Is an API key worthless over http since requested parameters can be sniffed?
Are they only reliable over https?
Even then, aren’t you relying on the client to be careful with their key?
No, because sniffing can only be performed if you are on the same LAN with the sysadmins being clueless about IT security, or if you can otherwise capture the transmitted traffic (which is typically pretty hard). Also, there exist technologies like IPSec that provide authenticity and privacy on the network layer.
So using plaintext authentication does not provide zero additional security.
This depends on your definition of “reliable”. See above. In any case, using transport security prevents attackers from reading your communication. If SSL is enforced, man-in-the-middle attacks are prevented as well.
Of course you do, you always have to trust your authorized users. This has nothing to do with API keys or passwords or anything.
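The answer above says transport security has to be enforced if you want the key protected in transit. The following is an added example, not code from the question or the answer, showing what "enforced" looks like on the server side: an API handler that only evaluates a key when the request arrived over TLS, refuses keys passed as URL parameters (which end up in logs and proxies even over HTTPS), and compares against a hashed key store in constant time. The `Request` class, the `VALID_KEY_HASHES` table and the example key value are all constructed for this illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed key store: maps SHA-256 of each issued key to its owner, so the
# server never holds the cleartext key at rest. Key value is made up for the example.
VALID_KEY_HASHES = {
    hashlib.sha256(b"example-key-0123456789").hexdigest(): "alice",
}


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for this example)."""
    scheme: str                       # "http" or "https" as seen at TLS termination
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


def lookup_key(key: str) -> Optional[str]:
    """Return the owner of a key, comparing digests in constant time."""
    digest = hashlib.sha256(key.encode()).hexdigest()
    for stored, owner in VALID_KEY_HASHES.items():
        if hmac.compare_digest(stored, digest):
            return owner
    return None


def authenticate(req: Request) -> Tuple[int, str]:
    """Return (HTTP status, message) for an API-key authenticated request.

    Keys are accepted only from a TLS-terminated request and only from the
    Authorization header, never from the query string.
    """
    if "api_key" in req.query:
        # A key in the URL is written to access logs, proxy logs and browser
        # history even over HTTPS; reject it so the client fixes the integration.
        return 400, "api_key must be sent in the Authorization header, not the URL"
    if req.scheme != "https":
        # Over plain HTTP anyone on the path can read the header, so the key is
        # not even evaluated; the client is told to switch to TLS.
        return 426, "Upgrade Required: API keys are only accepted over https"
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing API key"
    owner = lookup_key(auth[len("Bearer "):])
    if owner is None:
        return 401, "invalid API key"
    return 200, "authenticated as " + owner


if __name__ == "__main__":
    ok = Request("https", {"Authorization": "Bearer example-key-0123456789"})
    plain = Request("http", {"Authorization": "Bearer example-key-0123456789"})
    in_url = Request("https", {}, {"api_key": "example-key-0123456789"})
    for r in (ok, plain, in_url):
        print(r.scheme, authenticate(r))
```

Returning 426 rather than silently redirecting to HTTPS matters: a redirect would already have let the key travel once in the clear, and the status tells the client unambiguously that its integration, not the key, is the problem.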