
Apple claim that iCloud can store passwords “only locally” seems to be false - coloneltcb
http://arstechnica.com/information-technology/2013/10/apple-claim-that-icloud-can-store-passwords-only-locally-seems-to-be-false/
======
jamesrom
Apple does not claim that passwords are only stored locally. Apple claims that
your keychain data is only stored locally. This article does nothing to prove
that Apple's claim is false.

Apple is saying that your keychain isn't stored by Apple, but only the
information required to sync all approved clients.

------
tlrobinson
_"During this step, both the iPad and the Mac had to be connected to the
Internet simultaneously."_

I suspect this step sets up encryption keys between the 2 devices so that
Apple's servers can be used to transfer and temporarily buffer encrypted sync
messages without being able to recover the plaintext data.

Since these keys aren't known by the user (or Apple) there's no way to recover
your keychain (and no point in storing the data permanently... if the devices
are lost so are the keys)

I wish they would explain it in more detail for those of us who care, but I
don't think this proves they're lying.

------
jeza
The four digit pin isn't to be confused with the passphrase that is used to
encrypt/decrypt the keychain data. The pin is just an extra measure on top of
your iCloud password to release your keychain data, along with SMS
confirmation. A longer password or no password won't stop a government agency
from being able to obtain the encrypted keychain data.

I just confirmed that the encryption key is different from the PIN by going
into keychain and viewing a password in the iCloud chain. It is indeed my much
longer pass phrase that decrypts the data.

------
codex
What does "stored" mean? Does it mean "temporarily buffered?" If so, most
networking technologies meet that criterion, and iCloud might too if it merely
buffers in RAM. Does it mean "unreadable in cleartext" by Apple? Possibly, but
this test doesn't answer that question.

------
unreal37
The currently only comment in the OP seems most likely. All devices get each
other's public key, and encrypt messages to each other using it. The keychain
itself passes encrypted.
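
The scheme several commenters above hypothesize (devices exchange public keys while both are online, then a server only buffers ciphertext) can be sketched as follows. This is an added example, not part of the thread and not Apple's actual protocol; the function names, the `keychain-sync-demo` label and the sample keychain item are hypothetical, and it assumes the public keys are exchanged authentically during device approval.

```javascript
// Added illustration of the hypothesis in this thread; not Apple's actual protocol.
// All names are hypothetical; the keychain item is constructed sample data.
const nodeCrypto = require('crypto');

// Pairing: each device makes an X25519 key pair and shares only the public half.
// Assumption: public keys are exchanged authentically during device approval.
function newDevice() {
  return nodeCrypto.generateKeyPairSync('x25519');
}

// Both ends derive the same AES-256 key via ECDH + HKDF; the relay never holds it.
function sessionKey(ownPrivateKey, peerPublicKey) {
  const shared = nodeCrypto.diffieHellman({ privateKey: ownPrivateKey, publicKey: peerPublicKey });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'keychain-sync-demo', 32));
}

function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function unseal(key, msg) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ct), decipher.final()]).toString('utf8'); // throws if tampered
}

function demo() {
  const mac = newDevice(), ipad = newDevice();
  const relayQueue = []; // what the server "stores": opaque buffered messages
  const item = 'example.com|alice|constructed-password';
  relayQueue.push(seal(sessionKey(mac.privateKey, ipad.publicKey), item));
  const relayHoldsPlaintext = relayQueue[0].ct.includes(Buffer.from('constructed-password'));
  const received = unseal(sessionKey(ipad.privateKey, mac.publicKey), relayQueue.shift());
  // A relay that flips one ciphertext bit is caught by the GCM tag check.
  const forged = seal(sessionKey(mac.privateKey, ipad.publicKey), item);
  forged.ct[0] ^= 1;
  let tamperDetected = false;
  try { unseal(sessionKey(ipad.privateKey, mac.publicKey), forged); } catch (e) { tamperDetected = true; }
  return { item, received, relayHoldsPlaintext, tamperDetected, queueLeft: relayQueue.length };
}

console.log(demo());
```

If the relay itself hands out the public keys without any out-of-band check, it can substitute its own and read everything, which is why the authenticity assumption matters more than whether the ciphertext is buffered.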

------
ROFISH
I wonder if the wording is wonky, but the meaning is technically correct: Not
the data itself, but rather key management. The first two methods, 4-digit or
complex password, will store a password-encoded key on iCloud. The second
"don't create a security code" will not store a password-encoded key on
iCloud. The key will instead be transferred via LAN, thus why it needs
approval from another local device that has it.

This is just a hypothesis, I wonder if it's true?

~~~
mjhall
I don't think the transfer occurs explicitly via LAN as other commenters point
out, seems more likely Apple acts as a tunnel between the device requesting
the keychain and the device authorising (sending) it.

------
baldfat
I have a strong bias against Apple and this is my number one complaint:
dishonesty to customers. Who cares? Hardly anyone. I love the no viruses and no
malware with PowerPC chip was faster than Intel x86 chips.

~~~
jamesrom
When has Apple ever been dishonest to customers?

~~~
brymaster
[http://www.apple.com/pr/library/2010/07/02Letter-from-Apple-...](http://www.apple.com/pr/library/2010/07/02Letter-from-Apple-Regarding-iPhone-4.html)

> "We have discovered the cause of this dramatic drop in bars, and it is both
> simple and surprising."

> "Upon investigation, we were stunned to find that the formula we use to
> calculate how many bars of signal strength to display is totally wrong. Our
> formula, in many instances, mistakenly displays 2 more bars than it should
> for a given signal strength. For example, we sometimes display 4 bars when
> we should be displaying as few as 2 bars."

People were actually meant to believe that Apple had a software bug for how
they calculate signal strength all the way up to the 4th iPhone, and was not
instead scratching AT&T's back by making their network look better than it was.

You know, _this_ Apple with the futuristic wireless testing facility:
[http://www.engadget.com/2010/07/16/inside-apples-black-lab-w...](http://www.engadget.com/2010/07/16/inside-apples-black-lab-wireless-testing-facilities/)

~~~
jamesrom
So your proof that Apple is dishonest is a letter from Apple being candidly
honest about their mistakes?

------
tuananh
They still have to use some sort of buffering/transferring the key in order to
sync; as long as they don't store the keys permanently on iCloud, it's fine.

