this post was submitted on 04 Nov 2024
41 points (100.0% liked)

Privacy

32631 readers
464 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

By "push server" I mean something like Ntfy.sh.


Cross-posts

you are viewing a single comment's thread
view the rest of the comments
[–] rcbrk@lemmy.ml 2 points 2 months ago (1 children)

Regarding encryption of the push message, from https://unifiedpush.org/developers/spec/android/ :

Push message: This is an array of bytes (ByteArray) sent by the application server to the push server. The distributor sends this message to the end user application. It MUST be the raw POST data received by the push server (or the rewrite proxy if present). The message MUST be an encrypted content that follows RFC8291. Its size is between 1 and 4096 bytes (inclusive).

[–] Kalcifer@sh.itjust.works 1 points 1 month ago (1 children)

What's interesting, and is confusing me about this, is that Ntfy does not adhere to this [1]. I'm not sure how this can be.

References

  1. "End-to-end encryption (E2E) between clients (Android app, CLI, web app)". binwiederhier. ntfy/binwiederhier. GitHub. Published: 2021-12-29T02:07:36Z. Accessed: 2024-11-22T05:04Z. https://github.com/binwiederhier/ntfy/issues/69.
[–] rcbrk@lemmy.ml 1 points 1 month ago (1 children)

It doesn't matter. Even if the ntfy message was plaintext, that plaintext content would be a UnifiedPush "Push message" which is the RFC8291-encrypted raw POST data.

[–] Kalcifer@sh.itjust.works 1 points 1 month ago* (last edited 1 month ago) (1 children)

So, for example, if one were to register Unified Push notifications with Matrix using Ntfy, the creation of the encrypted Unified Push notifications would be done by the Matrix Unified Push Gateway which then gets handed off to Ntfy? Is there a way to confirm that the received notification is indeed encrypted?

[–] rcbrk@lemmy.ml 1 points 1 month ago (1 children)

You could have a look at the messages ntfy is passing around using its trace function: https://docs.ntfy.sh/troubleshooting/

[–] Kalcifer@sh.itjust.works 1 points 1 month ago (1 children)

I enabled logging in the Ntfy app, and, upon receiving a message in Element X, it showed the Matrix notification push message in plain text in the logs. If Ntfy indeed doesn't know anything about Unified Push and is just the medium through which a Unified Push message travels, then I would think that it wouldn't be the service decrypting the message, yet it is decrypted in the logs.

[–] rcbrk@lemmy.ml 2 points 1 month ago (1 children)

Yeah, I was doing some more reading and I think it might only be the newest version of the UnifiedPush spec which requires the message to be encrypted.

I noticed that the examples given on https://codeberg.org/iNPUTmice/up/src/branch/master/README.md are unencrypted.

[–] Kalcifer@sh.itjust.works 1 points 1 month ago

Yeah, I was doing some more reading and I think it might only be the newest version of the UnifiedPush spec which requires the message to be encrypted.

The question I would then have is: Who would be responsible for updating their system to support this (ie the Unified Push encryption)? Say if we, for example, look at Matrix. Would Matrix need to modify their notification API? Would the Matrix gateway in Ntfy need to be modified? Would some other component of Ntfy be modified? Would the distributor app need to be modified? Would the end-user application need to be modified?