Push support via UnifiedPush #90

Closed
darkdragon-001 opened this issue Jan 9, 2023 · 5 comments

@darkdragon-001

darkdragon-001 commented Jan 9, 2023

Would this library be the right place to implement push support via UnifiedPush specification (for Whisperfish, Axolotl, ...)?

Blocked by UnifiedPush/wishlist#8

@gferon
Collaborator

gferon commented Jan 11, 2023

Well, whisperfish uses its own back end implementation for libsignal-service-rs. I know of a few others that use this project, and AFAIK Axolotl will be (or is?) using presage already (@nanu-c correct me if I'm wrong.)

I believe we could give this a shot as an optional feature in here?

@Schmiddiii
Contributor

As far as I understood UnifiedPush, for any Signal-clients to support it there must first be support on the Signal servers (see also the video in the getting-started section of UnifiedPush, it always also shows a server interacting with UnifiedPush). As this is currently not implemented (at least as far as I know), this is impossible for any Signal clients (even the official ones).

Related issue in Flare: https://gitlab.com/Schmiddiii/flare/-/issues/36.

@nanu-c
Contributor

nanu-c commented Jan 11, 2023

Actually it's possible via a bridge: https://github.com/MollySocket/mollysocket and its security implications

About security

Relative to Signal security

MollySocket receives the credentials for a linked device and does not receive any encryption key. Which means:

- Someone with access to MollySocket database can't change the identity key, to impersonate users. See [setKeys](https://github.com/signalapp/Signal-Server/blob/v8.67.0/service/src/main/java/org/whispersystems/textsecuregcm/controllers/KeysController.java#L111).
- Someone with access to MollySocket database may be able to use the credentials of linked devices to spam the Signal server and hit the rate limits. I haven't checked if this would temporarily block the account or just the linked device. (Availability risk)
- Someone with access to MollySocket database may be able to change some account field in a destructive way. For instance changing the account Name to something random. The cleartext will be random since these fields are encrypted and require encryption keys to be properly encrypted.

@gferon
Collaborator

gferon commented Apr 19, 2023

Closing since this is not really something we can implement only on the client side.

@gferon gferon closed this as completed Apr 19, 2023
@darkdragon-001
Author

@gferon can't we just use the Molly bridge in the client?
