cross-posted from: https://kbin.projectsegfau.lt/m/[email protected]/t/26889
Google just announced that all RCS conversations in Messages are now fully end-to-end encrypted, even in group chats. RCS stands for Rich Communication Services and is replacing traditional text and picture messaging, providing you with more dynamic and secure features. With RCS enabled, you can share high-res photos and videos, see typing indicators for your…
Fun fact, a group I knew in uni made an end to end encryption program that sent messages through Google more than a decade ago and Google got really, really mad at them threatening to shut down all Google accounts associated with all IP addresses they used.
Guarantee it’s not fully E2E.
It’s E2E, E2E isn’t really something you can be sneaky about unless you roll your own encryption and then make claims about it totally being safe bro
They, however, run the app you are using to type everything, the keyboard you are using to type everything and the os you are using to type everything. If they want something, they don’t need to look at your in flight messages.
The trust doesn’t even have to be in the encryption, they could very well use the same signal protocol. They would only need a copy of the keys you are using and you wouldn’t even know… That’s the problem with closed source programs, there is no certainty that its not happening (and I’m not saying it is, I can’t prove it, obviously, but the doubt remains, we need to trust these companies not to screw us over and they don’t really have the best track record in that…)
As if you’re any more comfortable with open source software, actively vetting the code, building it yourself, running your own server.
For all you know, Signal keeps a copy of your keys, too. And happily decrypts everything you send and sells it to russian data brokers for re-sale to advertisers.
There is a post gathering all security audits performed on Signal messenger:
https://community.signalusers.org/t/overview-of-third-party-security-audits/13243
And anybody can double check it, because it’s open source. And not only is it open source, but they have reproducible builds which mean you can verify that the apk you download is the same version as is hosted on github. They also have server code published. Pretty rare. Additionally experts in the field themselves endorse signal.
Your point is valid for many projects, as open source is not a guarantee for security. But signal is a pretty bad example for that.
Signal had their server code published? I thought they closed sorced that. I even didn’t notice.
It was left unupdated for a while, but it’s been updated again: https://github.com/signalapp/Signal-Server
But that’s kinda my point, you rely inherently on someone else doing what open source allows you to do. So in the end you can be tricked just the same.
I mean of course, Signal is a pretty clearcut case, but even with that one you - and I’m guessing here but tell me it ain’t true 😅 - probably do not actively verify things. You did not check the source code. You did not build your own APK to install it. I don’t think you can build the desktop version yourself but I ain’t entirely sure, granted. You probably did not probe the network data to see whether the built APK actually does what the source code promises it’ll do or has been swapped out for one that allows the server they’re running to log all messages sent.
And so on.
My point was entirely that even in the easiest of cases where we could do all of that, we do not actually do it. Hence the point of being able to do that is usually extremely moot.
And I say this as someone who, at work, checks external libraries we’re using, which is an insanely time-consuming job that entirely explains why no one in their right mind does this without being paid for it, that is, in their spare time for private use.
If you can’t trust peer review from experts in a field, many aspects of society break down. For example:
- How can we trust the word of an engineer that says a bridge is safe? Did you verify the calculations yourself? Have you personally tested the tensile strength of that rebar? Better to just avoid bridges to be safe.
- How can we trust the word of a doctor when they prescribe something? Did you personally look up all the possible side effects and made sure you’ll be safe? Do you research clinical trials yourself to verify efficacy? If you don’t trust your doctor, you’ll be right at home with the anti-vaxxers.
- How can you trust a lawyer to argue your best case? There’s thousands of pages of law that most people haven’t read. Do you know for yourself that there isn’t some past precedent that completely flips your case? Defending yourself is a bad idea for a lot of reasons.
Nobody can be an expert in every field. It’s completely unfeasible for most people to verify source code themselves, but that doesn’t mean open source doesn’t matter. Society operates on a degree of trust in our fellow humans that ARE experts in their field. The more experts in agreement the better, since nobody is infallible.
I’m not sure what you’re suggesting people do? Go live in a hole by themselves because the world is full of liars and deceivers? Or become superhuman and hand verify every possible thing that could negatively effect them?
No of course not. I’m sorry if I’m expressing this badly, my point was merely that open source tends to add a false sense of security for people. The relevant ability to verify is factually never used, and experts that review the code might as well have had access to it without it being open sources (see Whatsapp’s audit a while back).
