Web Push Security: Revoke Endpoints and VAPID keys


Has anyone investigated the following situation?
If an application server gets compromised and the attackers get the data
associated with web push, what is the suggested approach to revoke all the
subscriptions? The main reason to revoke everything would be to prevent the
attacker from sending notifications to the user as if it was the legitimate
Also, it would be nice if the standard could provide a way to replace the
subscriptions without losing the subscribers.


Received on Thursday, 20 December 2018 10:17:12 UTC
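The rotation the question asks for, as an added example that is not part of the original message or of any W3C specification text: the Push API binds a subscription to the `applicationServerKey` it was created with, so once the application server replaces its VAPID key pair the client has to unsubscribe the old endpoint and subscribe again under the new public key, then hand the new subscription to the server. `uploadSubscription` is a hypothetical callback standing in for whatever request the application uses to store subscriptions; the ServiceWorkerRegistration is passed in so the logic can also be exercised outside a browser.

```javascript
// Added example (not from the original message): client-side rotation of a
// Web Push subscription after the application server has replaced its VAPID
// key pair, e.g. following a server compromise. A subscription cannot change
// its applicationServerKey in place, so the client unsubscribes and
// subscribes again, then sends the new subscription to the server.
// `uploadSubscription` is a hypothetical callback that POSTs it to the app.

// Decode a base64url string (the usual way a VAPID public key is served)
// into bytes. Uses the global atob available in browsers and Node 16+.
function base64UrlToUint8Array(base64Url) {
  const padded = base64Url + '='.repeat((4 - (base64Url.length % 4)) % 4);
  const base64 = padded.replace(/-/g, '+').replace(/_/g, '/');
  const raw = atob(base64);
  const out = new Uint8Array(raw.length);
  for (let i = 0; i < raw.length; i++) out[i] = raw.charCodeAt(i);
  return out;
}

// A VAPID public key is an uncompressed P-256 point: 65 bytes, first byte 0x04.
function assertValidVapidKey(key) {
  if (!(key instanceof Uint8Array) || key.length !== 65 || key[0] !== 0x04) {
    throw new Error('applicationServerKey must be a 65-byte uncompressed P-256 point');
  }
}

// True only if the existing subscription was created with exactly this key.
function subscriptionUsesKey(subscription, key) {
  const current = subscription.options && subscription.options.applicationServerKey;
  if (!current) return false; // no options exposed: treat the subscription as stale
  const bytes = new Uint8Array(current);
  if (bytes.length !== key.length) return false;
  for (let i = 0; i < key.length; i++) if (bytes[i] !== key[i]) return false;
  return true;
}

// Make sure the browser holds a subscription bound to `newKey`, rotating if not.
// `registration` is a ServiceWorkerRegistration (or any object exposing the same
// pushManager interface); `uploadSubscription` delivers the new PushSubscription
// to the application server, which stores it and forgets the old endpoint.
async function rotateSubscription(registration, newKey, uploadSubscription) {
  assertValidVapidKey(newKey);
  const existing = await registration.pushManager.getSubscription();
  if (existing && subscriptionUsesKey(existing, newKey)) {
    return { action: 'kept', subscription: existing };
  }
  if (existing) {
    // Drop the subscription tied to the old key; after this the push service
    // no longer accepts messages for that endpoint, whoever holds the data.
    await existing.unsubscribe();
  }
  const fresh = await registration.pushManager.subscribe({
    userVisibleOnly: true,
    applicationServerKey: newKey,
  });
  await uploadSubscription(fresh);
  return { action: existing ? 'rotated' : 'created', subscription: fresh };
}
```

In a page script this would be called as `rotateSubscription(await navigator.serviceWorker.ready, base64UrlToUint8Array(publicKeyFromServer), sub => fetch('/push/subscribe', { method: 'POST', body: JSON.stringify(sub) }))` on each visit, so every returning subscriber is moved to the new key without any manual action; subscribers who never return stay on endpoints that the server has already stopped using and that the old, revoked key can no longer address once they are unsubscribed. The server side of the same rotation is to generate a fresh key pair, stop signing with the old private key, and drop stored endpoints that have not been re-registered after a grace period.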