
REST authentication and exposing the API key

 
Raghvendra Pratap Singh
Greenhorn
Posts: 22
I've been reading up on REST and there are a lot of questions on SO about it, as well as on a lot of other sites and blogs. Though I've never seen this specific question asked... for some reason, I can't wrap my mind around this concept...

If I'm building a RESTful API, and I want to secure it, one of the methods I've seen is to use a security token. When I've used other APIs, there's been a token and a shared secret... makes sense. What I don't understand is: requests to a REST service operation are being made through JavaScript (XHR/Ajax), so what is to prevent someone from sniffing that out with something simple like FireBug (or "view source" in the browser), copying the API key, and then impersonating that person using the key and secret?
 
Pat Farrell
Rancher
Posts: 4678
That is what SSL (aka TLS, aka HTTPS) is for. It is designed to prevent "man in the middle" (MITM) attacks, where someone can snoop and see your passwords, API keys, etc.

However, it's recently been made public that a fair number of smartphone browsers have deliberate MITM even when you use SSL. This is a disaster, because it breaks the architectural assumptions made when SSL was designed. Worse, it's teaching consumers that it is OK to have some unknown company have the ability to snoop all of your data. Not only your passwords, but your bank and credit card account numbers, etc.

I'm always boggled by the deliberate and willful uses where vendors break what the consumers think is security.
 