w3c / push-api

Push API
https://w3c.github.io/push-api/

Security policies WRT Push traffic #270

Closed vandys closed 5 years ago

vandys commented 7 years ago

It might be worth mentioning that this API is unusual in that there's no way to read this spec and implement firewall or IDS policies in support of push traffic. Firebase exists, but does not appear to document any details of their implementation. The editors are clearly aware of the possibility of Apple or Microsoft implementations, each of which will have unique "on the wire" behavior (in the absence of any standard). Thus, this API fans out into a murky and open-ended back end of protocol behavior, which will make it hard to manage, especially from a security perspective.

Please consider at least mentioning this very unusual approach in the security considerations.

martinthomson commented 6 years ago

Actually, it is possible to whitelist push traffic to user agents, because they tend to be consolidated around a small set of services with well-known and publicised remote addresses.

That said, I don't believe this to be a goal here, and this would be a more appropriate comment for RFC 8030.

beverloo commented 5 years ago

Agreed - this specification assumes that the user agent has an established relationship with a push service, the infrastructure for which is defined in RFC 8030.

As you point out, many user agents choose to use a proprietary API between their client and server. I would recommend reaching out to those vendors for more information on their systems.