"Writing Secure APIs" Armin Ronacher, PyCon Ru 2014



  1. Writing Secure APIs. Armin Ronacher for PyCon.ru 2014
  2. Armin Ronacher: Independent Contractor for Splash Damage / Fireteam. Doing online infrastructure for computer games. lucumr.pocoo.org/talks
  3. … but does it support SAML?
  4. Why Secure APIs?
  5. Starbucks killed the unencrypted connection.
  6. Your enemy surfs on the same Wifi as you.
  7. Things to secure: session cookies, access tokens, credit card numbers, …
  8. Don't be afraid of government; your enemy is sitting on the same Wifi.
  9. Which type of API?
  10. Web vs Browser Web
  11. It's all about the CAs: browsers trust public CAs; services should trust certificates.
  12. Browser Web: you use HTTP, and there is a good old browser. Websites, JavaScript APIs, etc.
  13. Web: you use HTTP, but there is no browser, or it's a browser under your control. Service-to-service communication, custom APIs, etc.
  14. If there is no browser, I do not need a public CA.
  15. If there is a browser, there is not much you can do :'(
  16. What does a CA do?
  17. Let's look at something else first.
  18. Understanding Trust
  19. Authenticity vs Secrecy
  20. Authenticity: the author of the message is the author the receiver knows and trusts.
  21. Secrecy: nobody besides author and intended receiver can read the message.
  22. Authenticity > Secrecy
  23. Authenticity: Eve (diagram of parties A, B and eavesdropper E)
