Safest messaging app?

I was looking at this article, but found it confusing. I guess the main issue is cross platform messaging.

I also read somewhere that Apple was going to stop using the green bubbles versus the blue bubbles. For me I always thought those were important because it indicated whether the other person was an Apple user and I could send my message for free even internationally. If it’s green, aren’t there possible costs for international messaging?

Any opinions on this?

The Internet and the public phone networks have never been secure. Hackers, including state-sponsored hackers and law enforcement agencies, have always been able to tap anything they want, and even the “good guys” don’t always care about legal formalities like getting warrants.

If you want anything to be secure, you need to encrypt it yourself, using software that is known to be secure. Some (but definitely not all) examples include:

  • Web browsing using HTTPS URLs, and disabling ciphers known to be insecure. All modern mainstream web browsers should already support this.

  • Encrypted e-mail. While most mail clients and servers and web-mail apps do encrypt the data while it is in transit, and some mail servers may encrypt your mailboxes, the only way to guarantee security is to end-to-end encrypt the messages themselves.

    Unfortunately, this is much easier said than done. While the S/MIME protocol has existed for a long time, and many mainstream mail clients support it (including Apple Mail, Mozilla Thunderbird and Microsoft Outlook), you need more than a compatible app. You need to have a security certificate for each account, you need to send your public key to all your recipients, and you need to get public keys from your recipients (which means they also need a compatible app and their own certificates).

    This is a lot of work that a lot of people need to do, so I’ve only seen it in corporate mail environments where an IT department can create certificates for all employees, pre-install the certificates for each user, and make the public keys available via a corporate LDAP directory.

  • Messaging. Use an app that supports end-to-end encryption. iMessage is one. The Forbes article mentioned a few others. I wouldn’t trust an app from Meta or Google - they have not exactly proven themselves trustworthy when it comes to privacy.

But I find it amusing and ironic that the FBI wants you to encrypt your content, but use software that will give law enforcement a back-door. As if nobody else will ever exploit that back door, and that law enforcement can always be trusted to use that back door responsibly and legally.

2 Likes

It’s more than a little ironic, given that Salt Typhoon (the threat that prompted the “use encrypted apps” followed by “uh, we meant use broken encrypted apps”) is believed to have exploited a legally-mandated backdoor that was intended to give only “the good guys” access to the phone networks.

2 Likes

But… It’s only end-to-end encrypted if it’s Apple-device to Apple-device, right? Isn’t that one point they were making?

1 Like

iMessage falls back to using SMS or RCS to connect to Android devices - protocols that are not secure. For a cross-platform solution, Threema or Signal are good IMO. Whatsapp would be OK if you’re fine with a FB app, but there are good reasons why one might not be.

2 Likes

I rarely use WhatsApp, but it’s handy for this case: I am in Japan and 2 people I do some work with are in Ecuador and the U.S. Amongst the three of us, two are iPhone users and one is an Android user.

WhatsApp lets us each have accounts with our country’s phone numbers.

If I tried to use iMessage then the person on an Android in another country couldn’t text me for free and I couldn’t text him back for free.

But with WhatsApp we can all text each other for free. And even though it’s owned by Meta, a Facebook account isn’t required.

So that’s one situation.

Another is after Apple gets rid of the “green bubbles” soon I won’t know if I’m texting someone internationally for free or not. Blue has always meant “another Apple user” so we could communicate with no international fees.

I have not read that and I don’t think it’s true. What is true is that there will be no color difference between RCS and SMS sent messages - they will always show green. (Note that it’s only your messages that show color, and it’s after they are sent.)

True. I believe that an encryption standard for RCS is being developed and Apple intends to support it when it’s available. Google has a proprietary encryption method for Android, but Apple will not support it unless it’s adopted as the standard, which I believe is not being considered.

There is an option for that in the settings for messages that you can turn off (“Send as text message”.). I thought that the default was for that to be off? I could be wrong about that though.

And to be pedantic it’s not just android devices - it would be for flip phones too, for example. But, sure, these days most people use smartphones, so it would be mostly messages sent to Android users.

I think Signal is great. WhatsApp is also very good and uses Signal’s open source encryption protocol. That said, it’s also possible to flag messages for moderation which makes the message unencrypted to Meta employees, and Meta can see a lot of metadata from messages. See WhatsApp “end-to-end encrypted” messages aren’t that private after all - Ars Technica (this is a three year old article - maybe it’s no longer true?) This is what Meta says about end-to-end encryption: https://faq.whatsapp.com/820124435853543

Telegram is another popular option, but it’s using a proprietary encryption algorithm that’s never been certified by neutral third-party security analysis, as far as I know, and I believe it’s considered doubtful that it’s truly hard-to-break encryption. I also think it’s only end-to-end encrypted for one to one messaging - groups are not end-to-end encrypted without setting an option (if I remember correctly.) So I wouldn’t use it.

