I am hosting a script on my site, it will call the site from the domain name, using Curl and REST API,
I can't get the REST API working with the SSL Cert, I am not sure why.
But if I don't use the SSL and just send it unencrypted, does that mean someone on another pc somewhere can intercept my calls? Or would they need access to my sever to be able to "listen in"?
Basically I want to know how risky it is (will i get hacked) if I don't encrypted the calls?
If you are not using TLS while making calls to the REST API upstream, all the requests and responses will be sent as plaintext.
Since, you are making the calls upstream, whoever is present in the network path upstream, will be able to intercept your traffic. That typically means your site (or VPS) host, the ISP they use and whomever present in the logical network path up until the server hosting the service. If they are malicious they can tamper the data or log confidential information you send or receive.
does that mean someone on another pc somewhere can intercept my calls?
No, it is not like anyone on the internet can intercept your data. It is only the devices through which your packets are getting routed through will have the powers to intercept them.
Or would they need access to my sever to be able to "listen in"?
No, they do not need access to your server to do that. They can passively intercept the incoming and outgoing data.
Summary
It is always risky when you do not make use of TLS. But, you must already trust your host and the ISP they use, to have signed up with them. Although the attack surface is reduced in your case, it is not zero. So, I would highly recommend going with the TLS version of the API.
Better safe than to be sorry.
Related
I've just read this very interesting article: Principles for Standardized REST Authentication and I'm wondering why one should sign REST queries even when using SSL. In my understanding, signing REST queries lets the server ensure requests come from trusted clients.
Having said that, is signing really necessary considering that SSL also protects against man-in-the-middle attacks?
As stated on the Wikipedia article for HTTPS:
[...] HTTPS provides authentication of the web site and associated web server that one is communicating with, which protects against man-in-the-middle attacks. Additionally, it provides bidirectional encryption of communications between a client and server, which protects against eavesdropping and tampering with and/or forging the contents of the communication. In practice, this provides a reasonable guarantee that one is communicating with precisely the web site that one intended to communicate with (as opposed to an imposter), as well as ensuring that the contents of communications between the user and site cannot be read or forged by any third party. [...]
This is why you need HTTPS, so that the client "is sure" that it's requests are sent to the proper destination. The article you linked also says this:
If you are not validating the SSL certificate of the server, you don't know who is receiving your REST queries.
But HTTPS normally does not authenticate the client unless you configure the server to request a certificate from the client in order to perform mutual authentication. If you read the comments in the post you linked you will see people mentioning this:
If you are going to use https, why not use it fully, and ask for client side certificates too? Then you get a fully RESTful authentication method, because the client and the server are authenticated at the connection layer, and there is no need to bring authentication into the URI level.
But HTTPS with client-side certificates is more expensive and complex so most API providers keep "the normal" HTTPS to identify the server and use a lighter mechanism to identify the clients: the API keys. The API keys basically consist of a name which is public - for example "Johnny" - and a secret key which is private - for example a long string of randomly generated characters.
When you make a request to the server you include the name "Johnny" in the URL so that the server knows who sent the request. But the server doesn't just blindly trust you that you are "Johnny", you have to prove it by signing the request with the secret key which, because it's private, only the real "Johnny" knows.
A digital signature has legal implications such as non-repudiation, which any value transaction should require. It's not just a matter of authentication. A digital signature on an actual transaction is a much stronger piece of evidence in court than 'this conversation was carried out over SSL with mutual authentication so it must have been the defendant Your Honour'.
I am currently working on a website built with Backbone.js. The site has a RESTful API built in Symfony with FOSRestBundle. Developing was going fine, until I stumbled in to some user-related tickets.
From what I understand, the best way to handle this type of problem is with a token based system, where the user gets an access token after an approved login. I will describe my current perception of the workflow, and ask questions along the way. More importantly, please correct me if I have misunderstood.
First, the user the accesses the login form, then the user types in credentials, and an AJAX request is send to the server. From what I understand this should all be handled with SSL, but with Backbonejs, you can't simply say that the login page should be accessed with HTTPS, as Backbone is a one-page framework. So will this force me to use HTTPS through out the application?
In the next step, the REST server validates the credentials, and they are approved, then the REST server sends an access token to the client. Is this token saved (on the client-side) in local storage or a cookie?
Also is the login stored at the server, so that the REST server can log the user out after a certain amount of time?
Now, the client sends this access token along with other request, so that the server can identify the client, and approve the request or not. So the access token is also stored on the REST server?
Lastly is this what the smart people call "oauth", or does it relate to it?
Thank you.
Let's take your questions one at a time.
From what I understand this should all be handled with SSL, but with Backbonejs, you can't
simply say that the login page should be accessed with HTTPS, as Backbone is a one-page
framework. So will this force me to use HTTPS through out the application?
