From owner-freebsd-chromium@FreeBSD.ORG Thu May 30 19:22:10 2013 Return-Path: Delivered-To: freebsd-chromium@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 554ED6BE for ; Thu, 30 May 2013 19:22:10 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from anubis.delphij.net (anubis.delphij.net [IPv6:2001:470:1:117::25]) by mx1.freebsd.org (Postfix) with ESMTP id 3A7F4F40 for ; Thu, 30 May 2013 19:22:10 +0000 (UTC) Received: from zeta.ixsystems.com (drawbridge.ixsystems.com [206.40.55.65]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by anubis.delphij.net (Postfix) with ESMTPSA id A887EEA0F; Thu, 30 May 2013 12:22:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=delphij.net; s=anubis; t=1369941729; bh=CzjU6rkY7XDKUs4RqSrsrsPhA+k3ibwzuVLIli7qN/I=; h=Date:From:Reply-To:To:CC:Subject:References:In-Reply-To; b=ISBO50GpO0HDEfSsN37IZL0SRC5LoSpyoTtyuEnONP3nuK7i8ovpLrLyhMUnpRU3P xGHWDsLSB2OejZ9hFrJDcavMh8PzS+oFLWw+pEBUSqZTaVNSeKGgtSRQRdVb+tsAef joHAnmDzjSUtInucWsGy+WR9Ahj/Dox1+Jd880zo= Message-ID: <51A7A6E1.3000104@delphij.net> Date: Thu, 30 May 2013 12:22:09 -0700 From: Xin Li Organization: The FreeBSD Project MIME-Version: 1.0 To: George Liaskos Subject: Re: using API keys in the FreeBSD Chromium port References: <51A5F67F.3010706@freebsd.org> <51A6EFE3.7030306@delphij.net> In-Reply-To: X-Enigmail-Version: 1.5.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: Kris Moore , freebsd-chromium@freebsd.org, d@delphij.net, phajdan.jr@chromium.org X-BeenThere: freebsd-chromium@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: d@delphij.net List-Id: FreeBSD-specific Chromium issues List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 May 2013 19:22:10 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 05/30/13 11:46, George Liaskos wrote: >> >> What's the purpose of these keys? E.g. are they used to encrypt >> sensitive information, or are they used to identify that "this >> user is running this client, unchanged"? >> > > From what i understand, the key should be unique per "derivative". > It's used to identify the client, like User Agent one could say but > with a quota on API calls. > > In this sense the "Official" Chromium port on FreeBSD should have a > unique key. > > https://groups.google.com/a/chromium.org/forum/?fromgroups#!topic/chromium-dev/Qks4W0xLxqc Ah, > ok so this is for identifying the client. I personally don't think this would work though. In order to do this, I think the only way would be: - Don't ship the port with a key. Instead, require the builder (currently everyone who runs FreeBSD) to acquire one for themselves. When the key is not present, don't build the features that requires an API key. - On FreeBSD package building cluster (as well as PC-BSD ones), deploy the "official" key and make binaries there. I don't see how this would even work as expected, though: the key is embedded in the binary and thus anyone who can run the binary and have debugging tools would be able to extract it. This situation is totally different from normal OAuth scenario, where API key is deployed on servers and protected from being accessed by average users, and the API provider can easily block misbehaving client when the key is "stolen". Cheers, - -- Xin LI https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- iQEcBAEBCgAGBQJRp6bhAAoJEG80Jeu8UPuzQusH/2ZmNiv70gPN3U/mioK+O827 lTvIo1ljPQudNwco+EcXxHinJmKYj36dKxtmU4ByJQmpCazBRRufzc0Zc6dZd2FX v5cwc6QQH9o0gAFafZS1nPxREoBoBQNmxtyutxjseeEqs+e0zbxix4RQJorZXNgE I2VyOwiVyxeCaeooa83h/0ll0AkQYn9ny/lDJUoph3rq1nGgX8esIO4XdVORXFPJ mHeixoI+aRtZ963p4T9ljEnJ4yP+nVqIcpsdL8nHQOdiPuNnNdc79AE4d7RhAaaF LQ3wdj9tRsA3cgmUGe37jkT3VuGEhIi6jci+W1k2uyiecqy4Qfs2lNdj+MOcOPA= =OYyE -----END PGP SIGNATURE-----