Author

Topic: API keys and How to handle its security (Read 58 times)

member
Activity: 147
Merit: 21
December 12, 2022, 09:45:36 AM
#1
Hey guys, here is an article summary about the security of API keys and how should a trading platform handle the API key security. You can find the source of the article here.

One important aspect of a trading platform is how it handles your API keys, which are used to connect your trading platform to your exchange account.

Is it safer to install the trading software on your PC or have it run in the cloud?

Installing software on your PC at home and whitelisting the IP, is only as secure as your home network. Those, mind you, are being breached orders of magnitude more often than cloud servers networks. Not to mention the potential of downloading and installing malicious software right off the bat.

So, the real question is how many and how strong “barriers” are between your API Key/Secret and a potential party with bad intentions?

Cloud servers are typically more secure than home networks, as they are subject to regular security audits and updates. Additionally, cloud-based software is generally easier to keep up-to-date and secure, as updates are managed by the cloud provider. However, it’s still important to choose a reputable cloud provider and to use best practices for securing your API keys, regardless of whether the software is running on your home PC or in the cloud.


How does cleo.finance(A trading platform) store API and Secret keys?

• Main servers manipulating any sensitive data are not visible to the outside network at all
• Your API key/secret is not stored in a single database but is stored in 3 different places, each with separate hardware and software security protections
    o The attacker would have to breach all 3 to get access to the Encrypted version of API key/secret – which wouldn’t help them all
• Those sensitive data are encrypted with arguably the most modern and secure 256-bit encryption protocol
    o Brute-force decrypting of the data from a single database with current technology would take longer than the age of our universe.
• cleo.finance cloud hardware is distributed and the software is up-to-date with the most recent security updates



What can I do to increase the security of my funds if I want to use third-party software?

1. Watch out for phishing schemes

To prevent and identify phishing scams, you should be cautious when clicking on links or opening attachments in emails, even if the email appears to be from a legitimate source. You should also be wary of providing personal information, such as passwords or credit card numbers, on unfamiliar websites.


2. Whitelisting IP addresses can help to increase the security of your funds when using any third-party software.

By limiting access to your exchange account only to known IP addresses, you can prevent a significant amount of unauthorized access attempts. However, for trading platforms serving thousands of users, such as cleo.finance, exposing the IP addresses of trading servers is a security and scalability issue on its own.


3. Allow only necessary access to your exchange account in the API key permission settings

You can grant read + trading access, which allows the platform to view your account information and execute trades but not withdraw funds. It’s important to never allow withdrawals, as this can leave your funds vulnerable to unauthorized access.




4. Limit the number of third-party services you use and use a different API key for each of them.

The more services you connect to your exchange account, the more potential vulnerabilities there are. By limiting the number of services you use, you can reduce the potential for unauthorized access to your account. Using different API keys for each of them can help figure out where the breach is coming from.


5. Regularly update your API keys


By deleting old API keys and creating new ones, you can ensure that your exchange account remains secure. This is particularly important if you suspect that one of your API keys has been compromised. By regularly updating your keys, you can prevent unauthorized access to your account and keep your funds safe.

Jump to: