06 December 2020

End-to-End Encryption (E2EE) to Come to Android Messaging

This is the first good news on the security front I've heard in a long time. Google is adding end-to-end encryption to its Android Messages app.

Google is working to replace/upgrade SMS with Rich Communication Services, or RCS, and part of RCS is secure, end-to-end encryption for messaging.

The end-to-end encryption will roll out to beta testers beginning this month and continue into next year, the company said, and eligible conversations will automatically upgrade to the new level of security, although this encryption will only be available when both people in the conversation have Messages installed and chat features on.

The big news in that paragraph is that if both parties have the new version of messaging installed, security will be automatically upgraded. No action will be required on the part of the user, because if anything has been proved beyond a reasonable doubt, it is that if people have to take ANY action for the sake of security, they will not do it. Because "security is hard" even when it isn't.

It will probably take some time for all the "other" messaging apps - like Verizon message, and I'm guessing Samsung has their own messaging app - to implement RCS. And I would not be surprised if Apple NEVER makes it possible (without Signal or some other app) to have E2EE message security between iOS and Android. (Android is NOT part of the Walled Garden™!)

Hat tip to Steve Gibson and Security Now Episode 794.

Google's rollout is expected to continue into next year and the best news of all is that Google wisely chose not to roll their own solution. Yay!! End-to-end encryption has been added to the “solved problems” list, thus no need to do it again. Google has adopted the very well-designed and already time-tested Signal protocol.

You can find more information in the following PDF from Google: Messages End-to-End Encryption Overview. And you can find the video of Security Now Episode 794 at this link.

I was tempted to file this under the Infrastructure label. Encryption is what makes stuff like online shopping and online banking work at all. Which is why it is scheduled in the Sunday afternoon Infrastructure spot.

2 comments:

  1. Any word on if it's really end to middle to end - so that Google can continue to monitor everything about users and sell it to the highest bidder?

    We'll probably have to see if some white hats publish that in the coming weeks.

    1. They claim to be implementing the Signal Protocols developed by hacker Moxie Marlinspike (Not his birth-name). If so, that is completely end-to-end encryption.

      Personally I use Signal whenever I can. Not often enough because friends are "that's too hard." The reality is you have to install an app. Signal even supports completely encrypted phone calls.

      I don't have the pull of Captain Crunch, (John Draper) who will ONLY communicate securely.

      I am sure the hackers will pull it apart when it arrives.

      Google seems to have a split personality on spying on users. Part of the company still embraces "Don't Be Evil" and part of the company is all down with the Great Firewall of China and acting like Big Brother. (I know, they're not acting.)
