应该APNS令牌进行加密? [英] Should APNS Tokens be encrypted?
问题描述
所以,我在想,既然用户发送他们的APNS令牌到APNS提供商,以接收推送通知,应令牌进行加密? SSL是必要的?
So, I was wondering, since users send their APNS tokens to the APNS provider in order to receive push notifications, should the tokens be encrypted? Is SSL necessary?
从我的数字是,有令牌没有真正的敏感数据。如果有人居然成功地嗅出从用户令牌,他仍然必须获得我推证书。如果他成功地做到这一点(他不会;-))他所能做的就是发送垃圾邮件通知该特定用户。那是对的吗?还是我错过了什么?
From what I figure is that there is no real sensitive data in the token. If someone actually managed to sniff the token from a user, he still would have to obtain my push certificate. And if he managed to do that (he won't ;-)) all he could do is send spam notifications to this particular user. Is that correct? Or did I miss something?
另外,我认为它基于一个APNS令牌是不可能识别设备(或更重要的是,它的用户)?
Also, I assume that it's not possible to identify a device (or more importantly, its user) based on an APNS token?
所以,我要确保,如果有人从我的一个客户(注册包含APNS令牌和用户感兴趣的信息嗅探推送通知登记,且连接unencryped所以一切都是纯可读文本)...
So, I want to assure that, if someone sniffs a push notification registration from one of my clients (the registration contains the APNS token and the information the user is interested in, and the connection is unencryped so everything is readable in plain text) ...
- 他仍然有获得我推的证书,以便能够打扰我的客户以任何方式
- 他知道的有人的有兴趣在这个信息,但无法确定我的客户是谁
- he still has to obtain my push certificate to be able to bother my client in any way
- he knows that someone is interested in this information, but has no way to identify who my client is
我可以放心了?
在此先感谢!
Can I rest assured? Thanks in advance!
推荐答案
SSL是几乎从来没有一个坏主意。缺少SSL意味着你的用户将容易受到像DNS中毒种种污秽,中间人,或嗅。
SSL is almost never a BAD idea. Lack of SSL means your users will be susceptible to all sorts of nastiness like DNS poisoning, man in the middle, or sniffing.
也许你担心的SSL证书的成本,或者你的服务器上的开销?我不知道 - 但我想说的是 - 也许值得考虑,如果你要支付给提供一些服务或正在收集个人身份信息
Maybe you're worried about the cost of an SSL cert, or the overhead on your servers? I don't know - but I'm just sayin' - probably worth considering if you're getting paid to provide some service or are collecting personally identifiable information.
否则,你在后点分别为pretty多的权利上。事实上,有人需要你推证书发送这些消息给这些用户。
Otherwise your points in the post were pretty much right on. The fact is someone would need your push certificate to send out those messages to those users.
另外,我认为它是不可能识别设备(或更多
重要的是,它的用户)基于一个APNS令牌?
Also, I assume that it's not possible to identify a device (or more importantly, its user) based on an APNS token?
到iOS 5之前,该ID是跨所有应用程序一致的 - 这样的汇总统计公司能够使用该ID有所识别特定的用户...至少要知道这是同一个人。但是,这改变了最近,它现在是一个随机的每个应用程序ID。
Prior to iOS 5, that ID was consistent across all apps - so aggregate stats companies were able to use the ID to identify a specific user somewhat... at least to know "this is the same person". But that changed recently, and it's now a random per-app ID.
这篇关于应该APNS令牌进行加密?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
