Some might say a little is better than nothing at all, but when it leads to a false sense of security, I’m going to call BS. Last month Apple confirmed that it would soon beef up encryption for iCloud email following a report detailing security flaws in major email services. While Apple previously encrypted emails sent between its own iCloud customers, now the company has enabled encryption for emails in transit between iCloud and third-party services for me.com and mac.com email addresses.
Hooray for encryption, but there’s just one problem: A translated report from Heise.de, which examined the new methods of encryption, notes that Apple is using the RC4 encryption algorithm, which the report claims leaves much to be desired in terms of possible eavesdropping. Security researchers have said RC4-128 (which is the version of RC4 Apple is believed to be using) is far weaker than AES-128. There has been an allegation (unproven of course) that the NSA has broken RC4-128. So yeah, I applaud Apple for keeping its word, but not so much on the corners it’s cut to get it done.