Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Thanks for your great work creating this protocol. Hope more app developers add support for it, especially for privacy focused apps like Signal which by relying on Google servers are leaking metadata.


Regarding Signal, I don't think they have been approached yet... https://github.com/UnifiedPush/wishlist/issues/8

I think the consensus was that we wanted to wait for UnifiedPush to be more mature before approaching them, but it's probably about time. S1m made an interesting implementation for the (compatible) Signal fork Molly: https://github.com/mollyim/mollyim-android/pull/152

The implementation is quite interesting: it adds a linked device that does not receive encryption keys, but sends push notifications to the client.


If you deliver notifications, you are always leaking metadata around timing.

A police unit parked outside a guy’s house and confirmed it was him in the real time chatroom, by cutting his internet and seeing him drop off.

If you want real anonymity on the Internet, never use push notifications. Always “pick up your mail” periodically from random endpoints on the Web.


In theory, if you were worried about this, I think you could get around that problem by just constantly send fixed sized encrypted messages large enough to hold any potential notifications. When a notification needs to get sent, you add it to the next outgoing encrypted message. Of course, now the delay for notifications is now coupled to the rate of these messages being sent.


The messages can still be traced to the client picking them up. Cut their networking and the client doesn’t receive the messages anymore… this shows up as a bounced message.

You can accumulate encrypted messages at random urls instead


If nobody in the chat room can know that you lost connectivity, that means you can't do real time chat and might as well use email instead.

Note that a similar thing happens with any two-way conversation; if an immediate reply is expected and there's no reply, it's not a conversation anymore. (For more possible reasons, though.)

Disappearances can't have good error messages if you want plausible deniability. This will make any UI much less user-friendly.


I guess I initially misunderstood what you meant by timing, but that makes sense.


This would be an interesting protocol. Almost like spread spectrum or frequency hopping in the radio space.

Have many servers who just accumulate encrypted packets and then only the host knows how to reassemble them in order and decrypt.

Could probably be somewhat realtime if executed correctly.


Simply use free Usenet Servers via Tor and post your anonymous* PGP messages to the Usenet group alt.anonymous.messages.

*You send PGP encrypted messages via Mixmaster Remailers (via Tor) and preferably use a hashed subject (hsub) so that the intended receiver(s) can filter out their messages.

https://lists.gnupg.org/pipermail/gnupg-users/2019-March/061...


> A police unit parked outside a guy’s house and confirmed it was him in the real time chatroom, by cutting his internet and seeing him drop off.

I guess I'm going off of too few details probably, but this doesn't seem like a very sound strategy to me. It's certainly not impossible that the real criminal lost internet around the same time as some suspect's was cut by the police. I know I've shown up as online to other people for up to several minutes after losing internet in real-time situations (e.g. games). I suppose police just need "reasonably likely" to take action though, not definite reasons.


More than that, the criminal could have been a neighbour piggybacking on his WiFi.


The team has been working to get UP support added to Molly, a fork of Signal for Android.

https://molly.im/

https://github.com/mollyim/mollyim-android/pull/152




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: