Obfuscate stripe public key slightly to prevent trivial scraping #15

Open
rizend opened this issue Jun 24, 2019 · 6 comments

Comments

@rizend

rizend commented Jun 24, 2019

No description provided.

@marcidy
Contributor

marcidy commented Aug 1, 2019

@rizend I'd like to have this in sooner than later. What do you think the best approach is?

@rizend
Author

rizend commented Aug 2, 2019

I don't think there's any "best" approach; it's kind of a cat and mouse game and may not end up working. Initially, to prevent people just using a regex, I would split the key into multiple pieces, encode it, and obfuscate the Stripe API call. E.g. instead of var stripe = Stripe.setPublishableKey("Hello World!"); maybe var stripe = this[atob("U3Rya"+atob("WEJs"))][atob("YXNldFB1Ymxpc2hhYmxlS2V5").substr(1)](atob(["SGVs", "G8gV29y", atob("R1Fo")].join("b")));

@marcidy
Contributor

marcidy commented Aug 2, 2019 via email

@marcidy
Contributor

marcidy commented Aug 4, 2019

Thinking about this a bit.

How about server-side I send a nonce?

Then the templates can do something like
var stripe = Stripe.setPublishableKey(get_key(nonce))
and I then invalidate that nonce once it is retrieved, which should happen almost immediately?

request page
generate nonce
send page data + nonce
get_key(nonce)
send key
invalidate nonce's ability to retrieve further keys

Will get_key still turn into the private key? I can do the server-side stuff; I just don't know JavaScript well. I can figure it out if there isn't a readily available solution to retrieve data from a thing.

E.g. a route could be automatically created (/"nonce value") which checks if it's ever been hit before and, if so, returns nothing.
I can store the nonce values in the db to see if it had been used before, assuming I use a good enough PRNG, which I guess /dev/urandom would suffice for.
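The single-use nonce flow sketched in the comment above (generate nonce, embed it in the page, redeem it once at /&lt;nonce&gt;, then invalidate), as an added example that is not the project's code; the key value, the route helper names and the in-memory store are placeholders. It also adds an expiry, which the comment does not mention, so an unredeemed nonce cannot be replayed later.

```python
import secrets
import threading
import time

# Placeholder, not a real key (constructed for this example).
STRIPE_PUBLISHABLE_KEY = "pk_test_PLACEHOLDER"
NONCE_TTL_SECONDS = 30  # a page load should fetch its key well within this


class NonceStore:
    """Issue one-time nonces; each nonce returns the key at most once."""

    def __init__(self, ttl=NONCE_TTL_SECONDS):
        self._ttl = ttl
        self._issued = {}  # nonce -> monotonic issue time
        self._lock = threading.Lock()  # the db in the real project

    def issue(self):
        # 256-bit value from the OS CSPRNG (secrets reads /dev/urandom on Linux).
        nonce = secrets.token_urlsafe(32)
        with self._lock:
            self._issued[nonce] = time.monotonic()
        return nonce

    def redeem(self, nonce):
        """Return the publishable key exactly once per nonce, else None."""
        with self._lock:
            issued_at = self._issued.pop(nonce, None)  # pop = invalidate on first use
        if issued_at is None:
            return None  # never issued, or already used
        if time.monotonic() - issued_at > self._ttl:
            return None  # expired before the page asked for it
        return STRIPE_PUBLISHABLE_KEY


def render_page(store):
    """Server side: mint a nonce and embed it in the page instead of the key."""
    nonce = store.issue()
    html = '<script>var stripe = Stripe.setPublishableKey(get_key("' + nonce + '"))</script>'
    return {"html": html, "nonce": nonce}


def get_key_route(store, nonce):
    """Handler for /<nonce>: key on the first hit, empty body afterwards."""
    key = store.redeem(nonce)
    return (200, key) if key else (404, "")
```

A regex over the HTML no longer finds the key, but a client that executes the page (or fetches the route itself) still gets it once per page load, which is the limitation the later comment about front-end-generated requests points at.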

@marcidy
Contributor

marcidy commented Aug 4, 2019

I'm going to restart the discussion on the attackers on the infrastructure repo. I think at a minimum we need fail2ban or similar no matter what. But it seems like they can just access the Stripe front-end values. Looking at the logs, I think the requests are being generated via the front-end on our servers, not just curl requests with the harvested public key. Wasn't clear last time since we didn't have ratchet logs.

@marcidy
Contributor

marcidy commented Aug 4, 2019

Nonce thing implemented in #34 while pending reCaptcha and fail2ban. Will lexically obfuscate after testing this method, as that will now be easier to do as well.
