[messaging] encryption of Signal notification messages

Halil Kemal Taşkın haliko87 at gmail.com
Mon Feb 22 14:32:10 PST 2016


Besides your communication with your partner, there is another issue
here: the servers in the middle.
Actually, Signal can encrypt everything end-to-end between you and your partner.
The interesting point here is the push notification service. So, when you
write a message and touch the send button, the application mainly does two
things: one is to encrypt the message with the end-to-end encryption
protocol Signal uses (as expected) and the other one is to send the
message itself (as plaintext!) to the push servers (Apple APNS,
Google GCM and even (if used) 3rd party services like Amazon SNS) to
show the notification on your partner's screen. This actually damages
the end-to-end encryption fashion of the application.
And, even if you set your app not to show the content in the
notification center, you don't guarantee that the plaintext text
version of your message is sent to the push servers.

Regards,
--
Halil Kemal TASKIN



2016-02-23 0:20 GMT+02:00 Nick Badger <nbadger1 at gmail.com>:
> +1 to Tony and Felix. From my perspective this is pretty cut and dry. You
> have no control over your conversation partner's tech configuration. If they
> choose to display your name and the content of the message in lock screen
> notifications, then that's their decision and there's nothing you can (or
> should be able to) do to change that. If you're worried about that being
> incriminating, and you don't trust them to avoid such plaintext
> notifications, then you've just implied you don't trust their opsec enough
> to communicate with them at all.
>
> Also as a reminder, Signal uses an open protocol. I could write my own
> client that publishes every message I receive onto my personal webpage.
> Either you trust someone enough to talk to them, or you don't!
>
>
> Nick Badger
> https://www.ethyr.net
> https://www.muterra.io
> http://www.nickbadger.com
> PGP fingerprint 37B9 22FC 2E47 50AA E06B 9CEC FB65 8930 46F0 333A, listed at
> MIT and PGP
>
> On Mon, Feb 22, 2016 at 2:13 PM, Chris Johnson <captain.slim at gmail.com>
> wrote:
>>
>> > How do you ensure your communication partner locks its phone?
>>
>> Good point, though I think it's a reasonably safe bet that someone who
>> uses Signal to communicate locks his phone.
>>
>>
>> On Mon, Feb 22, 2016 at 5:09 PM Felix Eckhofer <felix at tribut.de> wrote:
>>>
>>> Hey.
>>>
>>> On 22.02.2016 23:00, Chris Johnson wrote:
>>> > that. I'd like to know that when I send someone a message, only he can read
>>> > it, but when messages might be pushed to the lock screen of a locked phone,
>>>
>>> How do you ensure your communication partner locks its phone?
>>>
>>>
>>> felix
>>> _______________________________________________
>>> Messaging mailing list
>>> Messaging at moderncrypto.org
>>> https://moderncrypto.org/mailman/listinfo/messaging