2 Likes

Another vote for Threema. If cross-platform and secure is what you want, where I’d never resort to anything that has anything remotely to do with Facebook, Meta, or Zuck, then Threema does it for me. They take their privacy laws pretty seriously over there so good source, independently vetted, works. The server side is not open source, but neither is iMessage. What I know is that whenever they got vetted, they either came out great or they fixed whatever had been reported (like iMessage).

True. For me, that’s fine. Almost everybody I know is using an iPhone or an iPad. But I recognize that this isn’t the case for everybody else.

I had no problem with Telegram until this news from September:

The French government invited Telegram’s CEO for some official meeting and then promptly arrested him when he entered the country, claiming that he’s personally responsible for alleged criminal activity using his service.

They let him out on $5.5M bail after he promised to work with law enforcement. The article claims that this cooperation will only involve public areas of the web site, which are not secure, but I remain suspicious that he may have been forced to commit to adding government-access back doors.

As for WhatsApp, Durov claims that it already has backdoors, which is why governments are so eager for the world to use it:

Social Barrel: Telegram founder makes shocking backdoor claim about WhatsApp.

1 Like

I agree that Threema is also great but in order to communicate with someone you need to share QR codes to share the public keys. If you are messaging with someone you physically see regularly, it’s a great choice. If not, then you need to figure out a good way to securely share the QR codes, and secure messaging is the thing you’re trying to do in the first place.

The FBI’s main point from the article is that they want providers to switch from end to end we can’t decrypt it encryption to “responsibly managed encryption” which the FBI defines as the provider having a back door so that they can provide clear text to the FBI on receipt of a court order. It’s just a sneaky way of trying to get a back door without calling it a back door. I can understand the desire of law enforcement for that to prevent the going dark as they describe it…but it’s fundamentally against Apple’s long standing policy on end to end encryption and a law enforcement back door won’t remain a law enforcement only back door for long.

3 Likes

Relay through a trusted 3rd party can be used, if available, which is of course not always the case.

My personal view, as somebody who follows security and privacy issues, is to not use Telegram at all, to avoid all Meta properties and products as much as possible, and to prefer Apple services over Google services for daily use where possible.

Why?

  1. Telegram relies on security through obscurity. I prefer encrypted products that use widely adopted and vetted protocols.
  2. Using end-to-end encryption on Telegram is a manual and inconvenient process. [1]
  3. Telegram is used by many groups and organizations I don’t support. [2]
  4. Telegram is used for many activities I disagree with (legal) or abhor (illegal).
  5. I dislike Meta, its leadership, and its corporate strategy.
  6. Yes, Apple is a big company that is increasingly turning its customers into products that are offered up to advertisers. But I consider Apple to be more respectful to its users than Google. I do use Google for some single-use email addresses, Google Authenticator, and a single-use Google Voice number due to the absence of alternatives to my liking.

  [1] “Telegram clearly fails to meet this stronger definition for a simple reason: it does not end-to-end encrypt conversations by default. If you want to use end-to-end encryption in Telegram, you must manually activate an optional end-to-end encryption feature called ‘Secret Chats’ for every single private conversation you want to have. The feature is explicitly not turned on for the vast majority of conversations, and is only available for one-on-one conversations, and never for group chats with more than two people in them.”
    Is Telegram really an encrypted messaging app? – A Few Thoughts on Cryptographic Engineering

  [2] “The company, which offers features that enable criminals, terrorists and grifters to organize at scale and to sidestep scrutiny from the authorities, has looked the other way as illegal and extremist activities have flourished openly on the app.”
    https://www.nytimes.com/2024/09/07/technology/telegram-crime-terrorism.html

1 Like

And back to an earlier question: if free SMS messages are needed, many mobile phone carriers include both domestic and international SMS’s in their plans (at least in my location, I don’t know anything about how Japanese mobile plans are structured).

Wow. This topic generated more replies than I imagined. And I realized I didn’t really know the details of differences between iMessage, RCS (which I had never heard of), and SMS/MMS (which I always assumed was just standard texting where MMS became a more modern version at one point). So I found this page at the Apple site which distinguishes between it better: What is the difference between iMessage, RCS, and SMS/MMS? - Apple Support

While end-to-end encryption definitely is important under certain circumstances (e.g. telling your sister a credit card number) my immediate concern was availability and cost and what the “blue vs green” bubble meant to me.

When I send a message to a phone number, what the blue bubble has always meant to me is that the other person is also an Apple device user. So it didn’t matter where they were in the world, there would be no extra charge for messages between us.