Ok, there's a lot to unpack there. Let's start with SSL/HTTPS. HTTPS is a protocol; in other words it defines how you send packets to/from the server. It has nothing whatsoever to do with whether your application is single or multi-page; either type of site can use either HTTP or HTTPS.
Now, that being said, sending login info (or anything else containing passwords) over HTTP is a very bad idea, because it makes it very easy for "bad people" to steal your users' passwords. Thus, whether you're doing a single-page or a multi-page app, you should always use HTTPS when you are sending login info. Since it's a pain to have to support both HTTP and HTTPS, and since other, non-login data can be sensitive too, many people choose to just do all of their requests through HTTPS (but you don't have to).
So, to answer your actual question, Backbone isn't forcing you to use HTTPS for your login at all; protecting your users' passwords is forcing you.
In the next step, the REST server validates the credentials, and they are approved, then
the REST server sends an access token to the client. Is this token saved (on the
client-side) in local storage or a cookie?
While any given framework might do it differently, the vast majority use cookies to save the token locally. For a variety of reasons, they're the best tool for that sort of thing.
Also is the login stored at the server, so that the REST server can log the user out
after a certain amount of time?
You've got the basic right idea, but the server doesn't exactly store the login ... it's more like the server logs the user in and creates a "session". It gives that session an ID, and then whenever the user makes a new request that session ID comes with the request (because that's how cookies work). The server is then able to say "oh this is Bob's session" and serve the appropriate content for Bob.
Now, the client sends this access token along with other request, so that the server can
identify the client, and approve the request or not. So the access token is also stored
on the REST server?
If you're running two separate servers they're not going to magically communicate; you have to make them talk to each other. For this reason your life will be easier if you can just have one (probably REST-ful) server for your whole app. If you can't, then your REST server is going to have to ask your other server "hey tell me about session SESSION ID" every time it gets a request.
Lastly is this what the smart people call "oauth", or does it relate to it?
Kind of, sort of, not really. OAuth is an authorization standard, so it's sort of tangentially related, but unless your login system involves a whole separate server you have no reason to use it. You could use OAuth to solve your "two servers, one REST-ful one not" problem, but that would probably be overkill (and regardless it's outside the scope of what I can explain in this one Stack Overflow post).
Hope that helps.
I am developing an iPhone application for my client in which I have to send requests to a Secure SSL Server(Client's server, everything is ready by server side) with certificate authentication.
I am not getting exact procedure, or exact code showing steps to be followed. (i.e Procedure is not clear to me)
If anybody can explain me the mechanism behind it, it will be helpful for me.
Thank you.
You need not to do anything.
Just use proper URL with https://
All the underlying complexity will be handled by NSURLConnection class. It is as same as calling any other network services.
Is a file transferred via SFTP any less secure than the same data transferred via SOAP into a database?
SFTP is very secure. The "S" in "SFTP" even stands for secure. That doesn't mean that a file transferred via SFTP is necessarily secure, of course -- just that if something goes wrong with the security, you probably have something else to blame other than SFTP. SFTP won't be the weak link. You could still have a weak password, lose your certificate, have the secret service raid your data center, etc.
However, SOAP has nothing to do with security. A SOAP request is a thing which can be secure or insecure depending on how it's sent. If you send SOAP over HTTP, it is incredibly insecure. If you send it over HTTPS, it can be relatively secure depending on how much you trust your CA. Using SOAP over HTTP is like leaving your UPS package on the doorstep. It's convenient but someone could walk by and take it.
Think about it this way: SOAP is the money, HTTPS is the armored car. Except sometimes the armored car is driven by the Chinese government to a completely different location, unless you have a rule in place to prevent that from happening. (Google Chrome, for example, uses a whitelist for CAs on specific domains.)
Summary:
SFTP is secure, if you get your certificates right.
SOAP over HTTPS is secure, if you get your certificates right.
SOAP over HTTP or SMTP is insecure.
Getting your certificates right is the only hard part about this.
I have a set of REST services that I ONLY want my web application to consume. I do not want my users to be able to use their credentials and have the services consumed by a third party application (since my data is paid for). I there a way to ensure that only my javascript can make calls to the services from a browser that cannot be spoofed (request headers and user agent detection for instance will not work.)
This is probably more of a creative problem.
I am also providing a REST API. I use a mix of an API Key which is always static an can be spoofed. Next is a signature which will be generatet on clinet side and prooved on server side on each request. The signature is build by a combination of all parameters AND a secret password. this prevent a man in the middle from executing for example the same call with another parameter.
Only bad is that a spoofed request can be sent again. I dont know already how to prevent that.
Signed client certificates and HTTPS.