[messaging] encryption of Signal notification messages
Eric Mill
eric at konklone.com
Mon Feb 22 14:57:31 PST 2016
> Actually, Signal can encrypt everything end-to-end between you and your
partner.
While I haven't reviewed every line of the source myself, all of Signal's
stated guarantees and technical documentation have said that no, they
cannot do this. Messages are encrypted with keys generated locally, which
are never shared with OWS' server's, Apple's, or Google's.
Given everything I understand about Signal, Android, and iOS -- whether the
popup notification shows the text of the message or not has no bearing on
how the Signal message is sent through GCM, Apple APNS, or any other third
party like Amazon SNS.
-- Eric
On Mon, Feb 22, 2016 at 5:44 PM, Tony Arcieri <bascule at gmail.com> wrote:
> On Mon, Feb 22, 2016 at 2:38 PM, Nick Badger <nbadger1 at gmail.com> wrote:
>
>> Can anyone confirm that this is, in fact, the app's behavior, and that
>> it's not using the push server to call a local display or something? I'm
>> not hugely familiar with mobile deployment, and I've never used the push
>> servers. I know you could register a service on the phone, but I don't know
>> if the notification could tie into it. Regardless, it strikes me as odd
>> that a team as capable as Open Whisper would put such a large
>> not-end-to-end hole in an app whose explicit purpose (for many) is
>> end-to-end security.
>>
>
> I'm like 99% sure this is the case (as an early Signal user)
>
> When I first started using Signal, the push notifications always said "New
> Message"
>
> The messages are sent encrypted over push notifications.
>
> Repeat: (since I already posted this message and apparently people ignored
> me the first time) The messages are sent encrypted over push notifications.
>
> As far as I know, if the local user of the phone has their settings
> configured to do so, the encrypted push notifications are decrypted
> *locally* on the phone *before* display.
>
> Also in general as best as I have followed Signal development, the
> developers (primarily Frederic Jacobs) are extremely aware of these issues
> and doing a better job addressing them than any other iOS app available
> today.
>
> Also Signal is open source, so if you're really curious, read the source
> code yourself:
>
> https://github.com/WhisperSystems/Signal-iOS
>
> --
> Tony Arcieri
>
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
>
>
--
konklone.com | @konklone <https://twitter.com/konklone>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20160222/350b8762/attachment.html>
More information about the Messaging
mailing list