a suggestion


livibetter

Feb 20, 2008, 10:18:42 AM2/20/08
to Twitxr API developers
Hi,

First, I am not an expert in security, but I am thinking about these things:

About the authentication of the API, I think it's not secure enough.
Because HTTP 1.1 Basic Auth has no encryption, if it just sends md5(pass)
and the user uses a lazy password, or a short password, then the password
will be found soon.

I suggest it to be

http://user:md5(pass+email)@twitxr.com/api/rest/method?param1=value&param2=value

That will be longer, and prevent the lazy password problem.

The second thing is that the website doesn't support HTTP over SSL during
the login process. Although it uses an md5 hash before sending the login
information, it's still not secure. The reason is the same as mentioned
above.

livibetter

Feb 20, 2008, 10:34:20 AM2/20/08
to Twitxr API developers
I think I made a big mistake.

If someone can intercept what is being sent to Twitxr:
http://user:md5(pass+email)@twitxr.com/api/rest/method?param1=value&p...

This won't help. Someone can use http://user:md5(pass+email)@twitxr.com/
with their own method and parameters.

It should be something like

http://user:md5(pass+email+/api/rest/method?param1=value&p...)@twitxr.com/api/rest/method?param1=value&p...

However, this is still not safe; they can keep sending that. Digest
authentication may help.

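The two weaknesses discussed in the posts above, worked through as an added example in Python. This is not code from Twitxr or from the poster; the user name, password, e-mail address, attacker wordlist and request paths are constructed. It shows that md5(pass) sent over plain HTTP falls to an offline dictionary lookup, and that binding the hash to the request (md5(pass+email+request)) stops a captured credential from being reused for a different method but still lets the identical request be replayed.

```python
import hashlib
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data, not from the thread: one user with a "lazy" password.
USER = "alice"
PASSWORD = "pass12"
EMAIL = "alice@example.com"
HOST = "twitxr.com"

# A constructed attacker wordlist; a real one would be far larger.
WORDLIST = ["123456", "password", "qwerty", "letmein", "pass12", "twitter"]


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def build_url(user: str, credential: str, path_and_query: str) -> str:
    """Build the user:credential@host URL form the thread discusses."""
    return f"http://{user}:{credential}@{HOST}{path_and_query}"


def capture(url: str):
    """What a passive eavesdropper on plain HTTP gets from one request:
    the user name, the credential, and the exact method plus parameters."""
    parts = urlsplit(url)
    path_and_query = urlunsplit(("", "", parts.path, parts.query, ""))
    return parts.username, parts.password, path_and_query


# Scheme 1 (the API as described): Basic Auth with md5(pass) as the password.
def scheme1_credential(password: str) -> str:
    return md5hex(password)


def crack_unsalted_md5(digest: str, wordlist) -> Optional[str]:
    """Offline dictionary attack: an unsalted md5(pass) is a plain lookup."""
    for candidate in wordlist:
        if md5hex(candidate) == digest:
            return candidate
    return None


# Scheme 2 (the corrected suggestion): md5(pass + email + request).
def scheme2_credential(password: str, email: str, path_and_query: str) -> str:
    return md5hex(password + email + path_and_query)


class Scheme2Server:
    """Server side of scheme 2: it knows the password and e-mail and recomputes
    the hash over the request it actually received."""

    def __init__(self):
        self.users = {USER: (PASSWORD, EMAIL)}

    def verify(self, user: str, credential: str, path_and_query: str) -> bool:
        password, email = self.users[user]
        return credential == scheme2_credential(password, email, path_and_query)


def demo():
    request = "/api/rest/update?status=hi"

    # Scheme 1: the captured credential is cracked offline.
    _, cred1, _ = capture(build_url(USER, scheme1_credential(PASSWORD), request))
    cracked = crack_unsalted_md5(cred1, WORDLIST)

    # Scheme 2: the credential is bound to the request, so it cannot be reused
    # for another method, but the identical request replays indefinitely.
    server = Scheme2Server()
    user, cred2, path = capture(
        build_url(USER, scheme2_credential(PASSWORD, EMAIL, request), request))
    reuse_other_method = server.verify(user, cred2, "/api/rest/delete?id=1")
    replay_same_request = server.verify(user, cred2, path)
    return cracked, reuse_other_method, replay_same_request


if __name__ == "__main__":
    print(demo())  # ('pass12', False, True)
```

The replay result is the gap the second post ends on: without a nonce or timestamp inside the hashed string, the server has no way to tell the original request from a copy of it.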

Albert (twitxr.com founder)

Feb 22, 2008, 4:14:06 AM2/22/08
to Twitxr API developers
We see your point and agree that our current API auth scheme is quite
weak; several webapps are using something similar.

We are studying the possibility of switching to an 'auth tokens' based
scheme that wouldn't require anyone to send his password on any API
call (Flickr and Facebook, among many others, are using that).

Albert


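A token-based API auth scheme of the kind Albert mentions, as an added example in Python. It is not Twitxr's code and not the actual Flickr or Facebook protocol; the design is an assumption: a one-time login (assumed to happen over TLS) issues a token id and secret, and every API call is then signed with HMAC-SHA256 over the method, path, sorted parameters, a timestamp and a random nonce. The password never travels on an API call, and the server rejects the two things the earlier posts could not: an exact replay and a tampered request.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple
from urllib.parse import urlencode

WINDOW_SECONDS = 300  # how far a request timestamp may drift from server time


def canonical_request(method: str, path: str, params: Dict[str, str],
                      timestamp: int, nonce: str) -> str:
    """Deterministic string covering everything the signature must bind."""
    return "\n".join([method.upper(), path, urlencode(sorted(params.items())),
                      str(timestamp), nonce])


def sign(token_secret: str, canonical: str) -> str:
    return hmac.new(token_secret.encode(), canonical.encode(),
                    hashlib.sha256).hexdigest()


class TokenServer:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.tokens: Dict[str, Tuple[str, str]] = {}          # token_id -> (user, secret)
        self.seen_nonces: Dict[Tuple[str, str], float] = {}   # (token_id, nonce) -> expiry

    def issue_token(self, user: str) -> Tuple[str, str]:
        """Called once after a password login (assumed to be over TLS).
        The secret goes to the client and is never sent on the wire again."""
        token_id, secret = secrets.token_hex(8), secrets.token_hex(32)
        self.tokens[token_id] = (user, secret)
        return token_id, secret

    def verify(self, token_id: str, method: str, path: str, params: Dict[str, str],
               timestamp: int, nonce: str, signature: str) -> bool:
        entry = self.tokens.get(token_id)
        if entry is None:
            return False
        now = self.clock()
        if abs(now - timestamp) > WINDOW_SECONDS:
            return False  # stale or future-dated: outside the replay window
        # Forget nonces whose window has passed; the timestamp check covers them now.
        self.seen_nonces = {k: exp for k, exp in self.seen_nonces.items() if exp > now}
        if (token_id, nonce) in self.seen_nonces:
            return False  # exact replay of an accepted request
        expected = sign(entry[1], canonical_request(method, path, params, timestamp, nonce))
        if not hmac.compare_digest(expected, signature):
            return False  # method, path or params changed, or wrong secret
        self.seen_nonces[(token_id, nonce)] = now + WINDOW_SECONDS
        return True


class TokenClient:
    def __init__(self, token_id: str, secret: str, clock: Callable[[], float] = time.time):
        self.token_id, self.secret, self.clock = token_id, secret, clock

    def request(self, method: str, path: str, params: Dict[str, str]):
        timestamp, nonce = int(self.clock()), secrets.token_hex(8)
        signature = sign(self.secret, canonical_request(method, path, params, timestamp, nonce))
        return (self.token_id, method, path, params, timestamp, nonce, signature)


class FakeClock:
    """Constructed clock so the demo is deterministic."""
    def __init__(self, t: float):
        self.t = t

    def __call__(self) -> float:
        return self.t


def demo():
    clock = FakeClock(1_700_000_000)
    server = TokenServer(clock)
    token_id, secret = server.issue_token("alice")
    client = TokenClient(token_id, secret, clock)

    req = client.request("POST", "/api/rest/update", {"status": "hello"})
    first = server.verify(*req)      # fresh, correctly signed
    replay = server.verify(*req)     # same nonce again

    req2 = client.request("POST", "/api/rest/update", {"status": "hello"})
    tid, method, _, params, ts, nonce, sig = req2
    tampered = server.verify(tid, method, "/api/rest/delete", params, ts, nonce, sig)

    clock.t += WINDOW_SECONDS + 1
    stale = server.verify(*req2)     # untouched but too old
    return first, replay, tampered, stale


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The nonce table only needs to remember nonces for one window, because anything older is already rejected by the timestamp check; that is what keeps the replay defence bounded in memory. A token can also be revoked by deleting it from `tokens`, which a password-in-every-call scheme cannot offer without changing the password.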