Hacker News new | past | comments | ask | show | jobs | submit login

I believe my article on Hacks (https://hacks.mozilla.org/2016/01/web-push-arrives-in-firefo...), linked from the marketing article, answers all of those questions at a high level and points to docs with more detail.

In short, there's a single, persistent websocket connection between you and a broker service run by your browser vendor. Each subscription has a unique, anonymous URL on that service that gets provided to the website. To prevent abuse, there are throttles / quotas / limits imposed on push messages that do not show user-visible notifications.

The source to Mozilla's broker, autopush, is at https://github.com/mozilla-services/autopush. We recently rewrote it from Go into Python, which we now run with PyPy in production.




> We recently rewrote it from Go into Python

I am used to porting things the other direction; can I ask why you moved to Python for this service?


Ben Bangert has given a presentation about this that was discussed here: https://news.ycombinator.com/item?id=10402307

The above links to the slides only, here is a video of the talk: https://www.youtube.com/watch?v=_F2peRzJzhU


>> I'm curious of privacy implications.

> a broker service run by your browser vendor

That means that Mozilla, as an example of a browser vendor, knows anything any site which uses that feature wants to notify me, including mails and messages from those sites?


All data brokered by the service must be encrypted to a keypair whose private key is held only by the end user's browser, using the scheme described in the webpush-encryption IETF draft spec at https://tools.ietf.org/html/draft-ietf-webpush-encryption-01


Thanks for all your comments!

I wonder about metadata, though. While Mozilla doesn't know the contents of messages, it's still generally well aware of who (sender IP) is sending messages to whom (receiver IP) - is that correct?

(I suppose this can be somewhat mitigated by running private self-hosted autopush instance and replacing dom.push.serverURL)


Like the sibling comment, I'm also interested in learning about your switch.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: