Hello, world
So, we’re all really excited for the GW2 APIs to be up. As a gesture of my gratitude to the devs, I’d like to share some technical points to consider when working with with ’dem shiny new endpoints.
Note: There is a lot more to Internet security that is outside the purpose of this post. For a really in-depth look into HTTPS, see Apple’s TN2232
HTTPS vs. HTTP
At its very basic, HTTPS is your average HTTP protocol placed over a layer of encryption. Encryption is done through SSL/TLS.
When connecting to a server via HTTPS, the protocoal expects the server to eventually provide a public key certificate. This certificate contains identity information, which can be evaluated by the client to verify that the server is really who it says it is.
Taking the server’s word for it
But that’s just half of the story. Just because a server claims to be api.guildwars2.com, doesn’t mean you can just take its word for it. Rather, public key certificates rely on a chain of trust, wherein another authority vouches for the server’s identify.
Note: Humans have agreed to, and have put collective faith in, a select group of authorities. This is a (somewhat) manual process; this is what VeriSign is often known for.
How to break the Internet
I’m going to guess that a good way to undermine ArenaNets’ support & proliferation of a public REST API is to have 100s of community projects sharing code that talk to their service without any checks and balances.
Pinning your hopes, dreams, and cert
As an alternative to blindly tossing away any attempt at security a server will throw back at your client, there is something called cert pinning.
What is cert pinning? Well, remember when you were ten years old and you would make those soup can telephones? Unlike a normal telephone, these soup cans could only communicate across a single line, and the person you talked with was probably someone you knew physically. These soup cans established not only a secure connection, but a sort of specialized connection, across a single line of communication.
A popular iOS networking library, AFNetworking, does a really great job at explaining the benefits of cert pinning:
Relying on the CA trust model to validate SSL certificates exposes your app to security vulnerabilities, such as man-in-the-middle attacks. For applications that connect to known servers, SSL certificate pinning provides an increased level of security, by checking server certificate validity against those specified in the app bundle.
SSL with certificate pinning is strongly recommended for any application that transmits sensitive information to an external webservice.
Plus, it’s all the rage.
How to pin
If your preferred networking library doesn’t include cert pinning out-of-the-box, you can always hack it in to your project anyways. The site is a little slow, but this page has some pretty good examples for various platforms and languages.
end communication
