Encryption Challenges of Messaging Interoperability Debated

Security experts are discussing the encryption challenges of messaging interoperability, following the European Union’s decision to make cross-platform messaging capabilities a legal requirement.

There was a lot of debate about whether or not to include messaging interoperability in the Digital Markets Act (DMA), and the challenge of maintaining end-to-end encryption was one of the key issues…

Context

We have previously summarized the context of this problem:

Messaging interoperability is the idea that instant messaging should be like email. We can each use our favorite service and application, while still being able to communicate with each other.

So I could use Telegram, and you could receive it in WhatsApp. Your mom can send you a Facebook message and you can receive it in iMessage. Like email, we would send the message to the person, not the service […]

The EU has long been working on massive antitrust legislation known as the Digital Markets Act (DMA). The main objectives of the proposed law are to ensure that technology startups can enter the market without their growth being inhibited by dominant players, and that consumers can benefit from the fruits of this competition – the best services at the lowest prices.

There have been many internal debates about the appropriate scope of the legislation and, in particular, whether messaging interoperability requirements should be included. Some objected on the grounds that it would be a nightmare to implement.

I argued that while messaging interoperability would indeed be a nightmare for tech giants to implement, it would be a dream for consumers. Most of the talk, however, has focused on the nightmarish part.

Messaging Interoperability Encryption Challenges

There are many different ways to implement end-to-end encryption, and different messaging platforms have opted for different privacy solutions. But even when two services have chosen to use the exact same encryption technique, they will still end up with different keys for communication between the same individuals, meaning you can’t just transfer an E2E encrypted message from one to another: much more work is needed.

The Verge reports on the various concerns expressed by security experts. One is the need for messaging services to make major changes to their respective approaches.

Steven Bellovin, renowned internet security researcher and professor of computer science at Columbia University, said, “Trying to reconcile two different cryptographic architectures is simply impossible; one side or the other will have to make major changes. A design that only works when both parties are online will be very different from one that works with stored messages…. How do you make these two systems interoperate?”

He argues that this could mean removing features to achieve a lowest common denominator between services.

A second issue is that a security vulnerability in one messaging platform could effectively expose them all to the same exploits. Relatedly, each service would have to trust the user identity verification method of all other services.

“How do you tell your phone who you want to talk to, and how does the phone find that person?” said Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook. “There is no way to allow end-to-end encryption without trusting each vendor to handle identity management… If the goal is for all email systems to treat each other’s users in exactly the same way, then it’s a privacy and security nightmare.”

Potential Solutions

However, Matrix, the open-source E2E nonprofit, says there are ways to fix these issues.

Unsurprisingly, every platform adopting Matrix’s own open-source solution is one of them. Using open source code would have the advantage of allowing any security researcher to verify the integrity of the encryption system used. Even WhatsApp chief Will Cathcart – who has been highly critical of the call for messaging interoperability – acknowledges this possibility.

Another would be to decrypt and re-encrypt along the way – which would normally completely compromise the entire basis of E2E encryption – but do it on the user’s own machines.

Your laptop or phone effectively maintains a connection to iMessage or WhatsApp or whatever as if it were connected… but then relays the messages back into Matrix once re-encrypted.

This does not introduce additional risk, as an end user with a compromised machine may already be exposing messages.
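The two points above, that the same scheme on two services yields unrelated keys and that a bridge on the user's own device can decrypt and re-encrypt, shown as an added Go example (not code from Matrix or any messaging service). The service labels, the function names and the X25519 plus AES-GCM construction are assumptions chosen for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// sessionKey models one service's own X25519 agreement for the same two people.
func sessionKey(service string) []byte {
	alice := must(ecdh.X25519().GenerateKey(rand.Reader)) // fresh key pair per service
	bob := must(ecdh.X25519().GenerateKey(rand.Reader))
	k := sha256.Sum256(append([]byte(service), must(alice.ECDH(bob.PublicKey()))...))
	return k[:]
}
func seal(key, msg []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, msg, nil) // nonce || ciphertext || tag
}
func open(key, ct []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(ct) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
// bridge runs on the user's own device, which already holds both session keys.
func bridge(keyFrom, keyTo, ct []byte) ([]byte, error) {
	pt, err := open(keyFrom, ct)
	if err != nil {
		return nil, err // not readable under the source service's key
	}
	return seal(keyTo, pt), nil
}
func main() {
	kA, kB := sessionKey("service-a"), sessionKey("service-b") // constructed labels
	out := must(bridge(kA, kB, seal(kA, []byte("hello"))))
	fmt.Printf("%s\n", must(open(kB, out)))
}
```

Handing service A's ciphertext straight to `open` with service B's key fails authentication; only the device holding both keys can carry the message across.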

The bottom line

Ultimately, security experts agree on two things:

  • Enabling messaging interoperability without compromising E2E encryption is possible
  • It is very difficult and it would take a lot of work

This second point means that it will not happen anytime soon, and the EU is aware of this. The deadline for offering it is expected to be much later than the deadlines for complying with other requirements of the Digital Markets Act.

Photo: Camilo Jiménez/Unsplash
