from Hacker News

Simple Ways to Protect an API

by nwjsmith on 6/25/14, 3:20 PM with 10 comments

  • by lsh123 on 6/25/14, 8:41 PM

    It is not 100% clear but it looks like the authentication credentials in the blog post are static and are shared between clients (from the code comment: “In real applications, we will not have the authentication credentials lying around in code. We will store them in external configuration.”).

    This is REALLY bad idea to have static and shared credentials. Especially in the case of mobile client when the client code itself is in a "hostile" environment. A "bad" guy can inspect the code and extract the authentication credentials. As soon as it happens, you need to update all other clients to push the new shared secret.

    While OAuth protocol has a number of problems, it gets this right: all the tokens are specific to the client and the compromise of one token would not compromise others. The application can react by marking the compromised token as invalid on the server side without requiring expensive clients update.

  • by vijayaggarwal on 6/25/14, 3:56 PM

    According to RFC 2617[1], Both Digest and Basic Authentication are very much on the weak end of the security strength spectrum.

    [1]: http://tools.ietf.org/html/rfc2617#section-4.4

  • by mobiuscog on 6/25/14, 4:01 PM

    Why is the API accessible from the public internet if it's not a public API ?