Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Encryption Google Communications

Google is Rolling Out End-To-End Encryption for RCS in Android Messages Beta (theverge.com) 77

After two long, complicated years, every Android user worldwide (outside China) now has access to the next-gen texting standard that is replacing SMS. Google is directly offering RCS chat services through its Android Messages app to anybody who installs it and uses it as their default texting app, which partly bypasses a carrier rollout that, at times, has ranged from sluggish to incoherent to broken. From a report Just as importantly, Google has announced that it's finally beginning to enable a key privacy feature: end-to-end encryption. For Android users who use Android Messages, one-on-one chats will eventually be end-to-end encrypted by default, meaning neither carriers nor Google will be able to read the content of those messages. Even though encryption is only beginning to roll out to people who sign up for the public beta for Android Messages, turning on encryption for RCS is a very big deal. It's a massive privacy win, as it could mean that the de facto replacement for SMS will, by default, be private on the smartphone platform used by the vast majority of people worldwide.

As for the people who use that other smartphone platform -- the iPhone -- we have no word on whether Apple intends to adopt the RCS standard. But as every carrier worldwide gets on board, and now that there is a clearer path to ensuring private communication with RCS, the pressure on Apple to participate is likely to build. Unfortunately, SMS becoming fully deprecated and replaced by RCS will only happen if all goes to plan for Google. Since initially announcing plans to transition to RCS as the primary texting platform for Android, the standard's rollout has been mired in confusion. In attempting to be neutral and make Android's texting a standard shared by carriers worldwide, Google set itself up with the job of herding multibillion-dollar cats -- with sadly predictable results.

This discussion has been archived. No new comments can be posted.

Google is Rolling Out End-To-End Encryption for RCS in Android Messages Beta

Comments Filter:
  • Why use RCS? The only advantage it has is that it allows carriers to bill for every message sent/received, and get access to your meta data (date, time, phone number).

    I still can't even send/receive an RCS message from an Internet-connected PC without having to somehow piggy back on a cell phone. Why such an arbitrary limitation? Why give power to cell phone carriers? Remember they own your phone number, not you. It should never be used as your main ID in a messaging application. Email address is much bette

    • Why use RCS? The only advantage it has is that it allows carriers to bill for every message sent/received, and get access to your meta data (date, time, phone number).

      That's no different than SMS. So what's your problem?

      • I have a problem with SMS too. SMS was fine in the 90's when people didn't have Internet on their phone. Should be considered death tech just like telegram and fax.

        • *dead tech sorry

          • Should be considered death tech just like telegram and fax.

            I'm okay with "death tech"; these were my preferred means of communication when I was spending a year dead for tax purposes.

        • Re:Why RCS? (Score:4, Insightful)

          by Anonymous Coward on Thursday November 19, 2020 @11:02AM (#60742882)

          Although in principle I agree with you ("SMS is dead tech"), keep in mind that SMS is still the "legacy" option, and the only option that really works and is available for all those people that refuse to have their lives controlled by evil megacorporations by using a non-free messaging app.

          It was already difficult enough to convince a critical mass of my family and friends to switch to Signal (which is, by the way, already a non-optimal solution but way better than Whatsapp/Telegram). If I meet a stranger and need to exchange a point of contact, the first approach is either e-mail or SMS. E-mail would be better of course, but it's not always socially acceptable as a first approach.

          Most importantly, SMS is the legacy option used for 2-factor authentication (2FA) that does not require to install a non-free and invasive mobile app. There are better alternatives (apps like FreeOTP and similar ones that use well-tested open protocols, or even better, hardware tokens) but they are not always supported by, e.g., your bank: they'd rather have you install their evil, closed-source, likely insecure, proprietary app. SMS from this point of view is the fallback choice (although I'm not sure how long it'll resist in this market). Clearly it is not as secure as the other options. A widely supported encrypted protocols for receiving SMS would give new life to this fallback option.

          Finally, remember that there are still large areas of the world where business is big but still using terribly outdated tech (Japan anyone?). Living without SMS in these places is just not possible yet.

          • Although in principle I agree with you ("SMS is dead tech"), keep in mind that SMS is still the "legacy" option, and the only option that really works and is available for all those people that refuse to have their lives controlled by evil megacorporations by using a non-free messaging app.

