Hey Halil, I think you are severely mistaken in what you claim here. On what are you basing these statements? As far as I know, the notifications are (at least on some platforms) ONLY used to trigger the local app to fetch the end-to-end encrypted message from the whispersystems server [0]. Maybe someone else can pitch in. This would mean, that the push service does not even get to see the *encrypted* message, much less a plaintext version of it.
If I am actually mistaken here, please enlighten me with a source for the things you write. Best regards, Raphael [0] Moxie has said so in the thread "Re: [whispersystems] Using WebPush rather than the Google Services" in the whispersystems mailing list on December 4th, 2015: Nothing is in the push contents, it's just an empty notification to initiate a connection. On 02/22/2016 11:32 PM, Halil Kemal Taşkın wrote: > Besides your communication with your partner, there is another issue > here; the servers in the middle. > Actually, Signal can encrypt everything end-to-end between you and your > partner. > Here interesting point is the push notification service. So, when you > write a message and touch the send button, application mainly does two > thing, one is to encrypt the message with the end-to-end encryption > protocol signal uses (as expected) and the other one is to send the > message itself (as a plaintext!) to the push servers (Apple APNS, > Google GCM and even (if used) 3rd party services like Amazon SNS) to > show the notification on your partner's screen. This actually damages > the end-to-end encryption fashion of the application. > And, even if you set your app to not to show the content in the > notification center, you dont guarantee that the plaintext text > version of your message is sent to the push servers. > > Regards, > -- > Halil Kemal TASKIN > > _______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
