WebFaction

Investigating use of the Webfaction API, I was stunned to see that it requires storing the control panel password in clear text. I've read a few justifications as to why this would be OK, e.g. that the entire server would have had to be compromised. Who's to say a future exploit through one unpatched webapp wouldn't allow someone to read your cron table or home directory?

Could Webfaction instead look into making the API more secure by implementing a way to generate application keys for use with the API? Google does something similar. A long lived key can be generated that can be passed to the login method instead of username and password.

Additionally, each key could be locked down to access only a subset of the API functionality. Even if a key to (say) update certificates was compromised, it couldn't be used to delete apps or create additional users.

asked 10 Jan, 02:38

jamesbeard
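As an added illustration of the scheme proposed in the question (this is not WebFaction's API or code; the real login method takes a username and password, and nothing here exists on their side), the following Python sketch models server-side issuance and checking of scoped API keys. The scope names, the method-to-scope table and the `KeyStore` class are all hypothetical. The key handed to the user is a random identifier plus a random secret; only a hash of the secret is kept, so a leaked key table does not yield usable keys, and a key minted for certificate work is rejected when it is presented for an app-deletion call.

```python
"""Model of scoped, long-lived API keys (added example; not WebFaction code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical scope names and method-to-scope mapping; the real API
# exposes no such scopes. Any method missing from this table is denied.
CERT_SCOPE = "certificates"
APP_SCOPE = "apps"
USER_SCOPE = "users"

METHOD_SCOPES = {
    "create_certificate": CERT_SCOPE,
    "update_certificate": CERT_SCOPE,
    "delete_app": APP_SCOPE,
    "create_user": USER_SCOPE,
}


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    secret_hash: bytes      # only the hash of the secret is stored
    scopes: frozenset


class KeyStore:
    """In-memory stand-in for the provider's key table."""

    def __init__(self):
        self._keys = {}

    def issue_key(self, scopes):
        """Create a key limited to `scopes`; the full key is shown once."""
        key_id = secrets.token_hex(8)
        # 256 bits of entropy, so a plain SHA-256 (not a slow password
        # hash) is enough: there is nothing to brute-force offline.
        secret = secrets.token_urlsafe(32)
        record = KeyRecord(
            key_id=key_id,
            secret_hash=hashlib.sha256(secret.encode()).digest(),
            scopes=frozenset(scopes),
        )
        self._keys[key_id] = record
        return f"{key_id}.{secret}"

    def revoke(self, key_id):
        """Revoking one key leaves the account password untouched."""
        return self._keys.pop(key_id, None) is not None

    def authenticate(self, api_key):
        """Return the KeyRecord for a valid key, else None."""
        try:
            key_id, secret = api_key.split(".", 1)
        except ValueError:
            return None
        record = self._keys.get(key_id)
        if record is None:
            return None
        presented = hashlib.sha256(secret.encode()).digest()
        # Constant-time comparison so a wrong secret leaks no timing signal.
        if not hmac.compare_digest(presented, record.secret_hash):
            return None
        return record


def authorize(store, api_key, method):
    """Decide whether `api_key` may call `method`; returns (allowed, reason)."""
    record = store.authenticate(api_key)
    if record is None:
        return False, "invalid key"
    needed = METHOD_SCOPES.get(method)
    if needed is None:
        return False, "unknown method"
    if needed not in record.scopes:
        return False, f"key lacks scope {needed!r}"
    return True, "ok"


def demo():
    """Scenario from the question: a certificate-only key that leaks."""
    store = KeyStore()
    cert_key = store.issue_key([CERT_SCOPE])
    results = {
        "update_certificate": authorize(store, cert_key, "update_certificate")[0],
        "delete_app": authorize(store, cert_key, "delete_app")[0],
        "create_user": authorize(store, cert_key, "create_user")[0],
        "tampered": authorize(store, cert_key[:-1] + "x", "update_certificate")[0],
    }
    store.revoke(cert_key.split(".", 1)[0])
    results["after_revoke"] = authorize(store, cert_key, "update_certificate")[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The key identifier lets the server look up the record without the secret, and the secret itself is what gets hashed; a client such as a certificate-renewal cron job would store only the `key_id.secret` string, which, if stolen, cannot reach `delete_app` or `create_user` and can be revoked on its own.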

These are certainly great ideas and something which would improve the security and usability of the API.

The current version of the API isn't currently structured in a way that would make modular permissions on specific functions feasible. However, I've created an internal ticket for both ideas and passed it along to the development team for consideration. Thanks!

(10 Jan, 08:15) ryans ♦♦

Plus one on this.

Thanks for the API, it's a major step forward in an area where WebFaction was falling behind.

However, I too would welcome more functionality.

I find myself in the position of still needing to use a third-party utility (LetsEncrypt-Webfaction) to generate the certs, just like before the API appeared. With the API, that utility is now more sophisticated and installs the certs itself, yet for me, as an end-user, little has changed.

While the API has reduced the work of WebFaction Support (who no longer need to install certificates) it hasn't automated anything for the security-conscious end user -- they still need to use a third-party utility to generate the certs and cannot automate this without reducing security by leaving plain-text passwords lying around on the server.

It would be great if the API could be leveraged to give the end-user the extra benefit of secure automation through this suggestion. Think of the development effort as a trade-off for the reduced workload you now have in installing certs :-)

(31 Jan, 21:14) JustAnotherWebFactionUser

+1 on this too. That would be great, instead of having a plain password appear inside a file.

I asked the same question a month ago.

(01 Feb, 07:44) nik
© COPYRIGHT 2003-2016 SWARMA LIMITED - WEBFACTION IS A SERVICE OF SWARMA LIMITED