GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. UnifiedPush (unifiedpush@fosstodon.org)'s status on Tuesday, 12-Dec-2023 08:37:48 JST

    Unidentified governments are surveilling smartphone users via their apps' push notifications, a U.S. senator warned: https://www.reuters.com/technology/cybersecurity/governments-spying-apple-google-users-through-push-notifications-us-senator-2023-12-06/

    That's why it's important to offer your users alternatives.

    #PushNotifications

    • Haelwenn /элвэн/ :triskell: likes this.
    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 12-Dec-2023 08:48:56 JST
      in reply to Rich Felker
      @dalias @unifiedpush Well regardless of content encryption or lack of content, the linked article is about metadata, which has long been the problematic part.
    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 12-Dec-2023 08:48:57 JST
      in reply to

      @unifiedpush Shouldn't the protocol mandate encrypting notifications or even disallow any payload in the notification, instead forcing it to be nothing but a wake-up ping?

      clacke likes this.
    • UnifiedPush (unifiedpush@fosstodon.org)'s status on Tuesday, 12-Dec-2023 08:48:58 JST
      in reply to

      In addition, we strongly advise developers to encrypt their push notifications, recommending #WebPush [*] or to adopt a sync-on-push strategy (which is what Signal does).

      [*] Follow RFC8291, forget about the old draft protocol abandoned 7 years ago!

    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 12-Dec-2023 08:57:28 JST
      in reply to Rich Felker
      @dalias @unifiedpush Except it works the other way around, which is why it can be used for de-anonymisation.
    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 12-Dec-2023 08:57:30 JST
      in reply to Haelwenn /элвэн/ :triskell:

      @lanodan @unifiedpush "App x sent a ping to check for new notifications" isn't terribly sensitive metadata.

    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 12-Dec-2023 09:03:23 JST
      in reply to Haelwenn /элвэн/ :triskell:

      @lanodan @unifiedpush Sorry, I was unclear on usage of the word "app". I meant "service provider associated with app x sent a ping that app x needs to wake up and query it for possible new notifications". That's the safe reasonable way to do notifications and the way Signal does them.

      Haelwenn /элвэн/ :triskell: and clacke like this.
    • Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 12-Dec-2023 09:20:39 JST
      in reply to Rich Felker
      @dalias @unifiedpush Yeah, a simple wake-up ping like that would probably be the safest method, especially if you avoid sending a ping at every message.
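
The wake-up-ping (sync-on-push) design discussed in this thread, as an added example that is not code from any participant or from UnifiedPush: the push carries an empty body, pings are coalesced to one per sync cycle rather than one per message, and the client pulls content from the app's own server. The class names, the `retry_after` value and the endpoint URL are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class PushProvider:
    """Stand-in for the push distributor; records everything it can observe."""
    observed: list = field(default_factory=list)

    def deliver(self, endpoint: str, body: bytes, now: float) -> None:
        self.observed.append((now, endpoint, body))


@dataclass
class AppServer:
    provider: PushProvider
    retry_after: float = 300.0                     # assumed: re-ping if unanswered this long
    inbox: dict = field(default_factory=dict)      # endpoint -> messages awaiting sync
    ping_sent: dict = field(default_factory=dict)  # endpoint -> time of unanswered ping

    def new_message(self, endpoint: str, text: str, now: float) -> None:
        self.inbox.setdefault(endpoint, []).append(text)
        outstanding = self.ping_sent.get(endpoint)
        # One empty ping per sync cycle, not one per message.
        if outstanding is None or now - outstanding >= self.retry_after:
            self.provider.deliver(endpoint, b"", now)
            self.ping_sent[endpoint] = now

    def sync(self, endpoint: str) -> list:
        """Client fetches over the app's own authenticated, encrypted channel."""
        self.ping_sent.pop(endpoint, None)
        return self.inbox.pop(endpoint, [])


def simulate():
    provider = PushProvider()
    server = AppServer(provider)
    ep = "https://push.example.invalid/up/constructed-token"  # constructed endpoint
    for t, text in [(0, "hi"), (5, "are you there?"), (20, "call me")]:
        server.new_message(ep, text, t)
    first = server.sync(ep)            # client woke up and pulled three messages
    server.new_message(ep, "ok", 90)   # new cycle, so a new ping
    second = server.sync(ep)
    return provider.observed, first, second


if __name__ == "__main__":
    observed, first, second = simulate()
    print("provider saw:", observed)
    print("client fetched:", first, second)
```

The provider's record holds only an endpoint and a timestamp for each ping, which is the metadata the thread refers to; the message text never passes through it.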


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.