            I disagree. SMS is not free, and it is controlled by megacorporations (phone carriers).
            SMS doesn't work (or at least, not well) on a non-cellular, Internet-connected devices such as PCs and tablets.

            It was already difficult enough to convince a critical mass of my family and friends to switch to Signal (which is, by the way, already a non-optimal solution but way better than Whatsapp/Telegram). If I meet a stranger and need to exchange a point of contact, the first approach is either e-mail or SMS. E-mail would be better of course, but it's not always socially acceptable as a first approach.

            Why not?

            Most importantly, SMS is the legacy option used for 2-factor authentication (2FA) that does not require to install a non-free and invasive mobile app.

            Email could do that job even better.

            • I wonder what world you live in where asking someone to switch to your particular messaging app is easier/better/more acceptable than simply exchanging phone numbers.

              Email sometimes takes minutes to arrive, while SMS is always seconds. Email sucks donkey balls for 2FA

              • I'm not asking anyone to switch to my particular messaging app. Although it would be great if there was an open standard which won over, instead of the current mess. The sooner we stop relying on phone numbers as IDs, the sooner it will happen.
                Still, exchanging phone numbers is not perfect either. My main home phone number is VoIP. My work phone can't receive SMS either, plus you need to dial an extension.

                Your email provider suck if it takes minutes to arrive. Meanwhile, I just spoke with my carrier. To ren

                • by Bert64 ( 520050 )

                  Proper VOIP can work like email, user@sip.server.com etc. In practice it's very rarely used like this.

                • I'm not asking anyone to switch to my particular messaging app. Although it would be great if there was an open standard which won over, instead of the current mess. The sooner we stop relying on phone numbers as IDs, the sooner it will happen.

                  That would definitely be great. And that's why RCS is a step in the right direction, even if it's still tied to a phone number.

                  Your email provider suck if it takes minutes to arrive.

                  Internet congestion has zero to do with my mail server.

                  • That would definitely be great. And that's why RCS is a step in the right direction, even if it's still tied to a phone number.

                    How is RCS a step in the right direction? Why should we even give phone carriers a word to say in this? Should we also give them a word to say in video conferencing, web browsing and music streaming?

              • I wonder what world you live in where asking someone to switch to your particular messaging app is easier/better/more acceptable than simply exchanging phone numbers.

                So YOU are asking me to switch to YOUR particular messaging app/protocol, which is called SMS.

                • No, YOU are already using SMS. You might not like it, but it's there and it's universal, now.

                  • what makes you think I use legacy SMS?

                    • Cos you have a phone? I'm not a fan of SMS, no signal where I am, but it's still the default when you meet someone

                    • It's not because I have a phone that I use SMS. I never used the SMS client on my cell phone. I also have a voip landline/home phone.

                      Default or not, you are still asking people to switch to that protocol, no matter if they are using it or not.

              • by Bert64 ( 520050 )

                SMS should arrive in seconds, but international messages sometimes don't arrive at all or are massively delayed.
                SMS is also generally quite expensive, as operators want to bill you per message.

                • Not in most civilised countries. UK (semi civilised), unlimited SMS is a few quid a month

                  • which is very expensive for what you get (a few kB of transfer per month at most)

                    • Oh, you get some gigs of data for that too. That's what you pay for, unlimited SMS (and calls) is standard these days.

                    • It is only standard if you get a mobile phone plan. It doesn't come with any fixed home Internet plan I know.
                      Also it often doesn't come with data-only cell phone plans (aka tablet plans).
                      And pay per-use, or pay per outgoing plans still exist, at least in Canada. There is also sometimes a surcharge for international SMS.
                      For example with Fizz it's an extra $3/month to get outgoing SMS. With PetroCanada it's 15/SMS sent to USA/Canada and 35 internationally.
                      And I am not talking about roaming. This is when at ho

            • by zixxt ( 1547061 )

              I disagree. SMS is not free, and it is controlled by megacorporations (phone carriers).
              SMS doesn't work (or at least, not well) on a non-cellular, Internet-connected devices such as PCs and tablets.

