[Chicago] Secret stuff: additional detail

Robare, Phillip (TEKSystems) proba at allstate.com
Mon May 16 12:48:44 EDT 2016


Like Adam I am not sure of the constraints you are working under or exactly what you are trying to do.  So this is a guess at restating it.

You have a website running on a server whose security is questionable.

The user in their browser initiates an action that you wish to have ACID properties (Atomic, Consistent, Isolated, Durable) as well as CAINE properties (Confidentiality, Integrity, Authenticated, Non-Repudiation, Encrypted).  Throw enough bull stuff acronyms around and your client may be impressed enough to allow you to do things the right way.

You might try OWASP.org and the articles there.  If nothing else you may be able to collect enough examples of hacks to scare your client into acknowledging that the Internet really can be a scary place.  Another resource is RFC1825, which discusses key management and the other architectural pieces involved in creating secure services over IP.

You also might think of architectures like what Adam referred to where the webserver passes the actual secure work off to another server with better security.  Typically the second server will only accept connections from the web server(s) it knows - which limits the attack surface exposed on your WordPress site.

Good luck with your attempt to educate your client.

Phil Robare
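An added example (not code from this thread, from Phil, from Adam, or from WordPress) of the split Phil describes above: the WordPress front end holds no upstream secret, and a separate backend that does hold it accepts requests only from front ends it knows, then hands out a one-time, single-action grant of the kind Adam mentions in the quoted reply below. The network hop is simulated in one process; the secrets, front-end IDs, customer IDs and actions are constructed for the example, and a shared HMAC key stands in for whatever source-pinning (firewall rule, mTLS) a real deployment would add.

```python
"""Front end / backend split with one-time, limited-scope grants.

Added example, not from the mailing-list thread.  All keys and names below are
constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets
import time

# Assumed/constructed: the backend's real upstream credential, and the per-front-end
# keys it was provisioned with out of band.  Only the backend ever sees UPSTREAM_API_SECRET.
UPSTREAM_API_SECRET = b"constructed-upstream-secret"
FRONTEND_KEYS = {"wp-web-01": b"constructed-frontend-key-01"}


def _sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def _canonical(body: dict) -> bytes:
    # Both sides must sign the same byte string, so fix the JSON layout.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class Backend:
    """The better-secured second server.  Knows the front ends; never exposes the secret."""

    GRANT_TTL = 300  # seconds a grant stays redeemable

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self._grants = {}         # nonce -> (frontend_id, customer, action, expiry)

    def _frontend_ok(self, frontend_id: str, body: dict, sig: str) -> bool:
        key = FRONTEND_KEYS.get(frontend_id)
        if key is None:           # "only accept connections from web servers it knows"
            return False
        return hmac.compare_digest(_sign(key, _canonical(body)), sig)

    def issue_grant(self, frontend_id: str, body: dict, sig: str) -> str:
        """Known front end asks for a grant scoped to one customer and one action."""
        if not self._frontend_ok(frontend_id, body, sig):
            raise PermissionError("unknown or unauthenticated front end")
        nonce = secrets.token_urlsafe(16)
        self._grants[nonce] = (frontend_id, body["customer"], body["action"],
                               self.now() + self.GRANT_TTL)
        return nonce

    def redeem(self, nonce: str, customer: str, action: str) -> dict:
        """The grant comes back (via the browser and front end); backend does the privileged work."""
        entry = self._grants.pop(nonce, None)   # pop: a grant is usable exactly once
        if entry is None:
            return {"ok": False, "reason": "unknown or already used grant"}
        _, g_customer, g_action, expiry = entry
        if self.now() > expiry:
            return {"ok": False, "reason": "expired"}
        if (g_customer, g_action) != (customer, action):
            return {"ok": False, "reason": "grant not valid for this action"}
        # The only place the upstream secret is used; stands in for the real API call.
        receipt = _sign(UPSTREAM_API_SECRET, f"{customer}:{action}:{nonce}".encode())
        return {"ok": True, "receipt": receipt}


class FrontEnd:
    """The WordPress side: holds its own front-end key, never the upstream secret."""

    def __init__(self, frontend_id: str, key: bytes, backend: Backend):
        self.id, self.key, self.backend = frontend_id, key, backend

    def request_grant(self, customer: str, action: str) -> str:
        body = {"customer": customer, "action": action, "ts": int(self.backend.now())}
        sig = _sign(self.key, _canonical(body))
        return self.backend.issue_grant(self.id, body, sig)


if __name__ == "__main__":
    backend = Backend()
    wp = FrontEnd("wp-web-01", FRONTEND_KEYS["wp-web-01"], backend)
    grant = wp.request_grant("cust-42", "cancel-order:1001")
    print(backend.redeem(grant, "cust-42", "cancel-order:1001"))   # ok
    print(backend.redeem(grant, "cust-42", "cancel-order:1001"))   # replay rejected
```

The browser only ever carries the opaque nonce, which is good for one customer, one action, one use, and a few minutes; a leaked grant or a tampered action string buys an attacker nothing, and a request from a host that is not in FRONTEND_KEYS never reaches the privileged code path at all.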

From: Chicago [mailto:chicago-bounces+proba=allstate.com at python.org] On Behalf Of Adam Forsyth
Sent: Saturday, May 14, 2016 4:55 PM
To: The Chicago Python Users Group <chicago at python.org>
Subject: Re: [Chicago] Secret stuff: additional detail

Leon,
If you're saying you'd need the secret key to be present client-side in the customer's web browser, then no, that isn't secure.
You need a server-side component, or you need to get some sort of one-time use, limited scope key that can only be used to take the action the customer is permitted to take -- and whether or not that's possible depends on what the API is you're interacting with.


On Sat, May 14, 2016 at 4:40 PM, Leon Shernoff <leon at mushroomthejournal.com> wrote:
@ my question of 4:05pm

I should also add that this is a WordPress site, so it's not a situation where I can do things with the server's system itself. :/

--
Best regards,
    Leon

"Creative work defines itself; therefore, confront the work."
     -- John Cage


Leon Shernoff
1511 E 54th St, Bsmt
Chicago, IL  60615

(312) 320-2190

_______________________________________________
Chicago mailing list
Chicago at python.org
https://mail.python.org/mailman/listinfo/chicago
