Why is unified push so popular?

pixelfairy

Why is unified push so popular? Contacting the server directly is more reliable. The extra battery drain is minimal. With UP you're either running your own server, meaning your phone keeps pinging something you control and revealing it. Or pinging something someone else controls, making one more entity that can track you.

Very few apps support background sync.

n3t_admin

pixelfairy Contacting the server directly is more reliable. The extra battery drain is minimal.

Now, see when you have multiple apps using it, the battery drain decreases with each additional one. Sadly, there's just a very small amount of apps that do support UP. I'd debate reliability; I'd say it's the same - not more.

pixelfairy With UP you're either running your own server, meaning your phone keeps pinging something you control and revealing it. Or pinging something someone else controls, making one more entity that can track you.

I don't see how that is possible.

pixelfairy Very few apps support background sync.

Especially Molly can make use of UP when database encryption at rest is enabled. The app would have no way to contact the WebSocket in that state, so UP is a welcome addition.

mmobder

pixelfairy . The extra battery drain is minimal

It's such a false statement. SimpleX is eating the battery as hell if you enable regular/frequent updates of msgs

Delaney

pixelfairy Why is unified push so popular?

Because some people want to use an alternative to Google's push notification system.

pixelfairy

n3t_admin I don't see how that is possible.

Whoever is spying on your local network, or your vpn provider can see you contacting the UP server your hosting. If interested, can then check that out, possibly revealing your identity.

A public one can see which client is using the same set of services like a fingerprint and follow that around.

In both cases, you might be able to tell nfty to use tor.

With background sync, the local network or vpn provider can see what services your using, but thats it. No more than if your not using UP.

pixelfairy

mmobder I've never used Simplex. The apps I based this on are Molly and Fairemail.

GrapheneOS

pixelfairy Molly uses Signal's WebSocket push if you don't have UnifiedPush or FCM for it instead. Signal's WebSocket push is quite inefficient, although not as bad as it used to be. It's nowhere near as efficient as a properly optimized push implementation though. Combine that with having multiple similarly inefficient implementations and that's a lot of extra power usage. People often set things up that way, then blame the OS for the poor battery life.

n3t_admin

pixelfairy Whoever is spying on your local network

If someone is spying on my local network, the least of my concerns is going to be UP. It's gonna be: how to get them the fuck out of my network.

pixelfairy or your vpn provider can see you contacting the UP server your hosting

They don't know what type of server it is. HTTPS exists for a reason.

pixelfairy If interested, can then check that out, possibly revealing your identity.

What can they "check out" exactly? How are they going to reveal an identity this way?

pixelfairy A public one can see which client is using the same set of services like a fingerprint and follow that around

Exactly like any other web service.

pixelfairy the local network

the "local network" is not an entity. It's a software defined concept, that is usually based on the premise of private IP address ranges (10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16).

pixelfairy vpn provider can see what services your using

That depends on how obfuscated your domains are. This would most likely require DPI, which is unpractical on a big ISP scale.

pixelfairy Whoever is running the service your personal UP server is connected to will see a single users UP traffic going to that ip address.

Like every other web service. I don't understand what you are hinting at here.

pixelfairy

Wont let me edit the above. Whoever is running the service your personal UP server is connected to will see a single users UP traffic going to that ip address.

Bismark

n3t_admin
dns on port 53 is not encrypted. Your ISP can see the traffic that comes from your router but does not know what device behind your router. When your data 4G or whatever turned on in your phone, your phone ISP knows.

Even if you use something to encrypt dns like dnscrypt or the many other options, its easy to look up domain names tied to ip address if you monitor web traffic. Here is where I say something controversial, a lot of consumers are buying routers at the store, I call them consumer grade routers. They are selling them with fancy kind word- similar to antivirus for your PC but features only something that protects you. A big sticker on the box, some fancy GUI thing. Well whats going on is they are monitoring where you go "for your safety" but the small fine print is they are making money selling that data. This was a while back, and I think the EU laws may have put a stop to most of that, I am not going to name the company doing it, but that is how you may have a spy inside your network!

do it yourself router and a separate AP for the win

n3t_admin

Bismark none of this makes any sense. DNS is completely unrelated here. Cryptic domain names are very common, where nobody knows what they mean.

Bismark Your ISP can see the traffic that comes from your router but does not know what device behind your router. When your data 4G or whatever turned on in your phone, your phone ISP knows.

You probably think they can see more than they do. All they see is basically IP addresses - none of the content (unless it's unencrypted HTTP).

xxx

GrapheneOS Signal's WebSocket push is quite inefficient

That's so true. Molly or Signal eats the battery without a push service.

Bismark

n3t_admin
I was referring to NAT as to why your isp does not know what device behind your router is asking for the ip of a domain. Thought it was related to a post on push services being used to kind of fingerprint a device.

I would just use a vpn or get all push services loaded into 1, I assume that is what unified push is? I am using just the one from nextcloud installation for a couple months now, and don't really care because my email is imap and is always connected anyways. So I have 2 active connections and dns lookup/querys in the open on port 53. If I didnt want to be tracked, I think public vpn is only way to go, or switch email to pop, and have it check once a day maybe, go without instant notifications on some things?

chinook

n3t_admin

You probably think they can see more than they do. All they see is basically IP addresses - none of the content (unless it's unencrypted HTTP).

DOH, ECH have been designed exactly because SNI is visible (unencrypted), so the connection attempt was leaking the server name twice.

Thankfully Chrome/Firefox/Edge (not sure about Safari) all seem to have at least ECH enabled, so unless your organisation disabled it via policy, it should no longer be a concern, at least with the services that either use major CDNs or use TLS 1.3 exclusively.

n3t_admin

chinook how is SNI relevant in this situation? If I (self)host UP (let's say ntfy), what is SNI going to give a possible adversary?

So let's say my ntfy base domain is b79c66077e27a1c100292a6aa5da291cfa7da7ef982a7d0d2708be38d76b31f.us-east-1.prod.service.minerva.devices.a2z.com (this is a real domain used by Amazon btw) - how are you now going to figure that the service running behind this domain is ntfy? Considering I have a reverse proxy and a wildcard certificate, I just did a quick pcap in Wireshark and I don't see any identifiers when I curl -d my ntfy instance.

Now you could argue that you can curl the base domain and find out what is running that way - but then again, I just enabled SSL auth in my reverse proxy - so good luck curling that domain now.

Maybe I'm missing something here (I'm not a layer 7 expert by any means), I'm just intrigued.

chinook

n3t_admin I don't understand your response. I literally quoted the part of your post I responded to?

You probably think they can see more than they do. All they see is basically IP addresses - none of the content (unless it's unencrypted HTTP).

I commented on the "You probably think they can see more than they do." - they can, DNS (if you don't use DOH/DOT) and the actual hostname, unless the browser defaults to ECH and domain supports it.

In this specific example you give above it doesn't matter too much. I literally just commented on the false assumption someone could make by reading it, that the HTTPS alone is enough for the traffic to be unintelligible to whoever is monitoring the traffic - that doesn't necessary is a "bad cop", it's usually just a carrier/ISP.

n3t_admin

chinook by "content" I meant anything above layer 4 (maybe I'm hitting my language barrier here). You don't even need to sniff SNI in many cases, since a good chunk of domains can be PTR'ed to correlate traffic.

But yes, they can see hostnames if ECH (or similar) isn't utilized.

chinook

n3t_admin oh, yeah, ok, I understand you now. Thx.