wyDay blog  |  Downloads  |  Buy
Support forum
wyDay blog
wyDay Home

wyDay blog

March 26th, 2019

Roughly a year ago we made a change to how the LimeLM web API functioned. We changed the behavior from allowing API calls to originate from any device anywhere in the world, to only allow 1 device to use an API key. We did this for security reasons, which I'll explain in-depth in a moment. But the side-effect was that this made our web API harder to use.

And we didn't make this change blindly. We knew that this change would both increase our customer's data security but it would do it at the expense of their ability to easily use our API.

Naturally, this caused outrage among some of our customers. Both because we made this change and because we made the change rapidly (over the course of about 2 weeks with short notice).

What our API does, and why we changed enforcement

LimeLM is our software licensing product. Companies integrate our components and libraries into their software so they can sell their software accurately to their end-customers. After a company integrates our components into their software, the typical workflow looks something like this:

  1. An end-customer buys the software from the company.

  2. The company sends them a product key.

  3. The end-customer activates the software to that device using that product key. (Locking it to the device).

None of those steps requires using the LimeLM web API, but you could use the web API in step 2 to automate the product key generation.

Since the launch of LimeLM about a decade ago we've always told customers to treat the LimeLM API key as a password and never embed the key in any apps or client-side JavaScript. We started with a big warning directly under the API key on the settings page (which is still there), and more recently we've added a full article devoted to account security.

Needless to say, many customers outright ignored this advice. Some were just careless with their API key and included them in public repositories and scripts accessible from outside their companies. Some just deliberately ignored our advice and embedded their web API key directly inside their apps that they gave to their customers. Thereby giving everyone with access to their app-binary access to their LimeLM account.

Enforcing the rule: limiting API keys to a single IP address

The proverbial straw that broke the camel's back for this whole situation was when we saw unusually high web API usage from a particular web API key. It turns out this customer (a large software company) had embedded their web API key directly in their app. We investigated the abnormal API key-usage and saw that the key was being used from all over the world. It didn't look like this customer's data was being leaked, but there was so much noise in the data that we could not tell.

We immediately told them what we saw, re-iterated that a web API key should never be embedded inside code that runs on the end-user's computer, and we invalidated that API key.

Then we kept digging. And over a short period of time we saw some of our other customers making the same mistake. We notified them as well, blocked those API keys, and quickly implemented a 1-ip address per API key rule. And that's where we've been for the past year or so.

A slightly more flexible future

In the near future (after we get out some higher-priority releases) we're going to make the web API key usage slightly more flexible. Namely, we'll allow an API key to be used from 3 to 4 IP addresses in the period of 72 hours. Meaning if you have a small pool of servers that uses static IP addresses this upcoming change will make things easier for you.

In the meantime these customers can create a new user (and thus new web API key) for every separate static IP address they need to use.

We will never allow more than a handful of IP addresses to use any single web API key. Some have requested we enable a range of IPs that include whole services (e.g. AWS). We will never do that. All modern services offer static IP addresses for all of their services. Even so-called "serverless" servers (like AWS lambda or Azure cloud functions) have options to use static IP addresses. Google the particulars for your web-host of choice.

In the coming months we'll make a few separate product announcements that will eliminate the need for most common web API calls in the first place. Thus eliminating these problems (and the need for separate servers) altogether. These solutions will be rolled out gradually.

Why do we care?

Why do we bother implementing any limit at all? It pisses-off some of our customers and it scares away other customers. The reason we do it is simple: we're responsible for your customers' data. Yes, these people are not our customers. But their data is in our servers and we need to ensure that that data is only transmitted to trusted end-points. By limiting API calls from a select number of IP addresses this forces you, as our customer, to consider your customers' data safety and to properly implement data collection and transmittal.

Or, to put it another way: we actually take security seriously. So rather than implementing terrible security and writing a tepid PR-apology when data leaks, we're proactive and go out of our way to ensure data doesn't leak. It's hard work and it sometimes requires usability trade-offs, but it's what a serious software company should do. Namely, take data security seriously in the first place.

It's not a perfect solution, but it's a better solution than telling our customers to do things correctly (and hope & pray they do). How do we know? Because we tried that and a large number of our customers ignored us.

If you have questions, comments, or complaints about this policy shift, then feel free to comment down below.

- Wyatt O'Day
Founder & CEO of wyDay

Subscribe to our blog's RSS Feed or follow Wyatt (CEO of wyDay) on Mastodon (@wyatt@hachyderm.io) to keep up-to-date with our latest posts.