Home/ Questions/Q 525051
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T08:37:53+00:00

My app must read an SSL url from a third party. How do I

  • 0

My app must read an SSL url from a third party. How do I best store the third party credentials in my own database, which protects the third party credentials from being compromised? Consider both absolute security and practicality. One-way hashing the credentials is not useful as I must restore credentials to plaintext for the SSL call. I’m using python on google app engine, and my app authenticates with google credentials.

  • encrypt credentials using e.g. AES and save the encryption key somewhere else (just moves the problem), or derive it from the credentials and keep the algorithm secret (just moves the problem)
  • encrypt credentials using a synchronous stream cipher, derive the (not)entropy from the credentials and keep the algorithm secret (just moves the problem)
  • on a separate web app dedicated to storing third party credentials, provide a SSL url to receive the third party credentials, this url is accessed with google credentials (same as my app) and can use authsub or something to transfer authorization to the other web app. this sounds more secure because its harder to hack a trivially simple webapp, and if my complex main app gets compromised the third party credentials aren’t exposed.

what do you think about all approaches?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It’s a difficult task, and no approach will save you the trouble to make sure that there is no weak link. For starters, I wouldn’t know if hosting on Google is the best way to go, because you will be forfeiting control (I really don’t know if App Engine is designed with the required level of security in mind, you should find that out) and probably cannot do penetration testing (which you should.)

    Having a separate small application is probably a good idea, but that doesn’t save you from having to encrypt one way or the other the credentials themselves in this smaller app. It just buys you simplicity, which in turn makes things easier to analyze.

    I personally would try to design the app so the key changes randomly after each use, having a kind of one time pad approach. You don’t specify the app in enough detail to see if this is feasible.

    • 0