Apple to Add Manual Authentication to iMessage
Signal has had the ability to manually authenticate another account for years. iMessage is getting it:
The feature is called Contact Key Verification, and it does just what its name says: it lets you add a manual verification step in an iMessage conversation to confirm that the other person is who their device says they are. (SMS conversations lack any reliable method for verification—sorry, green-bubble friends.) Instead of relying on Apple to verify the other person’s identity using information stored securely on Apple’s servers, you and the other party read a short verification code to each other, either in person or on a phone call. Once you’ve validated the conversation, your devices maintain a chain of trust in which neither you nor the other person has given any private encryption information to each other or Apple. If anything changes in the encryption keys each of you verified, the Messages app will notice and provide an alert or warning.
Fazal Majid • November 22, 2023 9:39 AM
What difference does it make, when the threat model features Apple itself prominently? By acceding to the principle that the iMessage client will scan photos for CSAM prior to uploading them to iCloud, even if they later reversed that decision, Apple has forfeited any trust in their end to end encryption claims.