Add webpush headers, fake encryption for now #35
Conversation
|
|
|
For curiosity: Is it for real use? With which server/service? Faking security doesn't sound like a good idea to me. Would it be an option to change the server so that it doesn't always enforce encrypted payload? |
|
Sunup uses mozilla's webpush server which enforce encryption. It will be advertised as the goto distributor, since it doesn't need any user login, nor to change any setting, the default server doesn't have rate limits and it follows the last specifications. So, this is a workaround for a real use, until notifications are properly encrypted (following webpush specs) |
|
I still think it's a security issue to mark non-encrypted data as encrypted. Let's assume the service is hacked and data leaks – then they can and will say "we made sure that all data is encrypted". If however DAVx5 or Nextcloud had marked unencrypted data as encrypted, DAVx5 or this extension will then rightly be blamed for the data leak. If it's that important, we should implement encryption instead. Or is there anything I have missed? |
|
I agree, and this is definitely a workaround until encryption is properly setup. But there 2 things to keep in mind:
So, I think this is OK to do the hack as a first step for a transparent transition to the encrypted notifications |
Plus the sync token. Hopefully servers won't use sensitive information for the topic or sync-token.
Good point. I suggest that we also add the hint that it marks unencrypted data as encrypted into the README, directly after the sentence above. |
|
It makes sense, I've pushed a change for the README |
This is a first step for #32