Securing an API: SSL & HTTP Basic Authentication vs Signature

Marcus picture Marcus · Apr 1, 2011 · Viewed 30.3k times · Source

When designing an API for our web app, we'll use the their subdomain as the 'username' and generate an API key/shared secret. Firstly, is it ok to use the subdomain as the username? I don't see the benefit of generating another key.

Different APIs seem to do one of two things:

  1. Use HTTP Basic Authentication with SSL

In every request the username is set to the subdomain and the password to the API key. Since we're using SSL then this should be safe from spoofing.

Notable APIs: Google Checkout, Freshbooks, GitHub, Zendesk

  1. Create a Signature of the Request with the Shared Secret

Normally achieved by ordering the key/value pairs and using HMAC-SHA1 with the shared secret to generate the signature. The signature is then sent with the request and verified at the other end.

Notable APIs: Google Checkout, Amazon AWS

PS: thats no mistake, Google Checkout supports both

Edit: Just read that OAuth 2 is dropping signatures in favour of sending a username/password via SSL.

Any opinions from anyone on what to pick: SSL vs Signature?

Answer

Marcus picture Marcus · Apr 5, 2011

HTTP Basic Authentication over SSL is perfectly secure from my research.

After all, using SSL (strictly TLS now) means the transport layer is encrypted and we can safely assume any information passed over this is secure and has not been tampered with.

Therefore passing the username and password without generating a signature is sufficient.