Securing an API: SSL & HTTP Basic Authentication vs Signature


Question


When designing an API for our web app, we'll use their subdomain as the 'username' and generate an API key/shared secret. Firstly, is it ok to use the subdomain as the username? I don't see the benefit of generating another key.


Different APIs seem to do one of two things:



  1. Use HTTP Basic Authentication with SSL


In every request the username is set to the subdomain and the password to the API key. Since we're using SSL then this should be safe from spoofing.


Notable APIs: Google Checkout, Freshbooks, GitHub, Zendesk


  2. Create a Signature of the Request with the Shared Secret


Normally achieved by ordering the key/value pairs and using HMAC-SHA1 with the shared secret to generate the signature. The signature is then sent with the request and verified at the other end.

Notable APIs: Google Checkout, Amazon AWS (http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?RESTAuthentication.html)

PS: that's no mistake, Google Checkout supports both.

Edit: Just read that OAuth 2 is dropping signatures in favour of sending a username/password via SSL.


Any opinions from anyone on what to pick: SSL vs Signature?
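The signing scheme the question describes (ordered key/value pairs, HMAC-SHA1 with the shared secret, signature verified on the server) as an added Python example; this is not code from the original post, and the subdomain, secret and endpoint values are constructed placeholders:

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample credentials (hypothetical, not real values): the tenant
# subdomain serves as the key id, the API key is the shared HMAC secret.
SUBDOMAIN = "acme"
SHARED_SECRET = b"example-shared-secret-not-a-real-key"


def canonical_string(method: str, path: str, params: dict) -> str:
    """Sort the key/value pairs so client and server sign identical bytes
    regardless of the order the parameters were supplied in."""
    ordered = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), path, ordered])


def sign_request(secret: bytes, method: str, path: str, params: dict) -> str:
    """Client side: HMAC-SHA1 over the canonical string, hex encoded."""
    msg = canonical_string(method, path, params).encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()


def verify_request(secret: bytes, method: str, path: str,
                   params: dict, signature: str) -> bool:
    """Server side: recompute the signature from the received request and
    compare in constant time so a wrong guess does not leak timing."""
    expected = sign_request(secret, method, path, params)
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    # The subdomain travels in the clear as the key id so the server knows
    # which secret to look up; the secret itself never leaves the client.
    params = {"account": SUBDOMAIN, "invoice": "1042", "status": "paid"}
    sig = sign_request(SHARED_SECRET, "POST", "/v1/invoices", params)
    print("signature:", sig)
    print("valid:", verify_request(SHARED_SECRET, "POST", "/v1/invoices", params, sig))
    # Any change to the signed fields invalidates the signature.
    tampered = dict(params, status="void")
    print("tampered valid:", verify_request(SHARED_SECRET, "POST", "/v1/invoices", tampered, sig))
```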

Answer


HTTP Basic Authentication over SSL is perfectly secure from my research.


After all, using SSL (strictly TLS now) means the transport layer is encrypted and we can safely assume any information passed over this is secure and has not been tampered with.


Therefore passing the username and password without generating a signature is sufficient.
