- From: floatingstone <notifications@github.com>
- Date: Mon, 17 Jul 2017 03:05:38 -0700
- To: w3c/push-api <push-api@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 17 July 2017 10:06:04 UTC
**1. Should all of the subscribe requests' applicationServerKey values be stored in the push service database?**

When we subscribe a user, we pass in an applicationServerKey. This key is passed to the push service. Many forged subscribe requests with different applicationServerKeys can cause the push service to be attacked.

**2. VAPID replay attacks.**

The authentication scheme of VAPID is vulnerable to replay attacks if an attacker can acquire a valid JWT. So besides the "exp" value, what else can we do to reduce this risk?

**3. When the application server wants to push encrypted messages:**

a) Does the push service need to check whether the request body has been replaced or not?
b) Or does it just pass the encrypted messages to the target subscriber?

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/push-api/issues/278