[Project_owners] Protecting a Shared Secret

Axel Hecht axel at pike.org
Fri May 26 10:59:36 EDT 2006

Brian King wrote:
> I have an extension that implements a public API which needs to have an 
> API key and a shared secret. Each user must give the extension 
> permission to access their data on this public service.
> The problem is that, as a javascript application, our shared secret
> will be in clear view in the deployed code. This means that, 
> potentially, anyone can write their own application with our shared 
> secret and pretend to be us, accessing user data with the same 
> permissions that the user gave us.
> The options are:
> 1. Leave secret key in the code. This is easiest solution, but
> clearly undesirable, for the reason above.
> 2. Ask each user to register their own key and specify that for their
> local copy. This is not a ideal solution because it presents such a
> big hurdle to non-technical or casual users.
> 3. Proxy. Shared secret is stored on a server somewhere. The extension 
> sends all API requests through that server, which then signs the 
> requests with the keys. This requires some service on some server to be 
> always available. If the extension became popular, this might not scale 
> plus it adds an extra request level and delay for each operation.
> 4. XPCOM. We could 'hide' our secret key in a small, compiled XPCOM
> component, and keep the source secret. This would disguise our shared
> secret to casual snoopers. Although it may be possible to reverse 
> engineer this component.
> Anyone else run into a similar issue and find a decent solution?

Whatever you do, any protocol can only be implemented by software, the 
the server can only verify that the software on the other side 
implements that protocol, not which software does.

You can use obfuscation to several degrees, but as soon as you send your 
secret to the client, if that's at install or even on runtime, it's not 
your secret anymore.

Having each user have their own secret is the one way to keep your 
secret secret, or proxy, that is, do all the queries yourself and keep 
your secret that way.

It probably depends on the API you're calling into which is the right 
thing to do.

Note, if you proxy, you may end up sharing your secret too, as a 3rd 
party could reverse engineer your proxy protocol and just use that ;-).

Thinking about it, you probably need a secret per user to keep it secret.


More information about the Project_owners mailing list