[Chicago] Handling secret stuff: update
Matthew Erickson
matt at soulrobotic.com
Mon May 16 22:39:04 EDT 2016
While we're jumping on security bandwagons, if keys could be extracted from web servers with relative ease, SSL would be more broken than it already is.
-- Matt
On May 16, 2016, at 21:16, Chris Foresman <foresmac at gmail.com<mailto:foresmac at gmail.com>> wrote:
Also, I'm guessing that PHP has some way to read in environment variables from the server its running on; this is typically the method used to secure API keys and the like on Django/Python web servers. Is this not an option for you?
Chris Foresman
foresmac at gmail.com<mailto:foresmac at gmail.com>
On May 16, 2016, at 7:43 PM, Adam Forsyth <adam at adamforsyth.net<mailto:adam at adamforsyth.net>> wrote:
Leon,
Please stop changing the subject of the thread, it makes it harder to follow the conversation and clutters up peoples' inboxes.
You're mistaken about it being a security problem if "dosomething.php" contains the secret key. If your web server is being configured correctly, the user of the site can't actually see the contents of "dosomething.php". The web server uses a PHP plugin to run "dosomething.php" as a program, and then sends its output to the web browser. So the contents of that file are secure -- anyone who has access to it already has access to the secret key.
On Mon, May 16, 2016 at 5:02 PM, Leon Shernoff <leon at mushroomthejournal.com<mailto:leon at mushroomthejournal.com>> wrote:
Hi, everyone
and thanks for the suggestions!
Thanks, Philip and Joshua. I have been reading OWASP and they are a big part of what scared *me* wrt this situation. :-)
Nick, I don't know how Django works. But @ the "code trail", Wordpress runs on php, which means that when you have a form on a page that's supposed to do stuff, the form says
<form action="complete_pathname/dosomething.php" method="post">
and the dosomething.php file is unencrypted text. If the that file contains or just is able to access the secret API key, I have a security problem. While a would-be hacker may not (shouldn't!) have permissions to get to that php file, they at least know where to look, or perhaps they can devise some method of triggering the form's actions and having its results directed to them. JavaScript has a similar problem -- any action you want a page to take is written down in unencrypted pages that are interpreted live. It sounds from what you're saying that Django has layers between the pages that it serves and code that it runs that make this not a problem.
In any case, this is the motivation behind my provisional idea of (something like) Japhy's solution -- I'm not running the host server, but at least perhaps I can trigger the more sensitive part of the operation by scheduled actions which are independent of anything that happens via a browser.
Thanks again. Your ideas help me think. :-)
--
Best regards,
Leon
"Creative work defines itself; therefore, confront the work."
-- John Cage
Leon Shernoff
1511 E 54th St, Bsmt
Chicago, IL 60615
(312) 320-2190<tel:%28312%29%20320-2190>
_______________________________________________
Chicago mailing list
Chicago at python.org<mailto:Chicago at python.org>
https://mail.python.org/mailman/listinfo/chicago
_______________________________________________
Chicago mailing list
Chicago at python.org<mailto:Chicago at python.org>
https://mail.python.org/mailman/listinfo/chicago
_______________________________________________
Chicago mailing list
Chicago at python.org<mailto:Chicago at python.org>
https://mail.python.org/mailman/listinfo/chicago
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/chicago/attachments/20160517/dbb6ef1f/attachment.html>
More information about the Chicago
mailing list