using API keys in the FreeBSD Chromium port

Paweł Hajdan, Jr. phajdan.jr at chromium.org
Thu May 30 20:23:51 UTC 2013


René should now have an official response from an @google.com e-mail.

Please let me know if after that there are still some issues - and consider
https://groups.google.com/a/chromium.org/forum/#!forum/chromium-packagers for
further questions. :)

Paweł

On Thu, May 30, 2013 at 12:22 PM, Xin Li <delphij at delphij.net> wrote:

> On 05/30/13 11:46, George Liaskos wrote:
> >>
> >> What's the purpose of these keys?  E.g. are they used to encrypt
> >> sensitive information, or are they used to identify that "this
> >> user is running this client, unchanged"?
> >>
> >
> > From what I understand, the key should be unique per "derivative".
> > It's used to identify the client, like User Agent one could say but
> > with a quota on API calls.
> >
> > In this sense the "Official" Chromium port on FreeBSD should have a
> > unique key.
> >
> >
> https://groups.google.com/a/chromium.org/forum/?fromgroups#!topic/chromium-dev/Qks4W0xLxqc
>
> Ah, ok so this is for identifying the client.  I personally don't
> think this would work though.
>
> In order to do this, I think the only way would be:
>
>  - Don't ship the port with a key.  Instead, require the builder
> (currently everyone who runs FreeBSD) to acquire one for themselves.
> When the key is not present, don't build the features that require an
> API key.
>  - On FreeBSD package building cluster (as well as PC-BSD ones),
> deploy the "official" key and make binaries there.
>
> I don't see how this would even work as expected, though: the key is
> embedded in the binary and thus anyone who can run the binary and has
> debugging tools would be able to extract it.  This situation is
> totally different from the normal OAuth scenario, where the API key is
> deployed on servers and protected from being accessed by average
> users, and the API provider can easily block a misbehaving client when
> the key is "stolen".
>
> Cheers,
> --
> Xin LI <delphij at delphij.net>    https://www.delphij.net/
> FreeBSD - The Power to Serve!           Live free or die
