Updated Whisper Push Notifications (markdown)

Victor Farazdagi 2017-04-12 19:01:00 +03:00
parent ed423d073b
commit 1b1fc61d7a
1 changed files with 17 additions and 0 deletions

@ -372,4 +372,21 @@ statusd --datadir app2 --http --httpport 8745 wnode # as Device B
statusd --datadir wnode2 wnode --notify --password asdfasdf --injectaccounts=false --firebaseauth=XXX # as notification server, you need to setup your app with FCM and use your own authorization key
```
If you run that page in gist, you should see sth like this:
![image](https://cloud.githubusercontent.com/assets/188194/24966636/34a226ea-1fb0-11e7-9b18-b3595ed108e6.png)
# Important Questions (with answers!)
### Question: If Discovery Protocol's SymKey is publicly known, what will happen if some attacker just forks `status-go` repo, and responds to discovery request?
It is crucial to understand what might be exposed:
- clients' public keys
- clients' device IDs
- some extra info which you pass in notifications
So, public keys exposure shouldn't be a huge problem. When it comes to device IDs, can attacker use them to send unwanted/spam notifications? Well, since those device IDs were generated for a given FCM app, they are useless to attacker unless authorization key to that app is known (and it isn't). Finally, to make sure we do not over-expose ourselves, make sure that you do not include too much of internal information in notifications - then even if attacker can get those, not much will be gained (although, we must warn users that by enabling notifications they potentially enable 3rd party to track the fact of communication - **not the content of it of course**)
# Limitations
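Review bot: In the answer paragraph under the new "Important Questions" heading, the tracking risk is only mentioned in a closing parenthetical, while the bullet list above it presents the exposure as just three data items. A responder that collects clients' public keys together with device IDs and notification payloads can link them, which is what makes "track the fact of communication" possible. Suggest adding that as its own bullet under "what might be exposed" and moving the user-facing warning out of the parentheses into its own sentence. The advice "do not include too much of internal information in notifications" is also too vague to act on. Consider naming which fields are expected in a notification payload and which must never be included. The statement that device IDs are useless without the authorization key rests entirely on that key staying secret, so it is worth saying so next to the `--firebaseauth=XXX` example and noting that the key should not be shared or committed. Style points: the section jumps from `#` to `###` with no `##` level; blank lines are missing between the image, the heading, the list and the following paragraph, which some markdown renderers need; and "sth" should be spelled out as "something".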