ID:1830955
 
I've decided to alter a "plugin" I've made for BYOND and altered some things to work more like an API.

Here is a snippet for testing. Of course the "Plugin" is faster since it's on your system, but you can use the "API" in anything without the plugin.


Example:

#define API_KEY "4lvx237efi923x120"

#define API_PROTOCOL "byond://"
#define API_URL "208.73.201.205"
#define API_PORT "1"
#define API_CONNECTION API_PROTOCOL+API_URL+":"+API_PORT
// Sends the request to the remote server; the params (including the hash input) travel as a query string
#define API_EXECUTE(API_PARAMS) world.Export(text("[]?[]&apikey=[]",API_CONNECTION,API_PARAMS,API_KEY))

proc
    // Each proc forwards its first argument, URL-encoded, to the remote hashing service
    SHA1() return API_EXECUTE("action=encrypt&method=sha1&string=[url_encode(args[1])]")
    SHA224() return API_EXECUTE("action=encrypt&method=sha224&string=[url_encode(args[1])]")
    SHA256() return API_EXECUTE("action=encrypt&method=sha256&string=[url_encode(args[1])]")
    SHA384() return API_EXECUTE("action=encrypt&method=sha384&string=[url_encode(args[1])]")
    SHA512() return API_EXECUTE("action=encrypt&method=sha512&string=[url_encode(args[1])]")

mob/verb/Test()
    src<<SHA1("sha1")
    src<<SHA224("sha224")
    src<<SHA256("sha256")
    src<<SHA384("sha384")
    src<<SHA512("sha512")

mob/verb/Check_Usage()
    var/uses=API_EXECUTE("action=checkusage")
    src<<"This API has been called [uses] times for your api key!"


Since this communicates with a remote server and gets a return value, the API is a bit slower.

The remote server has all the plugins required, so the snippet is just plug n' play like stuff.
GatewayRa wrote:
The second concern is security. There's no secure connection being established. People would also have to trust you not to log the information being sent.

Even if I logged the information, it would be sent only from an address that the world is hosted at.

At most, I get nothing out of it. If the string "a golden goblin" was parsed, all I'll get is the hash for it since it's the only value being passed through. Not much to go off of on this.


The only security concern would be for people towards the developers using the API, since they can manipulate whatever data they get; my end is totally clear.
GatewayRa wrote:
The second concern is security. There's no secure connection being established.

That would be a limitation on BYOND's part, not the OP's.
Overall, a .dll handles the request on a remote server and sends back the hash.


Plugin Approach:
> String Entered
> String Passed through .dll
> .dll returns hash
> display hash in BYOND

API Approach:
> String Entered
> String Passed through Export()
> String picked up through Topic() on remote server
> Remote Server passes string through .dll
> .dll returns string back to Remote Server
> Remote server returns string back to calling server
> Calling/Original server displays hash
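As an added example (not code from the original post or from the plugin), this Python mirrors what API_EXECUTE and the SHAxxx() procs put into the request, shows which query fields are readable by anyone who can see the unencrypted byond:// request, and computes the same digest locally with hashlib so the input never leaves the machine. Python's quote() is assumed to behave like DM's url_encode() for these inputs.

```python
"""Added example: models the snippet's API_EXECUTE request and the local alternative."""
import hashlib
from urllib.parse import parse_qs, quote, urlsplit

# Values copied from the snippet above.
API_KEY = "4lvx237efi923x120"
API_CONNECTION = "byond://" + "208.73.201.205" + ":" + "1"

# Methods exposed by the SHAxxx() procs; hashlib knows them under the same names.
SUPPORTED = ("sha1", "sha224", "sha256", "sha384", "sha512")


def build_api_request(method: str, string: str) -> str:
    """Mirror of API_EXECUTE + SHAxxx(): the hash *input* is a query parameter,
    so the remote end receives the plaintext, not a hash.
    (quote() stands in for DM's url_encode(); assumed equivalent here.)"""
    params = f"action=encrypt&method={method}&string={quote(string, safe='')}"
    return f"{API_CONNECTION}?{params}&apikey={API_KEY}"


def fields_on_the_wire(url: str) -> dict:
    """Everything an observer of the unencrypted request can read back:
    the action, the method, the plaintext string and the API key."""
    query = urlsplit(url).query
    return {key: values[0] for key, values in parse_qs(query).items()}


def local_digest(method: str, string: str) -> str:
    """The same digest computed in-process; nothing is transmitted."""
    if method not in SUPPORTED:
        raise ValueError(f"unsupported method: {method}")
    return hashlib.new(method, string.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    url = build_api_request("sha256", "a golden goblin")  # constructed sample input
    print("request :", url)
    print("visible :", fields_on_the_wire(url))
    print("local   :", local_digest("sha256", "a golden goblin"))
```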
I'm curious why you'd use another remote server for the API approach. If you're trying to avoid using a dll, you could just grab the data from a php script.

i.e. https://www.immortal-phoenix.com/scripts/hash.php?q=sha256&string=hash_me

It just seems troublesome to rely on a remote BYOND server for this. I'd rather use a dll or pass as a query string like this. I'd imagine javascript is another option, although less reliable.

Just curious as to why you did it that way is all. I'm in no way an expert by any means.
In response to Lavitiz
Lavitiz wrote:
I'm curious why you'd use another remote server for the API approach. If you're trying to avoid using a dll, you could just grab the data from a php script.

i.e. https://www.immortal-phoenix.com/scripts/hash.php?q=sha256&string=hash_me

It just seems troublesome to rely on a remote BYOND server for this. I'd rather use a dll or pass as a query string like this. I'd imagine javascript is another option, although less reliable.

Just curious as to why you did it that way is all. I'm in no way an expert by any means.

I'm also not an expert on the subject but I'd think javascript is better because it's local, I don't see why it would be less reliable.

I also don't exactly understand how we can trust anyone with hashes; you run the code or the API, but the actual DLL is hidden to you, and for all you know it's logging all the strings sent to the API.

It defeats the purpose of using 'secure' hashes if there are any risks at all.

I really don't understand why it can't be as simple and transparent as this library which also includes the source code of the attached dll.
Javascript sounds like the best option in my opinion, however you'd run into problems if for whatever reason javascript is disabled.
GatewayRa wrote:
Having the value fetched client-sided via javascript would probably open a full door of exploits.

I didn't even consider what could happen due to js being client side. ATHK mentioned this to me earlier.

Sounds like using your own DLL is the best option. The library Rotem linked works well and is open source.

I do have another question though. If I sent a raw password string to a web server to have it hashed, and I have an SSL cert installed and configured properly, can anyone see the data being sent? Is that not safe at all due to the fact that it's simply transmitted over the internet without being hashed beforehand?

Do not send plain-text over HTTP to hash it.
Do not use a disreputable cryptography library that you didn't compile yourself.

And Ssj4justdale, still waiting on that source release for your Crypto SHA library.
GatewayRa wrote:
he wouldn't even have needed a dll in the first place, because he'd have known the algorithm enough to implement it inside of DM.

No hashing cryptography that is designed to take CPU time should be written in DM as it'd add needlessly to CPU cycles required to make said hash.

His HTTP API is bad, and a closed source DLL is bad, but I certainly wouldn't mind a nice opensource DM wrapper library for Crypto++ or w/e other crypto library.