On API keys...

Bob Sneidar bobsneidar at iotecdigital.com
Fri Jun 24 18:23:04 EDT 2022


Mr. (Or should I say Doctor) Waddingham! This is a really brilliant essay on the risk, benefits and rewards in multiple scenarios concerning the storage of keys. I’ve mentioned before that I came up with the idea of “poisoning” the encrypted data before the data was transmitted. If intercepted in transit, the data itself could never be decrypted without knowing how it was poisoned and what was needed to “cleanse” it. And that would require access to either the API of the device doing the corruption or the cleansing, or else someone who knew the method. 

By using this method, all but physical and social vectors are nullified. And control of those vectors is an illusion. 

Bob S 


> On Jun 24, 2022, at 13:22, Mark Wieder via use-livecode <use-livecode at lists.runrev.com> wrote:
> 
> On 6/24/22 10:04, Mark Waddingham via use-livecode wrote:
> 
>> The only way to use these keys is from server scripts running on a server which you do your best to maintain the security of. Ideally these keys should be stored in files which are only readable by specific users - usually the web-server user which is running the backend scripts which need to make the requests.
> 
> Or as server environment variables retrieved only by server scripts which are not user-accessible.
> 
> -- 
> Mark Wieder
> ahsoftware at gmail.com
> 
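
The two storage options quoted above (a key file readable only by the user running the backend scripts, or a server environment variable), as an added example that is not part of either message and is written in Python rather than LiveCode. It assumes a POSIX server; the variable name EXAMPLE_API_KEY, the file name api.key and the key value are hypothetical, constructed for the demonstration.

```python
import os
import stat
import tempfile


class InsecureKeyFile(Exception):
    """The key file's type, owner or mode is too permissive to trust."""


def load_api_key(path=None, env_var="EXAMPLE_API_KEY"):
    """Read the key from an owner-only file, or from the environment if path is None."""
    if path is None:
        key = os.environ.get(env_var, "").strip()
        if not key:
            raise KeyError(f"{env_var} is not set")
        return key
    # O_NOFOLLOW refuses a symlink planted where the key file should be.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)  # check the file actually opened, not the path again
        if not stat.S_ISREG(st.st_mode):
            raise InsecureKeyFile(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise InsecureKeyFile(f"{path}: not owned by the user running the script")
        if st.st_mode & 0o077:
            mode = stat.S_IMODE(st.st_mode)
            raise InsecureKeyFile(f"{path}: mode {mode:o} lets group/other read it")
        return os.read(fd, 4096).decode().strip()
    finally:
        os.close(fd)


def demo():
    """Constructed check: a 0600 file loads, the same file at 0644 is refused."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "api.key")  # hypothetical file name
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        os.write(fd, b"constructed-sample-key\n")
        os.close(fd)
        loaded = load_api_key(path)
        os.chmod(path, 0o644)
        try:
            load_api_key(path)
            refused = False
        except InsecureKeyFile:
            refused = True
    return loaded, refused


if __name__ == "__main__":
    print(demo())
```

Failing closed on a loose mode means a later chmod or a restore from backup with wrong permissions surfaces as a startup error instead of a silently exposed key.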

