From b33d80707cad87dd881c12a9ac6efe741f646594 Mon Sep 17 00:00:00 2001 From: Tim Abbott Date: Thu, 19 Oct 2017 18:15:48 -0700 Subject: [PATCH] docs: Document push notification redacting setting. --- docs/prod-mobile-push-notifications.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/docs/prod-mobile-push-notifications.md b/docs/prod-mobile-push-notifications.md index c10a5d4442..2eb91bc716 100644 --- a/docs/prod-mobile-push-notifications.md +++ b/docs/prod-mobile-push-notifications.md @@ -75,8 +75,8 @@ forwarding service). ## Security and privacy implications -We've designed this push notification bouncer service with security in -mind: +We've designed this push notification bouncer service with security +and privacy in mind: * All of the network requests (both from Zulip servers to the Push Notification Service and from the Push Notification Service to the @@ -85,10 +85,17 @@ mind: * The code for the push notification forwarding service is 100% open source and available as part of the [Zulip server project on GitHub](https://github.com/zulip/zulip). - The service's logging is designed to protect the privacy of users of - Zulip servers that are using the forwarding service. + The Push Notification Service is designed to avoid any message + content being stored or logged, even in error cases. * The push notification forwarding servers are professionally managed - by a small team. + by a small team of security experts. +* There's a `PUSH_NOTIFICATION_REDACT_CONTENT` setting available to + disable any message content being sent via the push notification + bouncer (i.e. message content will be replaced with + `***REDACTED***`). Note that this setting makes push notifications + significantly less usable. We plan to + [replace this feature with end-to-end encryption](https://github.com/zulip/zulip/issues/6954) + which would eliminate that usability tradeoff. If you have any questions about the security model, contact support@zulipchat.com.