Cryptography in Javascript

Viewed 4,021 times

8

On my site I use the Facebook API through an ACCESS_TOKEN. This 'key' gives access to everything that the corresponding application can provide, that is, it is not feasible to leave it public. In view of this, I would like to know the best way to 'hide' this key. Below is the part of the code the question refers to:

    // Graph API URL built in the browser: the token ends up in the query string
    var endereco = "https://graph.facebook.com/" + page_id + "/posts?access_token=" + token + "&limit=15";

    $.getJSON(endereco, function(data) {
        // function
    });
  • 1

    Hide this key from whom? From the user himself? Or from a third party?

  • 1

    Third parties and the user himself. I use Jekyll, and it has the option to host the CMS on GitHub; since the source is open in that repository, everyone will have access to my access_token. :(

  • 1

    While writing the answer I didn’t realize that I had edited the comment... Unfortunately, sending something to the user and hiding it from them are two conflicting objectives, I have nothing to suggest about it. The only way would be to use server-side encryption, but if you want the user himself to communicate with Facebook (calling the Graph API via Javascript in the browser) then at some point the user will have to have access to this token in the original form.

2 answers

5


Access credentials (passwords, keys, tokens) should never be stored in the source code (hardcoded) but should be part of a configuration file (i.e. data). I don't know Jekyll, but a quick look at the documentation suggests the file _config.yaml (you, who are more familiar with it, should know the most suitable location). The reason is simple: even if you could give your sources complete security, in the event of a breach (break/leak) you would have to modify the program to fix it - instead of tinkering with a single file.

As to keeping this access token confidential, I have some comments:

  • If you are using https, it should be well protected against interception (man-in-the-middle), even in the query string. In general it is not good to put confidential data in the query string (because it may end up in the server logs), but if it is inevitable, at least it is protected by https.
  • If the access token is unique per user (i.e. each user can only misuse their own token) then there is no problem, but if a single token can affect multiple users you should not reveal it. After all, a single malicious user could compromise the security of all the others.
    • The alternative would be to have a server-side script that acts as an intermediary between the client and Facebook. The token in this case would not leave the server.
  • All this assumes that you trust the hosting provider where your code is. If you don't trust it, there's not much you can do about it.

3

Dude, it really is complicated... Because everyone can have access to your Javascript file, so even if you "encrypt" it, you will have to undo the encryption through some function or something of the kind in order to send it to Facebook. In that case the person could go into the function's source code and reverse it to undo the encryption.

Summarizing, you will be doing a job that will not succeed.

One way out is to make a webservice that you access from your JS, and from there you choose what can be accessed.

  • For this case, code obfuscation can be used, which makes things very difficult.

  • @D.Melo Difficult how? It is not trivial to recover the token from the obfuscated code?

  • The code itself is illegible, which makes it difficult to know where the token is. In fact, if it is in javascript there is no way to hide it. Obfuscation would only make things difficult. Although the facebook URL is easy to find.
