balanced / balanced-api

Balanced API specification.

Change api key to shared secret #561

Open matthewfl opened 10 years ago

matthewfl commented 10 years ago

In light of recent ssl bugs, there are lots of questions about what has been compromised.

Currently balanced uses basic auth for its secret api keys. This means that if someone was able to man in the middle or decrypt a request and get the api key, they will have unlimited access. (so make sure you change them often)

I am proposing instead of basic auth, the api support using the api key like a shared secret, which means that the requests (and maybe responses) can be signed using this shared secret. Additionally, since the key is never sent directly over the network, this means that if someone was to man in the middle your requests, they would only be able to see the content that is currently passing between the two endpoints, and would not get unlimited access to the api.
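
As an added illustration of the proposal above (example code, not Balanced's own scheme or code base): the client computes an HMAC over the method, path, body hash and a timestamp with the API key as the shared secret, and the server recomputes it in constant time and rejects stale timestamps, so an observer of one request sees only that request and cannot reuse the secret. The header names, key id and secret are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed credentials for the example; the key id is sent in the clear,
# the secret never leaves either end.
API_KEY_ID = "ak-test-EXAMPLE"
API_SECRET = b"constructed-shared-secret-do-not-use"
SECRETS = {API_KEY_ID: API_SECRET}  # server-side lookup table (constructed)


def canonical_string(method, path, body, timestamp):
    """Bind method, path, body digest and timestamp into one signed message."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp)])


def sign_request(method, path, body, timestamp, secret=API_SECRET):
    """HMAC-SHA256 over the canonical string; only the tag goes on the wire."""
    msg = canonical_string(method, path, body, timestamp).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_headers(method, path, body, timestamp=None):
    """Client side: attach key id, timestamp and signature (header names are assumed)."""
    ts = int(time.time()) if timestamp is None else timestamp
    return {
        "X-Api-Key-Id": API_KEY_ID,
        "X-Timestamp": str(ts),
        "X-Signature": sign_request(method, path, body, ts),
    }


def verify_request(method, path, body, headers, now=None, max_skew=300):
    """Server side: recompute the tag, compare in constant time, bound replay."""
    secret = SECRETS.get(headers.get("X-Api-Key-Id", ""))
    if secret is None:
        return False
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_skew:  # stale or future-dated request
        return False
    expected = sign_request(method, path, body, ts, secret)
    # compare_digest avoids leaking the tag through timing differences
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))
```

Any change to the method, path, body or timestamp invalidates the tag, which is what makes a captured request useless for forging others.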

mjallday commented 10 years ago

Great idea, it will make curl request examples much more complicated.

Would it make sense to offer the ability to offer both and recommend using the signing method as well as implement that by default in the client libraries?

matthewfl commented 10 years ago

I think that we should support both methods to keep curl and old clients working, but adding this to new api clients is just adding functionality.

steveklabnik commented 10 years ago

I am not in favor of making things significantly more complex without good reason.

This may or may not be a good reason, just stating my conservatism here. :wink:

matthewfl commented 10 years ago

I guess if we keep using basic auth, we are assuming that ssl will never be broken again. I agree that this will complicate any client that implements it. But this addresses some issues about security of the network, and if we sign our responses, then it can even address certificate pinning in some ways.

mjallday commented 10 years ago

While we're talking about signing let's not forget the requests to sign webhook payloads. These two issues could piggy back on each other.

matthewfl commented 10 years ago

ya, signing the webhook is a similar issue, however if a marketplace has more than one api key, which do you sign with?

mjallday commented 10 years ago

Share a secret that's independent of the API key? <can-o'-worms.jpg>.

matthewfl commented 10 years ago

imo with the webhook issue, I have thought that it would likely be better if people just used the api to perform a GET request of the item to confirm that it came from balanced. That is easier than signing and checking the signature of the request.

I guess that can be seen as more of a workaround than a solution to some

steveklabnik commented 10 years ago

> I guess if we keep using basic auth, we are assuming that ssl will never be broken again.

You are always trusting that something will never be broken. (and it's TLS, not SSL)