To back up such a obvious agency planted 'report' one site even includes a purported 'unclassified' Intelligent Report describing how the DEA were unable to obtain decrypted messages between iMessage users dated Feb. 21, 2013. What makes that very suspicious to me is that with the Bush and now Obama White House, declassifying Intelligence Briefs takes many years, sometimes decades pass after a solution or mitigation has been applied.[2][7]
The readers should be mature enough to understand that in today's times a major provider indicating a serious DEA-FBI security lapse is a open invitation for that article,news brief or website-webpage to be immediately deleted in real time and results in a rapid disappearance if it were publicly published.
It didn't take long for me to determine the special sauce in the iMessage encryption was simply standard SSL/TLS using RSA 2048 public keys. If a browser still supports weak and broken encryption modes for its SSL operations (nearly all do unless YOU manually remove them) it is possible the weakest encryption mode which is likely broken (RC4 for example) is going to be deployed in your SSL session. A really useful primer on fine tuning the Firefox browser's SSL strength complete with the necessary steps you could apply to other browsers is found here. [3]
Apple just as Microsoft's former IM server STORES ALL USERS MESSAGES IN PLAIN TEXT on their server. 2048 bit RSA public keys are not in my opinion going to be strong enough to protect business secrets and many have/are moving to 4096 RSA public keys as a result. All major providers appear to have been pressed into full warrentless 'cooperation' in my opinion who would not present any obstruction to Apple users 'plain text' stored on the Apple iMessage Server per a DEA or FBI,NSA,CIA request.
In My Opinion and Conclusion:
The articles appear to be a deliberate effort to steer individuals into a false sense of security to use iMessage IM. While it does appear iMessage uses end-end encryption, as pointed out the SSL mode can be weak and the public key size isn't considered strong now and the users IM messages along with their Apple account information is recorded in plain text allegedly on the Apple iMessage IM servers. Apple's privacy policy clearly states that the iPhone maker may give information about its customers to law enforcement when "reasonably necessary or appropriate" or to "comply with legal process."
References:However, iMessage still should not be used to send sensitive information. All data so far indicates that the messages are stored in plaintext in Apple’s servers. This presents several vulnerabilities. Apple or anyone able to compromise Apple’s servers would be able to read your messages – for as long as their cached.[6]
Treat iMessage as you would emails or SMS communications. It is safe enough for daily usage, but highly sensitive information should not be sent through it.
[1] Apple’s iMessage Encryption Too Tough for FBI http://www.macobserver.com/tmo/article/ ... gh-for-fbi
[2] Apple's iMessage encryption trips up feds' surveillance http://news.cnet.com/8301-13578_3-57577 ... veillance/
[3] Calomel SSL Validation https://calomel.org/firefox_ssl_validation.html
[4] Just How Secure is Apple's iMessage? Even the DEA Can't Crack It http://www.maclife.com/article/news/jus ... t_crack_it
[5] IMessage https://imfreedom.org/wiki/IMessage
[6] QOTW #34 – iMessage – what security features are present? http://security.blogoverflow.com/2012/0 ... e-present/
[7] DEA Intelligence Declassified Note http://i.i.com.com/cnwk.1d/i/tim/2013/0 ... 10x479.png
