Bitcoin Forum
Author Topic: To MtGox, Intersango, etc : This would make your APIs much more secure  (Read 912 times)
Jason Ling
July 27, 2012, 10:27:23 AM
 #1

Please allow me to restrict the IP addresses that API calls for particular keys are allowed to originate from.
paraipan
July 27, 2012, 10:35:09 AM
 #2

Quote from: Jason Ling
  Please allow me to restrict the IP addresses that API calls for particular keys are allowed to originate from.

+1

shtylman
July 27, 2012, 10:39:03 AM
 #3

Quote from: Jason Ling
  Please allow me to restrict the IP addresses that API calls for particular keys are allowed to originate from.

Do you believe you or someone else has successfully been compromised by having their API accessed from an IP which was not theirs? If you only access from a given IP, why not keep the API key only on that box and not floating around in other places?

To be clear, I am not against this feature but do want to flesh out the use case a bit more. Sometimes things that seem like security really just add more headache and little security.
davout
July 27, 2012, 11:16:22 AM
 #4

Quote from: shtylman
  Sometimes things that seem like security really just add more headache and little security.

+1

gweedo
July 27, 2012, 09:32:08 PM
 #5

Quote from: Jason Ling
  Please allow me to restrict the IP addresses that API calls for particular keys are allowed to originate from.

That is why they have API keys, so that you can remove the key and access stops from the places you use that key.

BitBuster
July 28, 2012, 02:48:06 PM
 #6

Quote from: gweedo
  Quote from: Jason Ling
    Please allow me to restrict the IP addresses that API calls for particular keys are allowed to originate from.
  That is why they have API keys, so that you can remove the key and access stops from the places you use that key.

Yes, but if a key has been compromised, it's more preferable that the hacker must break into your server as well to use it, rather than being able to use it from anywhere.

At the very least this should be an option and isn't difficult to implement.


BB.
Jason Ling
July 28, 2012, 03:03:57 PM
 #7

Quote from: shtylman
  Quote from: Jason Ling
    Please allow me to restrict the IP addresses that API calls for particular keys are allowed to originate from.

  Do you believe you or someone else has successfully been compromised by having their API accessed from an IP which was not theirs? If you only access from a given IP, why not keep the API key only on that box and not floating around in other places?

  To be clear, I am not against this feature but do want to flesh out the use case a bit more. Sometimes things that seem like security really just add more headache and little security.


It really is simply security in depth.

Now by stealing my API keys, an attacker has pretty much full access to my account and all funds in it.

If the IP address is restricted, he needs to gain control of the IP address as well.
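
The per-key restriction requested in this thread, sketched server-side as an added example (not part of the original posts and not any exchange's actual code). The key store, the names `API_KEYS` and `authorize`, the sample addresses, and the plain shared-secret comparison standing in for the API's real request authentication are all assumptions.

```python
import hmac
import ipaddress

# Constructed sample key store: key id -> secret and allowed source networks.
# An empty allowlist means the key owner has not opted in to IP restriction.
API_KEYS = {
    "key-trading-bot": {
        "secret": "s3cr3t-constructed",
        "allowed": ["203.0.113.10/32", "2001:db8:42::/48"],
    },
    "key-unrestricted": {"secret": "another-constructed", "allowed": []},
}


def normalize(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 so dual-stack listeners match IPv4 rules."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def authorize(key_id, secret, peer_addr):
    """Return (allowed, reason).

    peer_addr must be the TCP peer address seen by the server, never a
    client-supplied header such as X-Forwarded-For, which the caller controls.
    """
    record = API_KEYS.get(key_id)
    # Constant-time comparison of the presented secret.
    if record is None or not hmac.compare_digest(record["secret"], secret):
        return False, "bad-credentials"
    if not record["allowed"]:
        return True, "ok-unrestricted"
    try:
        ip = normalize(peer_addr)
    except ValueError:
        return False, "bad-source-address"
    for cidr in record["allowed"]:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip.version == net.version and ip in net:
            return True, "ok"
    # Valid credentials from an address outside the allowlist.
    return False, "source-not-allowed"
```

A `source-not-allowed` result means valid credentials arrived from an unexpected address, so it is worth logging and alerting on as a likely sign of key theft rather than silently rejecting.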
BCB
July 28, 2012, 03:08:15 PM
 #8

This is implemented in more mature sites, like Perfect Money and Liberty Reserve.
Have they experienced any major hacks? I don't know. I think it's easier to launch a warhead than it is to log in to Liberty Reserve.

We need current and future bitcoin businesses to mature.

It is also like fraud at fiat banks and credit card companies. They expect a certain amount of fraud and write it off, until the pain of writing it off becomes greater than increasing the security practices.

As long as they are making money and clients use their services there will be little change.
BCB
July 28, 2012, 03:10:21 PM
 #9

Also, I've discovered a potential security issue with Mt. Gox's Google Auth OTP.  I alerted support last week.  I'm waiting to see if they respond.