That is not to say that Open Source is not a good thing, don’t get me wrong. But I feel we tend to massively overstate what it adds for us personally. We put too much value on that side of it, as if it automatically means every user has personally verified everything.
I’m not qualified to determine personally the situation of signal, or any other app. But I don’t need to. There are several experts who are and the fact that multiple of them have analyzed and evaluated an app as signal should give us a lot of confidence in their conclusions.
We need to trust experts, and I don’t mean individual experts, but the experts as a whole, especially when they verify each other’s work. This is what it’s about. You can’t do everything yourself, you got to trust some form of collective.
Bullocks
They can… everything is closed there. It can just be “encrypted” for your eyes
It’s E2E, E2E isn’t really something you can be sneaky about unless you roll your own encryption and then make claims about it totally being safe bro
With a closed source app? Of course you can. How is anyone supposed to know what keys you use for encryption? Doesn’t even need to be a remote one - just the key generation be reproducible by the developer.
I don’t know if you’re understanding that that’s his point.
If Google can reproduce the key it’s not fully “end to end” unless one of the "end"s is Google.
I know they have unencrypted versions from my phone because my tablet and desktop version of messages seamlessly connects to the chat. So it’s probably be E2E in transit alone.
Sent messages “through Google”? Like Chat? Email? That’s such an ambiguous statement.
E2EE has been a available approaching three years now. I’d imagine if they were lying and defrauding the population, someone would have found out by now. This announcement is just that it’s on by default for everyone.
Hangouts.
It doesn’t matter if it’s E2E or not when Google can spy on you directly on the phones at either end.
Pretty much
You can use whatever chat clients you want. Multi-billion dollar companies control your OS. They don’t need to sneak in a rootkit: The OS is their rootkit.
E2E encryption is theoretically nice in the event there is a man in the middle at the cell tower or company. It is of arguable (zero?) value in sim spoof situations. But it is better than not
But still, don’t trust it for anything that google/apple might care about. Because transmitting and processing voice is hard. Effectively grepping a screen for such dangerous words as “terorrism” and “union” is almost zero cost. Like, I don’t expect google to give a shit about if you like hookers or buy drugs or whatever. But if you are involved in anything that could impact their bottom line…
Reminds me how much I hate Apple.
Thanks Google for making Android.
Now please turn the evil knob down a notch and go back being the awesome company you once were.
Edit: typo
The fuck does this have to do with Apple?
Doesn’t really explain what google enabling E2E on RCA has to do with Apple
He’s talking about RCS in general. Apple won’t implement it as it’s a huge threat to iMessage which is a service that keeps a lot of the US users buying their phones.
I feel like Google has everything to gain and apple has more to lose by implementing this. It’s not good guy Google, bad guy Apple. It’s a business decision. I say this as an Apple hater.
If the shoe was on the other foot Google would be doing the same thing.
Google tracks you everywhere you go all over the internet. Like 90% of websites have a script that calls home to Google to let them know you visited. That’s their business model.
Now, open up the RCS API to third party texting apps… Like you said you would many years ago
Yes! I’d love to go back to using Signal as my main messaging app.
Kinda wary to switch in case it turns up in the Google Graveyard.
Fortunately I think this is one of the ones that will stay around.
Definitely happy that this is happening, good on them. However in practice since most of my friends are on iOS I’m still reduced to SMS/MMS and a terrible user experience
There’s an app currently in beta called Beeper that aggregates a bunch of chat apps into one and also lets Android users connect to iMessage using an Apple ID. Highly recommend getting on the wait-list for it, the app has been great and the team working on it are very responsive and transparent.
Unfortunately RCS support is still in active development so anyone using it may not want to connect their number yet (unless they’re cool with SMS’ing with other Androids).
Oh yeah I heard about that! Do you use it? How’s the iMessage support on Android? Ideally I’d love if my chats with Android users go over RCS but chats with Apple users go over iMessage.
That all said relaying my chats through a 3rd party doesn’t make me feel all warm and fuzzy inside…
My entire universe uses whatsapp exclusively 🤮 and I refuse.
Get better friends /s
but ya, the only person I text who is on iPhone is my “influencer” sister. Everyone else uses Android, and I can use RCS.
