UK government demanding access to encrypted iCloud
-
[email protected]replied to [email protected] last edited by
Here’s hoping Apple sticks to their guns and pulls ADP instead of caving.
In case you didn’t see it a few weeks ago, 3.3 million servers are doing unencrypted transport.
The way email delivery is handled also means you’re not safe just because you aren’t talking to those servers.
-
[email protected]replied to [email protected] last edited by
They're not anonymous, contrary to common perception. They're encrypted, but they know things like your IP address and which IP addresses you're communicating with, even if they don't know the content of your messages. Some of them explicitly state as much.
Depending on the local laws of the company or servers, they might be compelled to share whatever data they do have, which could be enough info to assist law enforcement in making an arrest, even if they can't see the message itself.
If you want anonymous email use, you have to use a logless VPN at a minimum every time you access a third party encrypted email service. That way neither side of the email exchange can tie your IP address to you.
-
[email protected]replied to [email protected] last edited by
Crypto instructions have been standard in CPUs for decades now. I don't know about mobile CPUs specifically, but the AES instructions have been around since 2008.
-
[email protected]replied to [email protected] last edited by
Of course, I only meant that unlike Gmail and such, services like Proton don’t actively impede your anonymity and build a profile on you as far as we know.
-
[email protected]replied to [email protected] last edited by
Proton does require you to have a dedicated phone number to sign up though. The main thing that swayed me away from making a ProtonMail account was that when I went to sign up I was met with a phone number requirement, and I'm like "oh well, this isn't going to be helpful".
-
[email protected]replied to [email protected] last edited by
I think I got in before they started doing that.
Actually I don’t think they require that. I just set up a new Proton account on a device with a fresh wipe from a VPN endpoint I never used before, and they offered to record a phone number or recovery email but didn’t require it.
-
[email protected]replied to [email protected] last edited by
Can you tell me which endpoint you used? Cuz I just tried using VPN endpoints from Switzerland, Sweden and Ukraine, and all three of them brought up a requirement to have a verification email.
-
[email protected]replied to [email protected] last edited by
Secure? Idk, maybe. But definitely not private.
-
[email protected]replied to [email protected] last edited by
Mullvad us Denver 205.
I’m also using their encrypted DNS, though that shouldn’t matter. Recording an email might be a regulatory requirement of the intelligence sharing treaties of the EU and broader eurozone.
Try an endpoint outside of the western world and see what happens!
-
[email protected]replied to [email protected] last edited by
Wow, thank you for this! But it looks like IMAP and POP, not server-to-server. And how would one of these servers compromise security if not one of the end points?
-
[email protected]replied to [email protected] last edited by
Yeah, weirdly enough it ended up being a browser issue: Firefox wasn't able to use anything but email verification, but Chrome was able to offer a captcha in place of it.
-
[email protected]replied to [email protected] last edited by
Yeah, but phones have had a problem where using the main chip for encryption would basically use all the battery. For a while Apple was the only one who didn’t have this issue because they included dedicated chips to handle the encryption, so they were even able to jump into “whole phone encryption” by default, while Android phones had to leave it as a checkbox in settings that would eat your battery.
I just don’t remember if Google ever got around to addressing the issue.
-
[email protected]replied to [email protected] last edited by
In 2026, good old steganographic messages, like in North Korea.
-
[email protected]replied to [email protected] last edited by
I've always had Android phones with encryption enabled, since about 2014, and I've never noticed any issue, nor had I heard about this before.
-
[email protected]replied to [email protected] last edited by
OP: read about PGP/GPG. Do it now. When you don’t understand something, ask questions about it instead of giving up.
While that's usable for files, they cannot use it for the app backups and contacts and such that the system creates on iCloud.
-
[email protected]replied to [email protected] last edited by
SMTP is only encrypted if the second server responds correctly to the first server’s STARTTLS.
The striptls type of attack, which prevents the servers from getting a valid STARTTLS exchange, was in use over a decade ago by some telecom against its own customers.
Even if you know the person you’re emailing has a correctly configured client, you can’t control a man-in-the-middle attack between servers, which has been in widespread use for years.
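The downgrade described in the post above, seen from the sending server's side, as an added example that is not part of the thread: it parses an EHLO reply and shows that an opportunistic sender falls back to plaintext when STARTTLS is missing, while a sender holding a pinned "TLS required" policy for the domain defers delivery instead. The sample replies are constructed, and `delivery_decision` and its `require_tls` parameter are hypothetical names.

```python
import re

# Constructed EHLO replies (not captured traffic). Multi-line SMTP replies use
# "250-" on continuation lines and "250 " on the final line (RFC 5321).
EHLO_INTACT = "250-mx.example.net\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
# The same reply after an on-path device has removed the STARTTLS line.
EHLO_STRIPPED = "250-mx.example.net\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"

_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(reply):
    """Return the set of upper-cased extension keywords in an EHLO reply."""
    lines = [line for line in reply.split("\r\n") if line]
    if not lines:
        raise ValueError("empty EHLO reply")
    keywords = set()
    for index, line in enumerate(lines):
        match = _REPLY_LINE.match(line)
        if not match or match.group(1) != "250":
            raise ValueError(f"unexpected reply line: {line!r}")
        is_last = index == len(lines) - 1
        # Only the final line may use a space after the reply code.
        if (match.group(2) == " ") != is_last:
            raise ValueError("malformed multi-line reply")
        if index == 0:
            continue  # first line is the server's greeting, not an extension
        text = match.group(3).strip()
        if text:
            keywords.add(text.split()[0].upper())
    return keywords


def delivery_decision(reply, require_tls):
    """Decide how a sending server proceeds after EHLO.

    require_tls models a pinned per-domain policy held by the sender
    (hypothetical parameter, in the spirit of MTA-STS enforce mode).
    """
    if "STARTTLS" in parse_ehlo(reply):
        return "starttls"
    # No STARTTLS offered: the server may not support it, or it was stripped.
    # The sender cannot tell the difference from this reply alone.
    return "defer" if require_tls else "plaintext"
```

An offered STARTTLS only helps if the sender also validates the certificate after the upgrade; this sketch covers the capability check alone.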
-
[email protected]replied to [email protected] last edited by
Yeah, people affected by this would have to turn on ADP (iCloud recovery key) and be vigilant about how precisely Apple chooses to remove that feature, assuming the UK government doesn’t back down.
Worst case scenario you’d need to be doing local backups and have iCloud turned off.
Metadata is a bigger worry at that point though.
-
[email protected]replied to [email protected] last edited by
This is not true. You may be thinking of the Secure Enclave, which Apple processors have had for a while and acts as a dedicated piece of silicon to protect encryption keys. But Pixels have this too, idk about phones with Qualcomm or Exynos SoCs but they likely have something similar. Either way it has no impact on battery life and all major smartphones have been capable of encryption for many years.