[Project_owners] Protecting a Shared Secret

Brian King brian at mozdev.org
Thu May 25 12:19:32 EDT 2006

I have an extension that implements a public API which needs to have an 
API key and a shared secret. Each user must give the extension 
permission to access their data on this public service.

The problem is that, as a JavaScript application, our shared secret
will be in clear view in the deployed code. This means that, 
potentially, anyone can write their own application with our shared 
secret and pretend to be us, accessing user data with the same 
permissions that the user gave us.

The options are:

1. Leave secret key in the code. This is the easiest solution, but
clearly undesirable, for the reason above.
2. Ask each user to register their own key and specify that for their
local copy. This is not an ideal solution because it presents such a
big hurdle to non-technical or casual users.
3. Proxy. Shared secret is stored on a server somewhere. The extension 
sends all API requests through that server, which then signs the 
requests with the keys. This requires some service on some server to be 
always available. If the extension became popular, this might not scale, 
plus it adds an extra request level and delay for each operation.
4. XPCOM. We could 'hide' our secret key in a small, compiled XPCOM
component, and keep the source secret. This would disguise our shared
secret from casual snoopers, although it may be possible to 
reverse-engineer this component.

Anyone else run into a similar issue and find a decent solution?

Brian King
www.mozdev.org - free project hosting for the Mozilla community
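
Option 3 from the post above, sketched as an added example for Node.js; it is not code from the original message or from the extension it describes. The HMAC-SHA256 scheme, the parameter names (api_key, api_sig, auth_token), the method names and the secret are assumptions made for illustration, since the post does not name the service or its signing rules.

```javascript
// Added example: server-side core of a signing proxy. The secret never ships in the extension.
const nodeCrypto = require('node:crypto');

// Assumption: the secret is provisioned in the proxy's environment.
// The fallback is a constructed demo value so the example runs offline.
const SHARED_SECRET = process.env.API_SHARED_SECRET || 'constructed-demo-secret';
const API_KEY = 'constructed-demo-api-key';

// Only the API methods the extension needs are ever signed (hypothetical names).
const ALLOWED_METHODS = new Set(['items.list', 'items.get']);

// Canonical form: keys sorted, each pair URL-encoded, so both sides sign identical bytes.
function canonicalize(params) {
  return Object.keys(params).sort()
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(String(params[k]))}`)
    .join('&');
}

// Hypothetical scheme: HMAC-SHA256 over the canonical string. The real service defines its own.
function sign(params, secret) {
  return nodeCrypto.createHmac('sha256', secret).update(canonicalize(params)).digest('hex');
}

// Handles one request from the extension: validate it, add the key, sign it.
function signForExtension(request) {
  if (!ALLOWED_METHODS.has(request.method)) {
    return { ok: false, status: 403, error: 'method not allowed' };
  }
  if (typeof request.userToken !== 'string' || request.userToken.length === 0) {
    return { ok: false, status: 401, error: 'missing user token' };
  }
  // Any api_key or api_sig supplied by the client is dropped rather than trusted.
  const { api_key, api_sig, ...clean } = request.params || {};
  const params = {
    ...clean,
    method: request.method,
    auth_token: request.userToken,
    api_key: API_KEY,
  };
  return { ok: true, status: 200, params: { ...params, api_sig: sign(params, SHARED_SECRET) } };
}
```

A proxy that signs whatever it is sent is itself a way to act under the extension's identity, which is why this sketch refuses methods outside the allow-list and requests without a per-user token. Rate limiting and logging per token belong in the HTTP layer around it.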
