[thelist] Webhook security
jayturley at gmail.com
Tue Aug 28 13:05:30 CDT 2012
On Aug 28, 2012, at 9:52 AM, Bill Moseley <moseley at hank.org> wrote:
> I want to implement webhooks -- user-defined URL callbacks that happen with
> some event on our servers. I would require all webhook (callbacks) over
> SSL so that puts a requirement on the system I'm calling to support SSL,
> which I'm ok with.
> How can the system I'm calling authenticate that the request is coming from
> my servers? Since I require SSL one option is client certificates. I've
> not implemented client-side certs before, so not sure what is involved.
> But, it seems like the best option.
> Our IP addresses may change or come from different machines so they cannot
> be used.
> I could use some shared secret and build a hash of the return data to prove
> I know the secret. But, that does not prove the request is coming from my
> servers -- just that whoever sent the request knows the secret.
> And by that logic if I know the shared secret, and I send over SSL then I
> could just send the shared secret back in the request without hashing any
> of the data and just the fact that I'm sending the shared secret should
> validate the request is coming from me (because only I know the secret).
> I don't like overly complex hashing of parameters and all that when SSL
> really handles authentication, message signing, man-in-the-middle, and
> replay attack issues.
> Bill Moseley
> moseley at hank.org
> * * Please support the community that supports you. * *
> For unsubscribe and other options, including the Tip Harvester
> and archives of thelist go to: http://lists.evolt.org
> Workers of the Web, evolt !
More information about the thelist