[thelist] Webhook security

Bill Moseley moseley at hank.org
Tue Aug 28 11:52:51 CDT 2012

I want to implement webhooks -- user-defined URL callbacks that happen with
some event on our servers.   I would require all webhook (callbacks) over
SSL so that puts a requirement on the system I'm calling to support SSL,
which I'm ok with.

How can the system I'm calling authenticate that the request is coming from
my servers?   Since I require SSL one option is client certificates.   I've
not implemented client-side certs before, so not sure what is involved.
But, it seems like the best option.

Our IP addresses may change or come from different machines so they cannot
be used.

I could use some shared secret and build a hash of the return data to prove
I know the secret.   But, that does not prove the request is coming from my
servers -- just that whoever sent the request knows the secret.

And by that logic if I know the shared secret, and I send over SSL then I
could just send the shared secret back in the request without hashing any
of the data and just the fact that I'm sending the shared secret should
validate the request is coming from me (because only I know the secret).

I don't like overly complex hashing of parameters and all that when SSL
really handles authentication, message signing, man-in-the-middle, and
replay attack issues.

Bill Moseley
moseley at hank.org

More information about the thelist mailing list