[Project_owners] Protecting a Shared Secret
brian at mozdev.org
Thu May 25 12:19:32 EDT 2006
I have an extension that implements a public API which needs to have an
API key and a shared secret. Each user must give the extension
permission to access their data on this public service.
will be in clear view in the deployed code. This means that,
potentially, anyone can write their own application with our shared
secret and pretend to be us, accessing user data with the same
permissions that the user gave us.
The options are:
1. Leave secret key in the code. This is the easiest solution, but
clearly undesirable, for the reason above.
2. Ask each user to register their own key and specify that for their
local copy. This is not an ideal solution because it presents such a
big hurdle to non-technical or casual users.
3. Proxy. Shared secret is stored on a server somewhere. The extension
sends all API requests through that server, which then signs the
requests with the keys. This requires some service on some server to be
always available. If the extension became popular, this might not scale,
plus it adds an extra request level and delay for each operation.
4. XPCOM. We could 'hide' our secret key in a small, compiled XPCOM
component, and keep the source secret. This would disguise our shared
secret to casual snoopers. Although it may be possible to reverse
engineer this component.
Anyone else run into a similar issue and find a decent solution?
www.mozdev.org - free project hosting for the Mozilla community
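
A sketch of the signing step in option 3, added here as an example and not part of the original post: the proxy holds the secret, signs only an allow-list of calls, and rejects client-supplied key or signature fields so it cannot be used to sign arbitrary requests. The post does not name the service's signature scheme, so HMAC-SHA256 over sorted parameters is an assumption, and the method names, parameter names and key values are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed placeholder values; in deployment these live only on the proxy host.
API_KEY = "example-api-key"
SHARED_SECRET = b"example-shared-secret"

# Hypothetical method names: the proxy signs only the calls the extension needs.
ALLOWED_METHODS = {"photos.list", "photos.getInfo"}
RESERVED = {"api_key", "api_sig"}


class RejectedRequest(Exception):
    """Raised when the proxy refuses to sign a request."""


def canonical(params):
    """Serialize parameters in sorted order so both sides sign identical bytes."""
    return urlencode(sorted(params.items())).encode("utf-8")


def sign_request(params):
    """Return a copy of params with api_key and api_sig added by the proxy."""
    if params.get("method") not in ALLOWED_METHODS:
        raise RejectedRequest("method not allowed")
    if RESERVED.intersection(params):
        raise RejectedRequest("client may not supply api_key or api_sig")
    signed = dict(params, api_key=API_KEY)
    digest = hmac.new(SHARED_SECRET, canonical(signed), hashlib.sha256)
    signed["api_sig"] = digest.hexdigest()
    return signed


def service_verifies(signed, secret=SHARED_SECRET):
    """What the API service would do: recompute the signature and compare."""
    body = {k: v for k, v in signed.items() if k != "api_sig"}
    expected = hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("api_sig", ""))


if __name__ == "__main__":
    # Constructed request as the extension would send it: no key, no signature.
    request = {"method": "photos.list", "auth_token": "user-token-123", "page": "2"}
    print(sign_request(request))
```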