But everything still kept in their cloud right?
As an Apple owner I hope Apple will implement this too. I live in a country where everybody communicates through WhatsApp unfortunately.
What do you mean? iMessage is fully end to end encrypted.
As far as google messages RCS goes, that’s googles proprietary version of RCS.
I think they might mean they wish Apple would support RCS in general (which Apple has been refusing to do)
For good reason. Honestly anyone pushing for RCS is an idiot or doesn’t understand what they are pushing for.
Among many issues (including E2E missing by default) the idea of giving any control back to carriers is just stupid.
You’d rather have the yellow billion dollar company have full control instead of the cyan one? Who cares, it makes no difference! 🤷
At least RCS is a standard. That’s not a big plus in this particular case, but it is one, and none of the other walled gardens have an equivalent thing to even bring to the table.
Google RCS and RCS the standard are not the same thing. Third party apps are not allowed to plug into Google RCS. This is why you won’t find any RCS open source alternative for Google Messages.
Google is just trying to promote their own walled garden under the guise of an open standard. If they were genuine about this they should allow you to just use any replacement, just like you can replace the stock SMS app on Android.
The carriers don’t control RCS they kept trying but gave up
Look at that ratio, must be a lot of us idiots around huh
iMessage is not fully E2E encrypted unless you have advanced data protection turned on. If you don’t, the keys to your conversations still rest on Apple’s servers.
I don’t think it’s true as long as you don’t make iCloud Backups
This is the correct answer.
No that’s only for iCloud backups of your iMessages.
It’s full E2E encryption even without that turned on. However, just because something is encrypted doesn’t mean it’s secure, as you point out.
Regardless, governments/organizations have gotten very good at finding vulnerabilities and exploiting them before academic and/or private sector security groups discover the same vulnerabilities, who will then go and publish their findings which eventually leads to them getting patched. As a side note: For anyone interested in some modern hacker/cybersecurity history, I recommend reading the book, Sandworm by Andy Greenberg. It’s pretty damn wild what it covers and that’s only a fraction of the modern state of global cyber warfare (and yes, just about the entire world has been engaged in what pretty much amounts to cyber warfare/espionage/sabotage for the last 10-15+ years).
WhatsApp is already E2E encrypted, it always has been. There’s a circlejerk around here about “not true E2E!”, but that’s just straight up nonsense.
but still leaks a lot of metadata to Facebook/Meta
Name, service start date, last seen date, IP address, and email address, that’s it. Proof here. Everything Google and Apple also collect. If that’s a problem for you use Signal, not iMessage.
I get that, but Meta/Facebook has a massive track record of not giving a shit about its users. I wouldn’t recommend trusting them, they’ve shown their true colors many times over.
You bet it’s end and encrypted My key your key are friends key the CIA’s key… Wait, what?
/s… I hope
The fuck is google messages? Is this what replaced hangouts?
Hilarious assumption, but nope. It’s just the default sms app on google phones.
Google Chat replaced hangouts and is not E2E.
Google Messages is the Android default SMS App, at least on Pixel phones. It is Android’s best equivalent to “iMessage”
It’s the default SMS application on Pixel devices.
On many devices, actually. Over 34 OEMs. https://jibe.google.com/partners/oems/
This is cool and all but one feature I’d love to see is search functionality actually working
I think this is the first feature RCS provides which I want.
Do you know what RCS all provides? because it provides a LOT of great features. I mean the biggest one is 105MB file sizes. I guess you can stick with your carrier limited MMS, which is usually set to 300KB. Or maybe you can pay for Discord Nitro to send more than 8MB files? How about Snapchat which is limited to 60 seconds video files? Perhaps Telegram, that limits your upload speed to a snail pace unless you buy Telegram Premium?
I haven’t attempted to send a file via txt in almost 20 years. They’re txt messages… you know, for text. I also don’t use discord nitro, snapchat, or telegram.
So how do you send quick photos and videos? Don’t tell me you’re the person that sends a link lol
It doesn’t really come up since I use txts to talk to people.
Why wouldn’t one use links? Everything is pushed to the cloud anyway. Uploading them again is a lot of extra power used for no gain.
Still won’t be using it. Sworry!
More like, sworry not sworry. Am I right?
