[messaging] encryption of Signal notification messages

Raphael Arias arias at in.tum.de
Mon Feb 22 15:02:30 PST 2016


Hey Halil,

I think you are severely mistaken in what you claim here. On what are
you basing these statements?
As far as I know, the notifications are (at least on some platforms)
ONLY used to trigger the local app to fetch the end-to-end encrypted
message from the whispersystems server [0]. Maybe someone else can pitch
in. This would mean that the push service does not even get to see the
*encrypted* message, much less a plaintext version of it.

If I am actually mistaken here, please enlighten me with a source for
the things you write.

Best regards,
Raphael

[0] Moxie has said so in the thread "Re: [whispersystems] Using WebPush
rather than the Google Services" in the whispersystems mailing list on
December 4th, 2015:

Nothing is in the push contents, it's just an empty notification to
initiate a connection.

On 02/22/2016 11:32 PM, Halil Kemal Taşkın wrote:
> Besides your communication with your partner, there is another issue
> here; the servers in the middle.
> Actually, Signal can encrypt everything end-to-end between you and your partner.
> The interesting point here is the push notification service. So, when you
> write a message and touch the send button, the application mainly does two
> things: one is to encrypt the message with the end-to-end encryption
> protocol Signal uses (as expected) and the other one is to send the
> message itself (as a plaintext!) to the push servers (Apple APNS,
> Google GCM and even (if used) 3rd party services like Amazon SNS) to
> show the notification on your partner's screen. This actually damages
> the end-to-end encryption fashion of the application.
> And, even if you set your app not to show the content in the
> notification center, you don't guarantee that the plaintext text
> version of your message is sent to the push servers.
> 
> Regards,
> --
> Halil Kemal TASKIN
> 
> 

