Brail’s Blog

Since the dawn of time (or so it seems) I’ve been maintaining several web sites that let you get subway directions for New York City. I started back in 1996 with a Java applet (which people still use) and over time I’ve migrated to a Google Maps application with a back end hosted in Google App Engine. This latest version, of course, depends on an API to calculate the subway route. Google themselves have since introduced a very nice addition to Google Maps that does this, but my interface is a bit different and sometimes the results are different, so I keep mine happily running as well.

Of course, trying to debug even a simple API like this can be a challenge, especially when it’s being invoked by the browser. How do I see the traffic between the browser and my API? How do I know if the browser is interpreting the response incorrectly or if the API is responding with incorrect data? Google App Engine is great but this kind of debugging isn’t its forte.

Here at Sonoa, the Apigee team has been working hard on a set of new features aimed at developers who produce and consume APIs, including some new features that address exactly my problem. Using the new debug screen in Apigee, I can watch API traffic in real-time, filter it in various ways in case I don’t want to see everything coming my way, and then see exactly what transpired between the client and the API — without changing anything on the client and server at all, since I was sending my API traffic through Apigee anyway. And now that people are using my application in real life, I can leave Apigee in place to see all the analytics that it generates, and then turn on the debug functionality only when I have a specific problem to solve.

There have been a few posts around the blogosphere this week about the meaning of “REST” web services and what it all means. Our corporate perspective at Sonoa is that we are happy to support all kinds of web services, but we see real advantages to following “REST” principles. I personally have seen examples, like the Twitter API, that clearly show how easy it can be for people to take advantage of an API when it’s built following the REST principles.

I’ve written some blogs on the Sonoa blog about this which will be appearing this week. Take a look!

http://blog.sonoasystems.com/detail/why_rest_security_actually_does_exist/

Things have been quiet here for a few months, but I’m still writing. For the past two months or so, I’ve been contributing a ton of content to the official Sonoa blog, including a few video tech talks as well as blog entries. A few entries I can think of include:

• An entry or two, and actually three, about security for APIs.
• Some thoughts on API visibility and Twitter.
• The first in a series of video chalk talks.

Over time, I won’t let this blog die, but I’ll instead use it to cover some of the other complicated techy stuff rattling around in my head, and keep writing about APIs and web services on the Sonoa blog.

A lot has been happening with OAuth recently. Not all of it has been good — a security hole was discovered in the protocol which exposes it to a potential “social engineering” attack. Right now would not be the best time to deploy a new API that uses OAuth — in fact, my colleague Gregory Haardt is also advising a little caution.

However, the OAuth community is working on a revision to the spec that will address the issue and it will not be long before there is a new protocol version which elminates this particular hole.

I wanted to bring up a related issue, which anyone implementing OAuth should keep in mind. Namely, how do you securely manage all those keys?

For example, let’s look at how companies manage traditional username / password authentication:

Anyone following good security practices does not just have a big database on the back end with a list of unencrypted passwords. Instead, a hash of the password is stored, preferably using a salt. As a result, someone who can read the password file can very easily verify that they have the right password, but they cannot figure out what the password is if they do not already know without doing a lot of work.

It is still critically important to protect access to these encrypted passwords, of course. Otherwise, an attacker can mount a dictionary attack to try and crack them. However, even if someone gains access to your entire database of encrypted passwords, they can still only easily gain access to lousy passwords. At least users who choose secure passwords are relatively safe.

(It is also critically important to protect access to the cleartext password, but at least this mechanism doesn’t require that it be stored in a database for all to see.)

As networking and middleware people, we spend a lot of time thinking about the security of our network protocols, and especially ensuring that someone eavesdropping on a network cannot grab our passwords and other sensitive data as they fly by. This aspect of security is important, or else the Internet never would have succeeded.

But how many times have we heard of a security breach caused by a stolen laptop, or purloined backup tapes, or an administrator who decided to trade his or her privileged access for a few quick bucks? It seems to me that we hear about those kinds of attacks a lot more often than we hear about someone who stole passwords from the wireless network at Starbucks. I would argue that protecting so-called “data at rest” is just as important, or maybe even more important, as protecting the data flying around your laptop.

Now, back to OAuth. Each “user” in OAuth holds something called an “access token,” which is like a username, and a “token secret,” which is like a password. When a request is sent over the network containing an OAuth authentication token, a bunch of data in the token is encrypted using the token secret, but the secret itself is never sent over the network. That way, regardless of whether SSL is in use, there is no way to gain access to the token secret by sniffing the network.

However, on the server side, in order to validate the OAuth token, the server must make the same calculation that the client made when it encrypted the data to put in the token. That means that both the client side and the server side in OAuth must be able to read the unencrypted token secret from some sort of database. Without it, OAuth doesn’t work. There’s no set of standard ways for storing those keys like there are for passwords, so presumably different implementations are storing them in different ways.

As a result, any client and any server that uses OAuth has to take extra-special care with all those token secrets. Otherwise, anyone who gets access to the database of tokens and secrets used by the back end servers immediately has access to all the OAuth-enabled accounts.

I am not suggesting a change to the OAuth protocol here — it solves an important problem (and more on that later).

However, I am suggesting that anyone who implements either the “service provider” or “consumer” side of OAuth take very special care of those tokens!

For instance:

• If they’re on a regular disk file, protect them using filesystem permissions, make sure that they’re encrypted, and hide the password well (because it’s not like you’re going to have an administrator type it in whenever you reboot, right?)
• If they’re in a database, encrypt the fields, store the key well, and protect access to the database itself carefully.
• If they’re in LDAP, do the same.

Come to think of it, perhaps the world needs a standard LDAP schema for storing OAuth secrets in a secure way. Anyone care to make a proposal?

Welcome to my blog!

I plan to use this blog to write mainly about my work at Sonoa. That means I’ll be talking about cloud services, web services, XML, RSS, and probably middleware, transaction processing, and SOA before long.