predictionio-user mailing list archives

From Gustavo Frederico <gustavo.freder...@thinkwrap.com>
Subject Re: Existing javascript SDK for PredictionIO (0.10) ?
Date Mon, 10 Apr 2017 15:55:56 GMT
I understand the concern. I suppose back-end integration will be more
expensive in general, and that can also be taken into account. Chapter 25
of the Recommender System Handbook edited by Ricci, Rokach, Shapira and
Kantor is about security. I haven't had a chance to read it yet.

Gustavo


On Mon, Apr 10, 2017 at 11:50 AM, Pat Ferrel <pat@occamsmachete.com> wrote:

> Yes, this will limit what the malicious agent can do. They can only write
> certain spurious event types to your EventServer. So basically anything the
> client can write, a malicious agent can write. We rely on this being highly
> unlikely. It is a type of “security by obscurity”.
>
> When using PIO from an application server there is no way for a malicious
> agent to get your access key and the client does not need to provide it,
> only your app server. So I always recommend this approach where possible.
>
>
> On Apr 10, 2017, at 8:32 AM, Donald Szeto <donald@apache.org> wrote:
>
> You can also create access keys for existing apps that have write
> permissions to certain event names only. It is useful for client side event
> collection, and is how some major analytics vendor JS SDKs limit client
> side keys from polluting your event log.
>
> Please take a look at `pio help accesskey` for details.
>
> On Mon, Apr 10, 2017 at 8:13 AM Pat Ferrel <pat@occamsmachete.com> wrote:
>
>> Using Javascript from the client is a problem because you will make it
>> possible for some malicious agent to see your access key by examining your
>> client code. Although PIO supports SSL, it does not have an authentication
>> mechanism, so a malicious agent could use this access key to screw up your
>> data.
>>
>> It is only safe to have PredictionIO accessed from a trusted application
>> server, not a client. So though there may be android (Java), iOS, and
>> Javascript SDKs please be aware of the security implications of connecting
>> from mobile devices or browsers.
>>
>>
>>
>> On Apr 10, 2017, at 5:43 AM, Mohamed Zouga <mohamed@wizacha.com> wrote:
>>
>> This code seems like a good start indeed. Is this somewhere on GitHub, so
>> I could add some additional stuff or even some modifications?
>>
>> 2017-04-10 14:32 GMT+02:00 Gustavo Frederico <gustavo.frederico@thinkwrap.com>:
>>
>> You can use this as a starting point.
>>
>> Gustavo
>>
>> [...]
