Get SIP client availability before routing call - twilio-api

We've set up a SIP domain in Twilio and set up SIP users. SIP clients are able to connect to Twilio and send and receive phone calls.
Is there any way via the REST API to know whether or not a SIP client is connected and available before we route incoming calls to the SIP user?

Related

Securing the rest endpoint exposed to twilio for incoming message

In my application, I am exposing a REST endpoint and have configured it in my Twilio account for incoming messages.
Now, since the request is not coming from a logged-in user but from an external customer, there is no token sent in the request, and so the exposed API is not secure.
Is there a way I can make it secure apart from making it an HTTPS call?
That is what x-twilio-signature should be used for. The Webhook requests from Twilio will have this HTTP Request Header. You can read more in implementation, below.
How to secure Twilio webhook URLs in Node.js
Security
Aside from what @Alan mentioned, I would also make your URL hard to guess.
https://softwareengineering.stackexchange.com/questions/325806/are-private-unguessable-urls-equivalent-to-password-based-authentication
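The X-Twilio-Signature check referred to in the answers above, as an added example that is not part of the original posts and is not Twilio's helper-library code. It implements the documented scheme for form-encoded POST webhooks; the function names, token, URL and parameters are constructed for illustration.

```javascript
const crypto = require('crypto');

// Twilio signs: the full webhook URL, followed by every POST parameter
// name and value (sorted by name, concatenated with no separators),
// using HMAC-SHA1 keyed with the account Auth Token, base64-encoded.
function expectedTwilioSignature(authToken, url, params) {
  const data = Object.keys(params)
    .sort()
    .reduce((acc, key) => acc + key + params[key], url);
  return crypto.createHmac('sha1', authToken).update(data, 'utf8').digest('base64');
}

// Returns true only when the header matches the locally computed value.
function isValidTwilioRequest(authToken, headerSignature, url, params) {
  if (typeof headerSignature !== 'string' || headerSignature.length === 0) {
    return false; // unsigned request: reject
  }
  const expected = Buffer.from(expectedTwilioSignature(authToken, url, params));
  const received = Buffer.from(headerSignature);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// Constructed sample values (not real credentials or phone numbers).
const SAMPLE_TOKEN = 'constructed-auth-token';
const SAMPLE_URL = 'https://example.com/sms/incoming';
const SAMPLE_PARAMS = { To: '+15550000002', From: '+15550000001', Body: 'hello' };
const SAMPLE_SIG = expectedTwilioSignature(SAMPLE_TOKEN, SAMPLE_URL, SAMPLE_PARAMS);

console.log(isValidTwilioRequest(SAMPLE_TOKEN, SAMPLE_SIG, SAMPLE_URL, SAMPLE_PARAMS));
```

The URL passed in must be exactly the one configured in Twilio, including scheme and query string; behind a TLS-terminating proxy, build it from the configured public URL rather than from the incoming Host header.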

What are the protocols used when communicating with the Facebook server (login and messenger part)?

What are the protocols used when logging in to Facebook and using Facebook Messenger?
I read somewhere on Google that the messenger uses the MQTT protocol.
How can I catch and analyze its related network packets in Wireshark?
The mobile application uses the MQTT protocol. The messenger on the webpage, on the other hand, along with the login page, communicates through the standard HTTPS protocol, like the rest of the application.
You can sniff the HTTPS packets being sent on the local network through Wireshark, but since HTTPS is SSL encrypted, you will just see hashes in the response body and you will not see the actual text. That's probably the main reason why you couldn't find it. In Wireshark, HTTPS is denoted as SSLv3.

REST API CURL - NOT SSL Encrypted - Security?

I am hosting a script on my site; it will call the site from the domain name, using Curl and the REST API.
I can't get the REST API working with the SSL cert, and I am not sure why.
But if I don't use SSL and just send it unencrypted, does that mean someone on another PC somewhere can intercept my calls? Or would they need access to my server to be able to "listen in"?
Basically, I want to know how risky it is (will I get hacked) if I don't encrypt the calls.
If you are not using TLS while making calls to the REST API upstream, all the requests and responses will be sent as plaintext.
Since you are making the calls upstream, whoever is present in the network path upstream will be able to intercept your traffic. That typically means your site (or VPS) host, the ISP they use, and whoever is present in the logical network path up to the server hosting the service. If they are malicious, they can tamper with the data or log confidential information you send or receive.
does that mean someone on another pc somewhere can intercept my calls?
No, it is not like anyone on the internet can intercept your data. Only the devices through which your packets are routed will have the power to intercept them.
Or would they need access to my sever to be able to "listen in"?
No, they do not need access to your server to do that. They can passively intercept the incoming and outgoing data.
Summary
It is always risky when you do not make use of TLS. But, you must already trust your host and the ISP they use, to have signed up with them. Although the attack surface is reduced in your case, it is not zero. So, I would highly recommend going with the TLS version of the API.
Better safe than to be sorry.

SendGrid incoming mail webhook - how do I secure my endpoint

I'm currently using SendGrid's Inbound Parse Webhook to feed emails to my application. I've been able to get it working by pointing the URL to an endpoint which my application has exposed. SendGrid just sends the email in the form of a JSON format HTTP POST request to this endpoint and I just process each request internally.
My question is, now that I have it working, how do I ensure that only SendGrid can use this endpoint? At the moment, anyone can utilise this HTTP POST endpoint and pretend that an email has been sent to the application.
Can I get SendGrid to send some sort of unique key to identify themselves? Is there a way I can restrict by IP address?
There are two ways in which you may secure your endpoint. SendGrid's webhooks support basic auth (e.g. https://user:pass@example.com/endpoint). You can also implement a unique key that you check before acting upon the request (e.g. https://example.com/endpoint?key=123).
The simple answer, however, is anything that you add to the URL can act as unique authentication for SendGrid.
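A server-side check for the two options in the answer above, added here as an example that is not part of the original post: it accepts either HTTP basic auth or a `key` query parameter and compares secrets in constant time. The function names, credentials and key are constructed for illustration.

```javascript
const crypto = require('crypto');

// Compare secrets through fixed-length digests so timingSafeEqual never
// sees mismatched lengths and timing does not reveal how much matched.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(String(a)).digest();
  const hb = crypto.createHash('sha256').update(String(b)).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// headers: lower-cased header map; rawUrl: path and query as received.
function isAuthorizedWebhook(headers, rawUrl, expected) {
  const auth = headers['authorization'] || '';
  if (auth.startsWith('Basic ')) {
    const decoded = Buffer.from(auth.slice(6), 'base64').toString('utf8');
    const sep = decoded.indexOf(':'); // the password may itself contain ':'
    if (sep === -1) return false;
    const userOk = safeEqual(decoded.slice(0, sep), expected.user);
    const passOk = safeEqual(decoded.slice(sep + 1), expected.pass);
    return userOk && passOk; // both compared before combining
  }
  // Fallback: ?key=... in the URL. Query strings end up in access logs,
  // so treat the key as a credential and rotate it if logs are exposed.
  const url = new URL(rawUrl, 'https://placeholder.invalid');
  const key = url.searchParams.get('key');
  return key !== null && safeEqual(key, expected.key);
}

// Constructed sample configuration and request header.
const EXPECTED = {
  user: 'sendgrid-hook',
  pass: 'constructed:secret',
  key: 'constructed-url-key',
};
const BASIC_HEADER =
  'Basic ' + Buffer.from('sendgrid-hook:constructed:secret').toString('base64');

console.log(isAuthorizedWebhook({ authorization: BASIC_HEADER }, '/endpoint', EXPECTED));
```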

Integrating Facebook Chat

I have been asked to integrate Facebook Chat to my application using JavaScript only. I cannot use X Facebook platform authentication as it needs a domain URL. So my option is to set up an XMPP chat client using strophe.js via a digest MD5 SASL mechanism.
Regarding BOSH connect manager, http://bosh.metajack.im:5280/xmpp-httpbind. Is this enough or should I configure it in my server? I am using the Tomcat server.
Facebook does not do S2S federation, only C2S, so you will have to use that as your XMPP server (or implement something like XEP-0100 at your server). Facebook does not currently support BOSH, AFAIK.
From http://developers.facebook.com/docs/chat/
The DIGEST-MD5 SASL mechanism is available to support traditional XMPP or multi-protocol IM clients that are not customized for (or even aware of) Facebook. This mechanism requires prompting the user for his or her password; therefore, it should only be used when necessary. In particular, it MUST NOT be used for any client that:
• Proxies the XMPP connection (the connection must be directly from the user's computer to Facebook).
• Reports messages or any other information about user activity to a third party (including the client developer).
• Integrates with Facebook, or has a Facebook Application ID.
If your application does any of the above, you must use Facebook Platform authentication instead.
So, you can't use DIGEST-MD5 with a BOSH server, but you must use X-FACEBOOK-PLATFORM.