Privacy @lemmy.ml Kalcifer @sh.itjust.works 1 day ago

Can a Unified Push push server see/read notifications?

By "push server" I mean something like Ntfy.sh.

Cross-posts

https://sh.itjust.works/post/27577324

14 comments

I think a lot of comments have missed that ntfy.sh does not use UnifiedPush, the ntfy server is a UnifiedPush provider and the ntfy app is a UnifiedPush distributor.
I still want to know if MQTT already did this & UnifiedPush is just a startup trying to reimplement the same concept
- IMHO UnifiedPush is just a poor re-implementation of WebPush which is an open and distributed standard that supports (and in the browser requires, so support is universal) E2EE.
  
  UnifiedPush would be better as a framework for WebPush providers and a client API. But use the same protocol and backends as WebPush (as how to get a WebPush endpoint is defined as a JS API in browsers, would would need to be adapted).
  
  Sounds like you need a browser tho. UnifiedPush & MQTT work without a browser with WebPush support.
Yes, I believe all the messages are in plain text, and it's up to the server not to log it.

It is possible to e2ee the message content yourself tho.

Edit: it looks like ntfy.sh specifically keeps messages cached in memory for a few hours befor discarding them. https://docs.ntfy.sh/config/
Regarding encryption of the push message, from https://unifiedpush.org/developers/spec/android/ :

Push message: This is an array of bytes (ByteArray) sent by the application server to the push server. The distributor sends this message to the end user application. It MUST be the raw POST data received by the push server (or the rewrite proxy if present). The message MUST be an encrypted content that follows RFC8291. Its size is between 1 and 4096 bytes (inclusive).
Yes, they can read the data. But apps like Molly (Signal Fork) send encrypted notifications. So, the time and some other metadata may be read by the server, but the content and contact won't be visible in plain text.
- For Signal/Molly, it's less that the notification is encrypted as I understand it. It's more the notification content is just "Hey! Stuff happened" for Signal. The app then reaches out directly to the Signal servers to see what's new. So the message content is never sent via the push notification service (UnifiedPush or Google's service).
  
  Oh yes. Like, I selfhost both, ntfy and MollySocket. I am sure MollySocket does encrypt the data.
I never used it, but I would assume yes after reading the frontpage and the doc. At no point there is a PSK set between sender and reciever, not I see any signs for key exchange between devices.

This is not a definitive answer though as I didn't read the source code of Nfty, nor the UnifiedPush spec.

You've viewed 14 comments.