Comment by SergeAx
17 hours ago
Probably stupid question: why won't they e2e-encrypt push notifications too? The vector is obvious and has been open since forever.
Signal does not send any sensitive information in push notifications sent via APNs [0]. This story concerns the local OS cache of push notifications, which are triggered after E2E decryption has occurred.
[0] https://mastodon.world/@Mer__edith/111563865413484025
The "e" in e2e encryption is a computing device, not the device's user's brain.
Right. So I send a push notification with the "silent" flag and encrypted content; the app receives it, decrypts the text, and displays the notification locally. Google/Apple has only ciphertext in their FBI/CIA/NSA-accessible databases.
I'm confused. You mean the iOS system notification would display the decrypted message in plaintext? Or do you mean the iOS system notification would display the encrypted message (i.e. it would be unreadable)?