docs: Clarify push notification service privacy model.

This just makes what was already said there a lot more explicit.
Tim Abbott
2019-03-21 16:30:19 -07:00
parent 3da06fecd5
commit 0d04724da6


@@ -104,11 +104,37 @@ and privacy in mind:
* A central design goal of the the Push Notification Service is to
avoid any message content being stored or logged by the service,
even in error cases. We store only the necessary metadata for
delivering the notifications. This includes the tokens needed to
push notifications to the devices, and user ID numbers generated by
your Zulip server. These user ID numbers are are opaque to the Push
Notification Service, since it has no other data about those users.
even in error cases.
* The Push Notification Service only stores the necessary metadata for
delivering the notifications to the appropriate devices, and nothing
else:
* The APNS/FCM tokens needed to securely send mobile push
notifications to iOS and Android devices, one per device
registered to be notified by your Zulip server.
* User ID numbers generated by your Zulip server, needed to route
a given notification to the appropriate set of mobile devices.
These user ID numbers are are opaque to the Push Notification
Service and Kandra Labs.
* The Push Notification Service receives (but does not store) the
contents of individual mobile push notifications:
* The numeric message ID generated by your Zulip server.
* Metadata on the message's sender (name and avatar URL).
* Metadata on the message's recipient (stream name + ID, topic,
private message recipients, etc.).
* A timestamp.
* The message's content.
There's a `PUSH_NOTIFICATION_REDACT_CONTENT` setting available to
disable any message content being sent via the push notification
bouncer (i.e. message content will be replaced with
`***REDACTED***`). Note that this setting makes push notifications
significantly less usable.
We plan to
[replace that setting with end-to-end encryption](https://github.com/zulip/zulip/issues/6954)
which would eliminate that usability tradeoff and additionally allow
us to not have any access to the other details mentioned in this
section.
* All of the network requests (both from Zulip servers to the Push
Notification Service and from the Push Notification Service to the
relevant Google and Apple services) are encrypted over the wire with
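Review bot: The doubled "are are" in "These user ID numbers are are opaque to the Push Notification Service and Kandra Labs" is carried over verbatim from the old bullet; since this sentence is rewritten anyway, drop the extra "are" (the "the the" in the unchanged first bullet, "A central design goal of the the Push Notification Service", could go in the same commit). Second, the sub-list of what the service receives ends with "private message recipients, etc."; in a privacy disclosure that claims two bullets earlier to store "nothing else", an open-ended "etc." undercuts the point, so either enumerate the remaining fields or point at the code path that builds the payload. Finally, the `PUSH_NOTIFICATION_REDACT_CONTENT` paragraph should state plainly that the setting replaces only the message content field and that the sender name, avatar URL, stream/topic and recipient metadata listed just above are still sent; at present the reader has to infer that from the end-to-end encryption sentence that follows.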
@@ -118,14 +144,6 @@ and privacy in mind:
[Zulip server project on GitHub](https://github.com/zulip/zulip).
* The push notification forwarding servers are professionally managed
by a small team of security expert engineers.
* If you'd like an extra layer of protection, there's a
`PUSH_NOTIFICATION_REDACT_CONTENT` setting available to disable any
message content being sent via the push notification bouncer
(i.e. message content will be replaced with `***REDACTED***`). Note
that this setting makes push notifications significantly less
usable. We plan to
[replace this feature with end-to-end encryption](https://github.com/zulip/zulip/issues/6954)
which would eliminate that usability tradeoff.
If you have any questions about the security model, contact
support@zulipchat.com.
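Review bot: Deleting this bullet drops the framing "If you'd like an extra layer of protection", which the relocated copy in the earlier hunk does not carry; that phrase is the only cue telling an administrator when the redaction setting is worth its usability cost, so it is worth keeping in the new location. In the same list, the retained line "professionally managed by a small team of security expert engineers" is an assurance a reader cannot check; consider pairing it with something concrete (who holds production access, how incidents are handled) or a link to wherever that is documented.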
@@ -174,7 +192,7 @@ the Zulip mobile apps (and there's nothing the Zulip team can do to
eliminate this onerous requirement).
The main work is distributing your own copies of the Zulip mobile apps
configured to use APNS/GCM keys that you generate. This is not for
configured to use APNS/FCM keys that you generate. This is not for
the faint of heart! If you haven't done this before, be warned that
one can easily spend hundreds of dollars (on things like a DUNS number
registration) and a week struggling through the hoops Apple requires
@@ -187,7 +205,7 @@ the app stores yourself.
If you've done that work, the Zulip server configuration for sending
push notifications through the new app is quite straightforward:
* Create a
[GCM push notifications](https://developers.google.com/cloud-messaging/android/client)
[FCM push notifications](https://developers.google.com/cloud-messaging/android/client)
key in the Google Developer console and set `android_gcm_api_key` in
`/etc/zulip/zulip-secrets.conf` to that key.
* Register for a
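Review bot: The link text changes from "GCM push notifications" to "FCM push notifications" but the URL stays at https://developers.google.com/cloud-messaging/android/client, i.e. the cloud-messaging (GCM) documentation path, and the next line still tells the reader to set `android_gcm_api_key` in `/etc/zulip/zulip-secrets.conf`. Either point the link at the FCM documentation as well, or keep the link and add a sentence that `android_gcm_api_key` is a legacy setting name that takes the FCM server key; as written, a reader following the steps sees "FCM" in the text and lands on GCM material.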