[Webpush] bad application servers
Martin Thomson <martin.thomson@gmail.com> Thu, 07 April 2016 19:44 UTC
To: "webpush@ietf.org" <webpush@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/webpush/_HYEOjKjJxMVCNbyQia4GtVCg6s>

Darshak asked about bad application servers in relation to setting urgency too high. This is a DoS attack and can be remedied by removing a subscription.

A user agent also has the option of doing this if it sees that there are many unwanted messages being delivered. This is something that we do in Firefox already. We detect that messages are unwanted by virtue of the fact that the user isn't visiting the site.

An intermediate alternative suggests itself. If we are able to segregate subscriptions into multiple subscription sets, we could put bad application servers into subscription sets that we don't check often (or we only check with high urgency) depending on our current state.
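
The demotion idea in the message above, sketched as an added example that is not part of the original post and is not Firefox's code: a subscription moves between two hypothetical subscription sets according to how many pushes arrived since the user's last visit, and each set is checked on a schedule that depends on device state. The thresholds, set names, device states and intervals are all assumptions.

```python
from dataclasses import dataclass

# Assumed thresholds (not from the post): pushes received with no site visit since.
DEMOTE_AFTER = 20
REVOKE_AFTER = 200

# Assumed check intervals in seconds, per subscription set and device state.
# 0 means check continuously; None means the set is not checked in that state.
POLL_INTERVAL = {
    "trusted": {"charging": 0, "on_battery": 0, "battery_low": 300},
    "suspect": {"charging": 600, "on_battery": 3600, "battery_low": None},
}

@dataclass
class Subscription:
    origin: str
    pushes_since_visit: int = 0
    subscription_set: str = "trusted"
    active: bool = True

    def on_push(self):
        self.pushes_since_visit += 1
        reclassify(self)

    def on_site_visit(self):
        # A visit is the signal that the user still wants this site's messages.
        self.pushes_since_visit = 0
        reclassify(self)

def reclassify(sub):
    """Apply the three outcomes: keep, demote to the rarely checked set, or remove."""
    if not sub.active:
        return                      # a removed subscription stays removed
    if sub.pushes_since_visit >= REVOKE_AFTER:
        sub.active = False          # remove the subscription outright
    elif sub.pushes_since_visit >= DEMOTE_AFTER:
        sub.subscription_set = "suspect"
    else:
        sub.subscription_set = "trusted"

def sets_due(device_state, seconds_since_check):
    """Return the subscription sets the user agent should check now."""
    due = []
    for name, by_state in POLL_INTERVAL.items():
        interval = by_state[device_state]
        if interval is not None and seconds_since_check[name] >= interval:
            due.append(name)
    return due
```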