Thread: filicio.us and secret keys

Replies: 6 - Last Post: Feb 11, 2009 12:33 PM by Daniel Drucker
Daniel Drucker

Posts: 85
Registered: 3/19/06
filicio.us and secret keys
Posted: May 7, 2006 2:53 PM PDT

filicio.us , a file hosting service based on S3, operates in the following way:

1. Ask user for their Access Key ID and Secret Access Key
2. create a bucket using the user's access key and secret key
3. grant filicio.us read/write access to said bucket
4. discard user's access key and secret key
5. perform all further operations using filicio.us's credentials

They seem to think that this is a great idea. On their "about" page (http://filicio.us/s3/about), they're basically telling their users "trust us with your secret key, we won't keep it/do anything with it".

This, to me, seems like the number-one S3 no-no. You should never have to give your secret key to anyone, and I think it needs to be made clear to service providers that this is the WRONG way to use S3. Am I crazy, or is filicio.us doing something very dangerous here?


It seems to me that there should be some way of allowing the user to perform step 3, much in the way Flickr does. That is, something like the following:

1. user tries to sign up at filicio.us
2. filicio.us requests permissions for a bucket on your behalf
3. your browser is redirected to aws.amazon.com
4. you give permission
5. you are redirected back to filicio.us

This way, the service can operate without your secret key ever being shared.

Michael Fisher

Posts: 40
Registered: 3/27/06
Re: filicio.us and secret keys
Posted: May 7, 2006 4:24 PM PDT   in response to: Daniel Drucker

This is an egregious security failure.

There are a number of alternative mechanisms by which this could be avoided. They could, instead of asking for your secret key, ask for a properly formatted request with an authentication signature. Such a signature could be derived by either a separate application that they develop (least preferable), an application provided by an independent commercial third party (more preferable), or an application with source vetted by S3 developers (most preferable).
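As an added illustration of what the first post's steps 2 and 3 and the signed-request idea above look like when the user does them locally (example code, not from the thread, from filicio.us or from Amazon): the user's own tool builds the legacy S3 REST signature (HMAC-SHA1 over the StringToSign, sent as `AWS AccessKeyId:Signature`) for a bucket creation and for a bucket ACL grant to the service's canonical user, so only signed requests and a grant are ever handed over. All key values and canonical user IDs are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed placeholder credentials; the secret is only ever used on the user's side.
ACCESS_KEY_ID = "AKIAEXAMPLEUSERKEY"
SECRET_KEY = "example-secret-that-never-leaves-this-machine"
USER_CANONICAL_ID = "1" * 64     # placeholder canonical user id of the bucket owner
SERVICE_CANONICAL_ID = "2" * 64  # placeholder canonical user id of the hosting service


def string_to_sign(verb, resource, date, content_type="", content_md5=""):
    """Legacy S3 REST StringToSign: verb, Content-MD5, Content-Type, Date, resource."""
    return "\n".join([verb, content_md5, content_type, date, resource])


def sign_request(verb, resource, date, content_type="", content_md5=""):
    """Return (StringToSign, Authorization header). Only the HMAC leaves the machine."""
    sts = string_to_sign(verb, resource, date, content_type, content_md5)
    digest = hmac.new(SECRET_KEY.encode(), sts.encode(), hashlib.sha1).digest()
    return sts, "AWS %s:%s" % (ACCESS_KEY_ID, base64.b64encode(digest).decode())


def acl_policy_xml(owner_id, grantee_id, permissions=("READ", "WRITE")):
    """AccessControlPolicy body: owner keeps FULL_CONTROL, grantee gets READ/WRITE."""
    def grant(cid, perm):
        return ('<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
                'xsi:type="CanonicalUser"><ID>%s</ID></Grantee>'
                '<Permission>%s</Permission></Grant>' % (cid, perm))
    grants = grant(owner_id, "FULL_CONTROL") + "".join(grant(grantee_id, p) for p in permissions)
    return ('<AccessControlPolicy><Owner><ID>%s</ID></Owner>'
            '<AccessControlList>%s</AccessControlList></AccessControlPolicy>' % (owner_id, grants))


def delegate_bucket(bucket, date):
    """Steps 2 and 3 of the flow, run by the user: create the bucket, then grant the
    service access to it. Returns the two signed requests; no secret is included."""
    create_sts, create_auth = sign_request("PUT", "/" + bucket, date)
    acl_sts, acl_auth = sign_request("PUT", "/%s?acl" % bucket, date)  # ?acl is a sub-resource
    body = acl_policy_xml(USER_CANONICAL_ID, SERVICE_CANONICAL_ID)
    return [
        {"verb": "PUT", "resource": "/" + bucket, "string_to_sign": create_sts,
         "headers": {"Date": date, "Authorization": create_auth}, "body": ""},
        {"verb": "PUT", "resource": "/%s?acl" % bucket, "string_to_sign": acl_sts,
         "headers": {"Date": date, "Authorization": acl_auth}, "body": body},
    ]


if __name__ == "__main__":
    for req in delegate_bucket("example-hosting-bucket", "Sun, 07 May 2006 21:53:00 GMT"):
        print(req["verb"], req["resource"], req["headers"]["Authorization"])
```

Because the Date header is part of the StringToSign, a handed-over signed request is only usable for the one request it was signed for, which is the property the secret key itself lacks.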



Dave Barth


Posts: 114
Registered: 2/10/06
Re: filicio.us and secret keys
Posted: May 8, 2006 12:54 PM PDT   in response to: Michael Fisher

Hello,

We have seen filicio.us and, while the goal of the app is good, there are some security issues with the registration. We also recognize that this is an example of our developer community being creative in addressing use cases for which we do not yet offer good native support.

We are going to put together a small application to enable end-users to create a bucket and give another application permission to access their bucket. This application will be a stopgap until we have a longer-term (and more user friendly) mechanism in place.

thanks,

dave



steffentchr

Posts: 1
Registered: 5/8/06
Re: filicio.us and secret keys
Posted: May 8, 2006 1:47 PM PDT   in response to: Daniel Drucker

First of all, I'll introduce myself as one of two developers at filicio.us and thank you guys for your interest.

I fully agree with Daniel (as we've emailed privately about) that us asking for secret keys is not an ideal situation. From the perspective of security I can assure that we're not storing the secret key, so I wouldn't characterize it as dangerous, but I'd much prefer a flickr-like solution such as the one Daniel suggests. This would solve many of the security problems -- something that isn't really addressed by the third-party programs suggested in the second reply. Filicio.us isn't alone in asking for secret keys though; plenty of S3 applications require giving up the secret, and I see no real reason to trust desktop applications more than web services (at least when we're open about ourselves and who we are...).

I should also note that the current functioning of filicio.us is inhibiting our growth potential: prospective users are reluctant to give over their secret keys, and it's a very complicated step to take for non-experienced users, even if our service combined with S3 provides a good, cheap, and stable alternative to other file storage services. (This problem persists to some degree even with a signing mechanism, so we've also suggested adding means of tracking per-bucket usage. This would provide us with a simple means of billing the non-experts ourselves and thus bring down some of the complexity of signing up for filicio.us.)

bizwiz4ever

Posts: 2
Registered: 4/26/06
Re: filicio.us and secret keys
Posted: May 10, 2006 7:52 PM PDT   in response to: steffentchr

I think the problem stems from two lacking features in S3.
1) lack of ability to track usage per bucket/object.
2) limiting the number of buckets per account.
A third, less serious, but still annoying issue is the global nature of bucket names.

Without solving 1 and 2, a third party "vendor" will not be able to practically offer storage solutions based on S3 without asking for the end-user's account information.

Daniel Drucker

Posts: 85
Registered: 3/19/06
Re: filicio.us and secret keys
Posted: Aug 21, 2007 5:53 AM PDT   in response to: bizwiz4ever

More than a year later, filicio.us is still operating in this manner.

Daniel Drucker

Posts: 85
Registered: 3/19/06
Re: filicio.us and secret keys
Posted: Feb 11, 2009 12:33 PM PST   in response to: Daniel Drucker

I thought I'd point out that it's now been 3 years since this thread, and filicio.us is still doing this...