              Say what? SMS is free! It's been free for most of the world for the past 10-15 years. When I did not have have cell phone service I used to SMS/MMS my friends everyday all just by using E-Mail. And I still use email to SMS/MMS back and forth whilst on my Desktop when I'm too lazy to hunt down my phone.

              • It's not free, you need to pay a phone carrier to use it. Sometimes it is included in the base plan, sometimes it isn't.
                SMS 2 email is not perfect, doesn't always work. It's not as if there was a universal, free, reliable email 2 sms gateway.

                I can't just write to numer@sms.com and expect to get a reply.

          • Re:Why RCS? (Score:4, Insightful)

            by weepinganus ( 767987 ) on Thursday November 19, 2020 @12:05PM (#60743134)
            I'll just leave this here...

            Obligatory XKCD [xkcd.com]

            • except it's false, SMS it's not supported by everyone.

              • Error: Statement not backed by observations. Parsing as empty.
                Error: Empty comment.

                • My non-cellular tablet doesn't support SMS.
                  My PC doesn't support SMS.
                  I can't send an SMS from my phone without a SIM card and a cellular network signal, even though I have a fast wifi internet connection.

                  Having a phone number is not enough. Most landlines, voip, don't support SMS either.

          • It was already difficult enough to convince a critical mass of my family and friends to switch to Signal (which is, by the way, already a non-optimal solution but way better than Whatsapp/Telegram).

            Signal is still total crap just like whatsapp and telegram. You can't even use it on a PC without also having an Android or iOS Phone. It still use a mobile phone number as ID.

      • That's no different than SMS. So what's your problem?

        That's the problem.

    • Agreed. RCS is clearly outdated. Git is much better :)
    • Re:Why RCS? (Score:4, Interesting)

      by PhrostyMcByte ( 589271 ) <phrosty@gmail.com> on Thursday November 19, 2020 @10:58AM (#60742872) Homepage

      If I had to guess, it is purely strategic.

      Apple has a private messaging system. Lock-in is their game and they have no reason to let Google interoperate with them.

      So Google works with the carriers to make a new standard, hoping the added weight of the carriers will turn the message from "interoperate with Google" to "why isn't Apple implementing this standard?"

      • Why does google need the carriers? They were doing just fine with google talk/hangouts until they started renaming it or killing it every year to launch a worse product.

      • it's because sms is used for 2fa on android phones but sms was never designed for this purpose so this has the dual purpose of helping android and making google accounts/services more secure.
        • No it's not. It's used for 2*1FA. Fake 2FA security theater.
          SMS really doesn't make it any more pointless. Like pissing in an ocean of piss.

    • All the better to log, track, and spy on you, my dear. Do you really believe that Google (or three-letter agencies with Google as their proxy) aren't being MitM and seeing all your messages sent through this service regardless of what they tell you? Google hasn't been trustworthy for quite some time now, why would anyone trust anything they have to say now?
    • Some phone carriers actually do away with that limitation. You still have to pay for a cell plan, but that's a good thing. A free service like email would generate email levels of spam.
      • I prefer email-level of spam (which is usually filtered) compared to sms-level of spam (lower, but unfiltered)

  • by Rosco P. Coltrane ( 209368 ) on Thursday November 19, 2020 @10:58AM (#60742874)

    So only Google can read all your message, none of those pesky men-in-the-middle.

    • Literally mentioned above:
      "meaning neither carriers nor Google will be able to read the content of those messages"
      • by jeromef ( 2726837 ) on Thursday November 19, 2020 @11:39AM (#60743042)
        Yeah but that's assuming the implementation is done properly, i.e., that the encryption keys remain known to the endpoints only. Since the application is developed by Google and will probably (?) be closed source, you can't be sure.
      • Google has the root keys.

        End of discussion.

        You better get that brain checked for Google viruses.

        • But Google *does* centrally manage those keys!

          Or is it because you seriously think "Google viruses" was meant literally? Like Time Cube Lizard People blah? :D
          Granted, on Slashdot, I'm not even surprised you might assume that. But no. Get your triggers checked. :)

    • by mark-t ( 151149 )
      So are you saying they are lying about it being end-to-end, or is it the case that do you not know what end-to-end actually means?
      • Just like Apple in iMessage, they could well have a backdoor you don't know about.

