>You do have to wonder if apple backdoored their IM client,

I am a little curious about Apple's iMessage encryption system. From the
bits and pieces I've picked up across the net, it sounds like Apple holds a
keyring containing the public keys of all your iMessage-using devices. When
someone wants to send you an iMessage, they download the keyring and
encrypt the message for all of those public keys. When you add a new device
to your account, Apple adds its public key to the keyring, all future
messages are encrypted for that device as well, and all your devices show
an alert that a new device is on the account.

If that's correct, I'm curious how, when I add a new device to my iMessage
account, all my old IMs show up in the chat history on the *new* device. If
my understanding is correct, it appears that someone who possesses a
cleartext copy of the messages is re-encrypting them with the new device's
public key.

Will


On Thu, May 16, 2013 at 2:52 PM, Adam Back <[email protected]> wrote:

> So when I saw this article
> http://www.h-online.com/security/news/item/Skype-with-care-Microsoft-is-reading-everything-you-write-1862870.html
>
> I was disappointed the rumoured skype backdoor is claimed to be real, and
> that they have evidence.  The method by which they confirmed is kind of odd
> - not only is skype eavesdropping but it's doing head requests on SSL sites
> that have urls pasted in the skype chat!
>
> Now I've worked with a few of the german security outfits before, though not
> Heise, and they are usually top-notch, so if they say it's confirmed, you
> generally are advised to believe them.  And the date on the article is a
> couple of days old, but I tried it anyway.  Set up a non-indexed
> /dev/urandom generated long filename, and saved it as php with a
> meta-refresh to a known malware site in case that's a trigger, and a passive
> html with no refresh and no args.  Passed a username password via
> ?user=foo&password=bar to the php one and sent the links to Ian Grigg who I
> saw was online over skype with strict instructions not to click.
>
> To my surprise I see these two entries in the apache SSL log:
>
> 65.52.100.214 - - [16/May/2013:13:14:03 -0400] "HEAD /CuArhuk2veg1owOtiTofAryib7CajVisBeb8.html HTTP/1.1" 200 -
> 65.52.100.214 - - [16/May/2013:14:08:52 -0400] "HEAD /CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php?user=foo&pass=yeahright HTTP/1.1" 200 -
>
> I was using skype on ubuntu, my Ian on the other end was using MAC OSX.  It
> took about 45mins until the hit came so they must be batched.  (The gap
> between the two requests is because I did some work on the web server as the
> SSL cert was expired and I didn't want that to prevent it working, nor
> something more script like with cgi arguments as in the article).
>
>
> Now are they just hoovering up the skype IMs via the new microsoft central
> server architecture having back doored skype client to no longer have
> end2end encryption (and feeding them through echelon or whatever) or is this
> the client that is reading your IMs and sending selected things to the
> mothership.
>
> btw their HEAD request was completely ineffective per the weak excuse
> microsoft offered in the article at top my php contained a meta-refresh
> which the head won't see as it's in the html body.  (Yes I confirmed via my
> own localhost HTTP get as web dev environments are automatic in various
> ways).
>
>
> So there is adium4skype which allows you to use OTR with your skype contacts
> and using skype as the transport.  Or one might be more inclined to drop
> skype in protest.
>
> I think the spooks have been watching "Person of Interest" too much to think
> such things are cricket.  How far does this go?  Do people need to worry
> about microsoft IIS web servers with SSL, exchange servers?
>
> You do have to wonder if apple backdoored their IM client, below the OTR, or
> silent circle, or the OS - I mean how far does this go?  Jon Callas said not
> apple, that wouldn't be cool, and apple aims for coolness for users; maybe he
> should dig a little more.  It seems to be getting to you can't trust anything
> without compiling it from source, and having a good PGP WoT network with
> developers.  A distro binary possibly isn't enough in such an environment.
>
> Adam
> _______________________________________________
> cryptography mailing list
> [email protected]
> http://lists.randombit.net/mailman/listinfo/cryptography
>
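
Added example, not part of either message: the canary-URL test described in the quoted message, written as a check over Apache access-log lines that reports every request to an unpublished path from a host other than your own test client. The function name `canary_hits`, the `own_hosts` parameter and the two lines marked as constructed are assumptions; the other two lines are the entries quoted above with the wrap markers removed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def canary_hits(log_lines, canary_paths, own_hosts=()):
    """Return one dict per request that touched a canary path from a host
    that is not one of our own test clients (e.g. a localhost self-check)."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        url = urlsplit(m["target"])
        if url.path not in canary_paths or m["host"] in own_hosts:
            continue
        hits.append({
            "host": m["host"],
            "time": m["time"],
            "method": m["method"],
            "path": url.path,
            # Report parameter names only; the values are what leaked.
            "leaked_params": [k for k, _ in
                              parse_qsl(url.query, keep_blank_values=True)],
        })
    return hits

CANARIES = {
    "/CuArhuk2veg1owOtiTofAryib7CajVisBeb8.html",
    "/CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php",
}
SAMPLE = [
    # constructed: the sender's own localhost check of the page
    '127.0.0.1 - - [16/May/2013:13:00:00 -0400] "GET /CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php HTTP/1.1" 200 312',
    # constructed: unrelated traffic to a public page
    '192.0.2.10 - - [16/May/2013:13:05:00 -0400] "GET /index.html HTTP/1.1" 200 1024',
    '65.52.100.214 - - [16/May/2013:13:14:03 -0400] "HEAD /CuArhuk2veg1owOtiTofAryib7CajVisBeb8.html HTTP/1.1" 200 -',
    '65.52.100.214 - - [16/May/2013:14:08:52 -0400] "HEAD /CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php?user=foo&pass=yeahright HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for hit in canary_hits(SAMPLE, CANARIES, own_hosts={"127.0.0.1"}):
        print(hit)
```
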