If I start typing the message and it’s a green bubble it means the person on the other end is probably an Android user or, as somebody else mentioned, a pre-smartphone user. In that case I think there might be per message charges both domestically and internationally. I need to check into this some more when Softbank opens, but just searching around it seems like all the major U.S. carriers (ATT, Verizon, etc.) seem to have a per text charge. And internationally it could be higher.

That’s where WhatsApp seemed handy. In the situation I mentioned we have three colleagues: Doug is in Japan, Lisa is in the U.S., and Jon is in Ecuador. Lisa is an iPhone user, but Jon is an Android user. I think if we just use SMS/MMS via our default system texting that there would be extra costs involved.

WhatsApp (despite being owned by Meta) comes in handy because around the world it seems most people have it installed and it’s free to use and you can use your phone number anywhere in the world to register. So Lisa, Jon, and I can talk for free about this and that involving work issues, when needed. Usually it might be something simple like, “Jon, please check your mail about this new problem we found.”

A side-note: Here in Japan, the universally-used cross-platform messaging system is LINE. My neighbors are mostly Android users (in fact, aren’t most smartphone users Android users?), so we communicate with each other via LINE.

We all avoid just ordinary texting mainly because of extra carrier fees.

It does seem in the Forbes article I originally quoted that the green bubbles aren’t disappearing. That’s reassuring - not for encryption reasons only, but for cost reasons.

I also have Signal and Telegram installed, but don’t use them. I just opened Signal and it is telling me my device is no longer registered. I don’t know whether it’s worth registering it again. I just opened up Telegram for the first time in a long time and see a few old chats from people I know. I don’t really know the benefits of using these apps. Doug Miller here says Signal is great, so I guess I’ll re-register my device. I think I’ll not get into Threema, which was mentioned here. The purpose of all these apps, in the end, is to communicate with people. So it’s easiest to use well-known solutions that everybody is likely to have.

1 Like

Yep. It means the message will go out over iMessage. Which means it is Internet data (and will be billed as data, not a text message) and the recipient will be reading it on an Apple device (Mac, iPhone, iPod, iPad, etc.)

It could also be an iPhone user who doesn’t have a data connection and is therefore receiving the message as SMS. Years ago, when I had limited my daughter’s mobile bandwidth (to prevent costly overages), she would usually disable cellular data, relying on Wi-Fi for data content. If I would text her when she’s away from Wi-Fi, it would go out as a green-bubble SMS.

One thing to look out for is the configuration option Settings → Apps → Messages → Send as Text Message (iOS 18 - may be in a different location on older iOS releases). This feature will tell your phone to switch from iMessage to SMS/MMS/RCS when it can’t deliver a message via iMessage.

If you are sending to an Apple user who sometimes doesn’t have Internet connectivity (like used to be the case for my daughter), then this fallback can compromise privacy. You can, of course, disable the feature, but then you’ll get delivery failures when an Apple user is off-line. You need to decide which is the worse problem.

Definitely true. When I took a group trip overseas last year, we created a WhatsApp group chat for our tour group. I also used it to voice-call (not just chat) with personal friends I had there. But I don’t use it except for chatting with those people who have no other means of contact. And I am very careful about what I say because I don’t trust Meta one whit about privacy (and, of course, because there’s no such thing as a secret in a group chat of any kind).

1 Like

Quick & dirty synopsis: If you want E2E encryption for your TXT messages, you’re already getting it if you use Apple’s Messages app whenever you see blue bubbles (which means that your message was sent end-to-end encrypted – which won’t happen at least with SMS/MMS messages, and at least for the near term with RCS as well).

If you want to use E2E with those other folks, you’ll need to use a different messaging client app … and so should they.

Somewhere there’s a chart showing which clients harvest from you and your device. I can’t seem to locate it any more, but IIRC correctly, it’s like this:

Threema allegedly doesn’t collect anything. Though the downside to using it is that you have to exchange keys in advance, separately with each user you want to communicate with.

Signal wants you to register your Signal app with them, using your phone number. That’s so you can look up and send an encrypted message to another user (by looking up their number with Signal). [Alternatively, you can exchange Signal Usernames (which are very easy for you to change at any time) … and apparently the other user need never know your phone number …] Presumably, Signal collects the phone number and/or username of each message exchange – which they do not retain, and afterwards they don’t have anything useful to share with law enforcement about the conversation.

WhatsApp collects a lot of data through its app (which is from Meta). How much do they give (and to whom)??

Telegram collects even more, and acknowledges that it gives anything they request to (at least) law enforcement … and only private chats are actually encrypted anyways.

I also found this article a good read over breakfast for people like me who didn’t know what RCS was and who are acronym-challenged and didn’t know that E2EE stood for end-to-end encryption! What is RCS and how is it different from SMS and iMessage?

You can still use your phone number - I do - but you can now also use a user name.

How quickly we all forget…Signal received a thorough write up right here on TidBITS!

2 Likes