Is there TLS/SSL support? Key is non encrypted on wire.

Questions about the WURFL Cloud service.
points
Posts: 5
Joined: Mon Nov 11, 2013 2:03 pm

Is there TLS/SSL support? Key is non encrypted on wire.

Postby points » Mon Nov 18, 2013 2:59 pm

Hi guys,

Using Wurfl Cloud standard licensing with Java and Python clients. I noticed that java client is making requests to api.wurflcloud.com without SSL/TLS layer. Look like the key is transmitted as part of Basic HTTP Auth over wire :(

Is there a way to enable encryption or TLS/SSL using Java and Python clients?

What happens if someone obtains our key which is highly likely given lack of encryption?

kamermans
Posts: 393
Joined: Mon Jun 06, 2011 9:50 am

Re: Is there TLS/SSL support? Key is non encrypted on wire.

Postby kamermans » Mon Nov 18, 2013 3:36 pm

The SSL handshake is expensive and increases HTTP latency, so we decided not to support it at the moment, although I wouldn't rule it out in the future. I don't think it is likely that someone will intercept your key unless you are on a shared hosting plan which allows root access and promiscuous mode virtual interfaces. Another possible attack angle is from the network providers, but this is also unlikely since there is relatively little to gain by stealing a WURFL Cloud account key. In any case, if there is a problem, you can change your API key at will from the WURFL Cloud control panel.
Thanks,

Steve Kamerman
ScientiaMobile

Make sure you check out our WURFL Cloud, WURFL InSight and WURFL InFuze products!

points
Posts: 5
Joined: Mon Nov 11, 2013 2:03 pm

Re: Is there TLS/SSL support? Key is non encrypted on wire.

Postby points » Mon Nov 18, 2013 3:38 pm

OK, Thanks.

Is there a way to cheaply determine that somebody else is using our key?

kamermans
Posts: 393
Joined: Mon Jun 06, 2011 9:50 am

Re: Is there TLS/SSL support? Key is non encrypted on wire.

Postby kamermans » Mon Nov 18, 2013 3:41 pm

We keep track of which IPs your requests are coming from, so I can have someone run a quick check for you. More often than not, higher-than-expected traffic is due to some automated bot or health check. You might want to take a look at your webserver access logs to see if there is something strange in there. We do attempt to remove this traffic from your stats, so you are welcome to share the User Agent of an offending service with us if you want, and we may include it.
Thanks,

Steve Kamerman
ScientiaMobile

Make sure you check out our WURFL Cloud, WURFL InSight and WURFL InFuze products!

points
Posts: 5
Joined: Mon Nov 11, 2013 2:03 pm

Re: Is there TLS/SSL support? Key is non encrypted on wire.

Postby points » Mon Nov 18, 2013 4:36 pm

Thanks Steve.


Who is online

Users browsing this forum: No registered users and 14 guests