        • by mark-t ( 151149 )

          Again, you either don't know what end to end encryption means, or else they are lying about it being end-to-end in the first place.

          Let me clarify in case it's the former.

          End to end encryption means that when it is enabled, the messages that are sent are encrypted by a key that is created by the client's own personal device (and in particular, one that nobody else has any particular control over to force any generated encryption keys to be ones that may be computationally feasible to guess by a brute fo

          • Yes they could be lying then.
            I don't personally want end-to-end encryption. I prefer to be able to start a conversation on one device and continue it on the next. And be able to search in past messages afterwards.

          • It also doesn't mean that Google will be sending data back from the client. They can send an end-to-end encrypted message but still detect on the client that you have the word 'xbox' in your text and send back to the mother ship that you should be getting ads about microsoft products and xbox accessories.
            • It doesn't mean that Google won't* be sending data back from the client.
            • by mark-t ( 151149 )
              End to end rather explicitly says that there are exactly two ends. If a message or its metadata is also being sent to a third party, then that's a third end, and the message is not truly end-to-end encrypted.
              • I didn't say the message would be sent. I said they could still scan the message and send back aspects that they care about without breaking the encryption.
                • by mark-t ( 151149 )
                  Anything that they are "sending back" to any party other than the one they are communicating with constitutes a third end.
                  • Google probably wouldn't agree.
                    • by mark-t ( 151149 )

                      Well, as we've established previously, it's not at all inconceivable for companies to lie about what their technologies do.

                      If their encryption is truly end-to-end, Google cannot read it. If they can read it, it is not end-to-end, full stop.

                    • But they wouldn't consider it a lie so why would they feel the need to divulge anything?
                    • by mark-t ( 151149 )
                      So you are alleging that Google doesn't know what end-to-end encryption actually means?
                    • I'm alleging that if they can send back information without breaking end to end encryption technically, they'll be happy with that.
                    • Putting it another way. Companies do whatever they can to make money until someone prosecutes them for it. There is no "correct" way. To a corp the correct way is to make money.
                    • by mark-t ( 151149 )
                      "End-to-end" rather explicitly suggests that there are exactly two ends. If they "send back" information to anyone else, then that would be an additional end.
                    • Well are you going to explain that to them in court and win? Who will hold them to your definition?
                    • by mark-t ( 151149 )

                      You misunderstand my point if you think it has to do with who would win a legal battle.

                      Liars and con artists can win court cases. That doesn't mean they weren't wrong.

                    • If not the courts, who will tell Google that end to end encryption does not involve scanning messages in the client?
                    • by mark-t ( 151149 )
                      Again, what difference should that make? I am talking about what end-to-end encryption actually means, not what Google should or should not do.
          • Now... is it your assertion that Google is lying about it being end-to-end?

            No, simply that they could have, or be forced to include a backdoor in the client.

            They control the OS. It is end-to-end encrypted, so it can't be snooped or MITMed, but they control the 'end' so it doesn't matter.

            • by mark-t ( 151149 )

              A backdoor creates an additional endpoint for the data.

              "End-to-end" rather plainly suggests that are exactly two ends to the data transmission.

  • MITM-ready (Score:5, Interesting)

    by Meneth ( 872868 ) on Thursday November 19, 2020 @11:37AM (#60743030)
    Google is performing all the key management, which makes it easy for them to perform MITM attacks. Whitepaper. [gstatic.com]
    • They can already snoop on you through android and the play app without rcs. They're doing this because sms was never designed for 2fa and is not secure for it.
      • Sending a message for "2FA" is a stupid idea anyway. HOTP and TOTP are much better.

      • Nobody does actual 2FA anyway.

        No, having another app ask if you really want that, is not 2FA. Even if it is on another device.

        That's just twice the same factor.

        It's supposed to be two (or better, three) distinct factors.

  • Considering that they are behind the curve on this, and are slaves to US security, Apple will clearly oppose and attack this.

  • by ebh ( 116526 )

    Is RCS any less susceptible to SIM jacking attacks?

  • And it never will be.

    The point of Signal is that it is trustworthy.

    This here is still equivalent to SMS. No matter how much bloat or sketchy security you add to it.

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...