With even email clients and web browsers running arbitrary and untrusted remote code on a regular basis, that model needs serious reconsideration.
This xkcd shouldn’t still be insightful. https://xkcd.com/1200/
E2EE is not part of the standard and only exists as a proprietary Google extension, using Google’s servers. Implying that implementing RCS would get everyone cross-platform E2EE is misinformation.
RCS, as adopted by GSMA, is zero encryption text messaging. RCS with encryption is a proprietary Google product and relies on Google servers.
On my phone, so links may come later. It’s hard to find solid documentation on it, since their encryption extension is proprietary, but it’s been referenced as being based on the Signal Protocol. The Signal Protocol, or every implementation of it that I’ve seen, uses a central “trusted” repository of public keys to tell message originators query to encrypt the message to. For Signal, and I assume Google RCS, that central repository is Google. The protocol doesn’t allow for federation, so any system that is interoperable with Google RCS will rely on Google as the trusted authority.
The private key part I’m much less sure of, since both the Signal and Google RCS clients are closed source. Signal makes you jump through hoops to add a new client, involving one of your currently installed clients. This suggests that Signal isn’t in possession of your private keys. On the other hand, all you need to set up a new Google client is your account password. This suggests that either your keys are held by Google (perhaps encrypted by your account password) or that new keys can be added without needing explicit involvement from current keys.
Of course this is all speculation because the implementations aren’t available for inspection.
So is this going to be standard RCS, which has no encryption and the telcos need to support, or the Googlified version that does E2E encryption but requires storing keys on Google’s servers?
RCS has interoperability issues itself and Google hasn’t been making the situation better.
Yes. I’m a man of few words.
But they’re also having to fight for more limited funding among a crowd of chatbot “researchers”. The funding agencies are enamored with LLMs right now.