Many IM clients let you send a message that refers to or quotes another message. Often, such responses are displayed with the original message included as a quotation.
For example, BBM Enterprise for Windows and macOS displays a quoted message like this:
The top bubble contains the original message from Bob and the bottom bubble contains my reply. Above the line, you can see my new reply to Bob, "No problem. We can wait." Below the line you can see a copy of Bob's message that I am referring to along with some metadata about that original message, such as the fact that it was from Bob and sent at 11:58 AM. This feature is especially useful in group chats with many participants, especially if a few overlapping threads of conversation are taking place. You can respond to someone else's question or react to their remark while also indicating precisely what you're reacting to. When you are catching up on several newly arrived messages after a meeting or a lunch break, quoting also helps you respond to older messages in context while keeping your new responses front and center as new chat messages. It's a very useful feature.
Even though it seems conceptually simple, there's a possible security concern lurking in this feature.
Did they really say that?
Consider how an IM app might implement such a feature. One way would be for my endpoint to make a copy of Bob's name and text and include it in my message alongside my text. Endpoints that receive my message, such as Bob's and those of other participants in the chat, would find both strings in my message and display them both.
Unfortunately, that naive implementation gives the people reading my quotation the visual impression that Bob said what I claimed he said. With this simplistic mechanism, the text drawn in the bottom bubble is actually text that my endpoint added to the chat and that I claim is what Bob said. Even when my message is cryptographically signed in a way that the other participants can verify that it came from me, that verification can't also prove that Bob said, "I can't approve that purchase order yet." just because my message attributed it to him. This is a consequence of the decision to copy an unsigned version of Bob's original message. If my endpoint were rogue, I could provide alternative text to make it appear that Bob said something other than what was in his original message. Especially in a group chat, this would compromise the trust that the participants have in the content and allow me to put words in Bob's mouth. For example, imagine if I claimed that Bob had actually granted approval and used that to fool Carol:
Presuming that Bob's original message did come with a signature (as it does in BBM Enterprise), it's worth noting that we can't use his original signature with an excerpt of his message. The signature should be proving the integrity of the entire protocol message that Bob sent to us, including implementation detail metadata and other fields that were used to convey more than just the actual human-readable part of his message. There's not really a simple or automated way for Bob to verify and re-sign just the part of his message that my endpoint would need to include when I quote him. The IM app could include a complete copy of Bob's original signed message in my quote, and that would probably work, but it's wasteful because the other chat participants should receive the original anyway.
BBM Enterprise implements quotations using the Chat Message References feature that is also offered by BlackBerry Spark Communications Services. Instead of sending a copy of Bob's message, my BBM Enterprise endpoint sends a reference to Bob's message.
Each message in a BBM Enterprise chat has a unique message ID that is known by all participants. When I send my message quoting Bob, my endpoint finds the message ID associated with Bob's message and includes that in my protocol message. My endpoint doesn't need to include Bob's text, his name, or other metadata such as the timestamp in the protocol message that carries my quote. That information can be extracted from the original message that the message ID refers to, with the benefit that every receiver has already verified that information against the original sender's signature. Now, when BBM Enterprise displays my message quoting Bob, the text and metadata shown for Bob's message are taken directly from Bob's original, verified message that the displaying endpoint already trusts. There's no need for others to "take my word for it" that Bob said what I claim. They know what he said, and they display their own trusted version of it.
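The difference between the copy-based and reference-based designs can be shown from the receiver's side. The following is an added example, not BBM Enterprise code: HMAC with constructed per-sender keys stands in for real digital signatures, and the field names `quote_sender`, `quote_text` and `quote_ref` are hypothetical.

```python
import hmac, hashlib, json

# Constructed per-sender keys. HMAC stands in for a real digital signature
# only to keep this stdlib-only; it is not BBM Enterprise's scheme.
KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}

def sign(sender, body):
    """Build a message whose tag covers the entire body (all fields)."""
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(KEYS[sender], payload, hashlib.sha256).hexdigest()
    return {"sender": sender, "body": body, "tag": tag}

def verify(msg):
    payload = json.dumps(msg["body"], sort_keys=True).encode()
    expected = hmac.new(KEYS[msg["sender"]], payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])

class Receiver:
    """Carol's endpoint: stores only messages that passed verification."""
    def __init__(self):
        self.verified = {}  # message ID -> verified message

    def receive(self, msg):
        if not verify(msg):
            raise ValueError("bad signature")
        self.verified[msg["body"]["id"]] = msg

    def render_naive(self, msg_id):
        """Copy-based quoting: displays whatever the quoter embedded."""
        body = self.verified[msg_id]["body"]
        return body["quote_sender"], body["quote_text"]

    def render_by_reference(self, msg_id):
        """Reference-based quoting: displays the receiver's own verified copy."""
        ref = self.verified[msg_id]["body"]["quote_ref"]
        original = self.verified.get(ref)
        if original is None:
            return None  # unknown reference: show no quoted text at all
        return original["sender"], original["body"]["text"]

def demo():
    carol = Receiver()
    carol.receive(sign("bob", {"id": "m1", "text": "I can't approve that purchase order yet."}))
    # Validly signed by alice, yet the embedded quote is her claim, not Bob's words.
    carol.receive(sign("alice", {"id": "m2", "text": "See? Approved.",
                                 "quote_sender": "bob", "quote_text": "Approved."}))
    carol.receive(sign("alice", {"id": "m3", "text": "No problem. We can wait.", "quote_ref": "m1"}))
    return carol.render_naive("m2"), carol.render_by_reference("m3")
```

Message `m2` passes verification even though its embedded quote never came from Bob, while `m3` can only ever display the text Carol's endpoint already verified against Bob's own key.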
Another benefit of this approach is that I am indicating precisely which message I am referring to. If Bob said the same (or similar) things multiple times in the history of this chat, my quote refers to precisely one of those messages. BBM Enterprise uses this information to let you tap or click on the quoted message in the quoting bubble in order to be taken to the quoted message. This makes it easier to follow along and understand my message in context.
If Bob edits his original message to correct a mistake, BBM Enterprise will display the updated message in place of the original, along with a pencil icon to indicate that the message has been edited by the author. For example, he might edit his message to indicate that it was really the finance department that hasn't approved the order yet:
Because my quote is based on a reference to Bob's original message, BBM Enterprise updates my quote to refer to his edited message. In fact, if Bob's message is quoted many times, even by different participants, all of those quoting messages are updated.
This means that Bob can perform an edit after I quote him, and he could change the meaning of his message to try to alter the meaning of my quote:
But Bob isn't likely to be successful in this attempt at deception for a few reasons. BBM Enterprise shows the pencil icon even in my quotation of him, thereby indicating to the user that the quoted message has experienced an edit. All participants of the chat see this, so everyone can tell what's happened. I also can see this and react. The most fundamental difference, though, is that even if Bob plays the trickster here, neither of us is making an unverifiable claim about what the other said. If Bob edits his message to say, "Your vacation for the year has been cancelled.", then he really did say that, even if it is nonsense. Whether I quoted it or not, a message editing feature, by design, allows participants to revise what was said before.
BBM Enterprise is secure by design, not only in its use of cryptography but also in the details of its features and user interface. Care is taken to make sure that your messages are kept secure and private at every layer of the application. You don't have to question quotations or any other messages in your BBM Enterprise chats.
Find out more about BBM Enterprise, including how to get a free trial of it for your organization or as an individual.
About Brad Spencer
Brad is a code-writing software architect who designs and builds secure communications systems at BlackBerry, including BBM Enterprise. In previous roles, he has worked on scalable server software in pioneering Internet telephony systems.