Parse.com Denial of Service by exceeding burst limit


Problem description

I've used Parse to create an application for iOS using the iOS SDK downloaded from the Parse.com website.

In order to create this kind of application the ApplicationID and ClientID keys are both embedded in the iOS app and sent from the app to the server when the application is used. This essentially puts the ApplicationID and ClientID in plain sight so any user can write a small program which would repeatedly call the various Parse apis of my application.

I have followed all the security advice in the Parse tutorials and all the data has appropriate roles and ACLs.

However, an ordinary user can take down my entire application simply by calling my Parse application's login API more than 30 times per second.

Am I missing something or is this a FATAL flaw in using Parse.com as a backend from an iOS app?

Does anyone have a solution to this problem?

Recommended answer

You can always reduce the chance substantially by applying Security by Obscurity ;-)

You can encrypt your keys and place decryption function right inside your JavaScript. You can further make it harder to find by hiding that function in the middle of a large nasty script that nobody would enjoy, and then minify your JavaScript (which you should be doing anyway). I am sure it is possible to get even "more creative" and reach some reasonable perfection :-)

It remains, however, possible in principle for a sufficiently motivated hacker to reverse-engineer your program and get the keys. Still, you can make it hard enough that the hacker will likely look for easier targets, of which there are plenty, as we know ;-)

See also here for more ideas.
