How does Google Analytics prevent traffic spoofing?

Time: 2022-05-26 15:15:14

We want to embed an ajax-style service into a number of our websites, each with a unique API key. The problem that I can see is that because the API key is stored in the JavaScript file, the user could potentially take the key, spoof the HTTP referrer, and make millions of requests to the API under that API key.

So I am wondering how Google prevents Analytics spoofing, as this uses almost the same idea.

I'm also open to other ideas; essentially, here is the process.

SiteA -> User <-> Ajax <-> SiteB

EDIT: is there any way to protect the API from being abused while having it called via ajax?

2 solutions

#1


11  

I don't believe there are any such protection measures in place. Spoofing of traffic is a serious problem for other Google services, such as Adwords. For instance, a malicious individual who is bidding on Adwords can generate many fake clicks on their competitor's ads to drive up their advertising costs and thus Google's stock price. The inverse is also true: people will generate fake clicks on their site to get extra money from a pay-per-click ad on their site.

At the end of the day, a hacker can amass a list of 10,000+ anonymous proxy servers without too much difficulty, and there isn't much you can do about it. A hacker could also use a botnet, some of which are millions in size. Traffic generated from a botnet can appear to come from legitimate machines with a legitimate Google cookie, because they were hijacked.

Many proxies and botnetted machines are enumerated by Realtime Blacklists (RBLs), such as the one run by http://www.spamhaus.org, and many legitimate IP addresses are also on that list. There are also proxies that can't be used for spam but could be used for click fraud, and thus they won't be on that list.

#2


0  

At a guess, I'd say the key is one half of a public-private key pair that (somehow) includes the URL as a hash. This way, the key will only work, and the hits will only be registered, if the request is for the URL for which the key was generated. You can't spoof the request, because if you do it goes to the wrong URL and nothing happens.
