| # |
Apr 24th 2017, 10:45 |
NeoThermic|Work |
obfuscation strategies fall apart if enough samples are collected or the method of generation is known. |
| # |
Apr 24th 2017, 10:34 |
Neon1024 |
There are layers inbetween those things |
| # |
Apr 24th 2017, 10:34 |
Neon1024 |
Plus you should not be letting your url structure, and output of your api determine your internal data structure |
| # |
Apr 24th 2017, 10:34 |
 bravo-kernel |
I might have remember incorrectly though ;) |
| # |
Apr 24th 2017, 10:33 |
bravo-kernel |
Obfuscating numeric id using one of the strategies would make it near impossible to harvest using url guesses |
| # |
Apr 24th 2017, 10:33 |
bravo-kernel |
I do recall firm statements about not using uuid to not kill performance |
| # |
Apr 24th 2017, 10:32 |
bravo-kernel |
Check |
| # |
Apr 24th 2017, 10:31 |
dereuromark |
bravo: no its not :slightly_smiling_face: it appears to be - which sometimes can be enough |
| # |
Apr 24th 2017, 10:31 |
bravo-kernel |
Imo |
| # |
Apr 24th 2017, 10:31 |
bravo-kernel |
Obfuscation is as secure as it gets |
| # |
Apr 24th 2017, 10:31 |
dereuromark |
if you do, use uuid16 :slightly_smiling_face: |
| # |
Apr 24th 2017, 10:30 |
bravo-kernel |
Ask @dereuromark, do not use uiid for primary ids |
| # |
Apr 24th 2017, 10:27 |
spriz |
Sneaky :) |
| # |
Apr 24th 2017, 10:24 |
NeoThermic|Work |
e.g (sorry for the function chain, but to get one line): $base36uuid = gmp_strval(gmp_init(str_replace('-', '', CakeText::uuid()), 16) , 36); |
| # |
Apr 24th 2017, 10:22 |
NeoThermic|Work |
doubly so since you can express them as base 36 (once you remove the dashes) for shorter strings in URIs |
| # |
Apr 24th 2017, 10:21 |
NeoThermic|Work |
UUIDs are a great choice |
| # |
Apr 24th 2017, 10:21 |
spriz |
UUID for primary keys <3 |
| # |
Apr 24th 2017, 10:20 |
NeoThermic|Work |
I don't suggest muffin/obfuscate if you want any degree of actual secrecy, mind |
| # |
Apr 24th 2017, 10:20 |
NeoThermic|Work |
hmm |
| # |
Apr 24th 2017, 10:19 |
birdy247 |
ah I read as optimal :slightly_smiling_face: |
| # |
Apr 24th 2017, 10:19 |
bravo-kernel |
Gotta go, gl guys and girls |
| # |
Apr 24th 2017, 10:18 |
bravo-kernel |
Simply put: a must IMHO |
| # |
Apr 24th 2017, 10:18 |
bravo-kernel |
:face_with_rolling_eyes: |
| # |
Apr 24th 2017, 10:18 |
bravo-kernel |
Not optional |
| # |
Apr 24th 2017, 10:18 |
birdy247 |
Not optimal? |
| # |
Apr 24th 2017, 10:17 |
bravo-kernel |
No problem |
| # |
Apr 24th 2017, 10:17 |
bravo-kernel |
Using JsonApiListener is not even optional anymore IMO |
| # |
Apr 24th 2017, 10:16 |
birdy247 |
big thanks for writing that |
| # |
Apr 24th 2017, 10:16 |
birdy247 |
@bravo-kernel great API blog post |
| # |
Apr 24th 2017, 10:16 |
birdy247 |
:) |
| # |
Apr 24th 2017, 10:16 |
bravo-kernel |
s/use/you might want to use/ |
| # |
Apr 24th 2017, 10:15 |
bravo-kernel |
@birdy use muffin/obfuscate if you want to hide your (auto incremental) ids |
| # |
Apr 24th 2017, 10:14 |
Neon1024 |
You can thanks bravo-kernel |
| # |
Apr 24th 2017, 10:14 |
birdy247 |
the JsonApi is also sweet as |
| # |
Apr 24th 2017, 10:14 |
birdy247 |
Man, CRUD + API + Search = happy |
| # |
Apr 24th 2017, 10:05 |
Neon1024 |
https://youtu.be/3Neq2ey3mgE?t=18 |
| # |
Apr 24th 2017, 10:05 |
Neon1024 |
But you’ve got a CMS so you’ve already got SSL |
| # |
Apr 24th 2017, 10:04 |
Neon1024 |
So worth some SSL at an absolute minimum |
| # |
Apr 24th 2017, 10:04 |
Neon1024 |
Will just get session hijacked, or man-in-the-middle’d etc etc |
| # |
Apr 24th 2017, 10:04 |
Neon1024 |
So something like example.com/api/v1/secret-endpoint/918?password=foobar |
| # |
Apr 24th 2017, 10:03 |
Neon1024 |
Plus, urls are transparent. Whatever is in the url is readable by anyone |