sgammon
1 month ago
Ultimately, here is a user-level guide to this feature:
(1) Do you trust iCloud? iMessage?
If so, then you already trust weaker technologies than the ones in use here. In my opinion, trusting iMessage is sensible, and it has been tested (see: FBI and San Bernardino shooter's phone).
(2) Do you trust TLS (i.e. HTTPS)?
If so, then you already trust weaker encryption architectures than the ones in use here. Your counterparty over TLS necessarily needs to _decrypt_ the data you send it. That is not the case here; homomorphic encryption means Apple processes the data in _encrypted form_.
(3) Do you consider opaque derived data as risky as plaintext metadata?
If so (i.e. if you feel an MD5 hash of your phone number is just as risky as your actual phone number), then you may take issue with this feature. If not (you are OK with hashes of your data because you understand how encryption works, and that it must be transmitted either way, so a salted hash is obviously a strictly better choice), then you already trust weaker protections than the ones in use here.
(4) Do you trust Face ID/Touch ID?
Hardware-secured keys are a necessary root of trust which underpins all these features. If you don't trust these, you won't like this feature, and, in fact, all bets are off.
Thus, the feature is secure enough to be defaulted to an active state.
No comments yet
Contribute on Hacker News ↗