Thanks for the replies. I thought the answer was no.
Vincent

On Wed, May 5, 2010 at 7:48 PM, Tim Chase <python.l...@tim.thechases.com> wrote:

> On 05/05/2010 08:12 PM, Vincent Davis wrote:
>
>> I can't think of a way to do this, not sure it is possible but I feel as
>> though I might not know what I don't know.
>>
>> I want to share an example of a Python script. To run, it needs a Google
>> username and password. Is there a way for me to encrypt my username and
>> password in the source code?
>>
>
> No-ish.  You can encrypt it, but if you encrypt it, you need to include the
> keys or algorithm for decrypting it, and all it takes is a pdb.set_trace()
> before the decrypted uname/pwd get sent to Google to get it, and poof all
> your encryption/decryption has been in vain:
>
>  uname = SUPER_ENCRYPTED_USER
>  pwd = SUPER_ENCRYPTED_PASSWORD
>  u = secret_decrypt(uname)
>  p = secret_decrypt(pwd)
>  # regardless of how good the stuff above is
>  # you're vulnerable right here:
>  # print "%r %r" % (u, p)
>  do_google_stuff(u, p)
>
> Unless the Google API you're using allows for chain-of-authority creation
> of sub-credentials (so your account creates secondary accounts that are then
> distributed in your code/config files and managed via your dev login), two
> possibilities that come to mind:
>
> 1) put in a bogus uname/password and make them get their own Google login
> to put in (which can be done in a config file if they're squeamish about
> editing source code).  This assumes that any arbitrary Google login can grant
> access to what you want (sometimes this is a developer key, in which case
> the user would need to get their own dev key).
>
> 2) create a web-service on a server somewhere that has your credentials,
> but your distributed code merely hits this web service instead of having
> your actual credentials in the source (plain-text or encrypted).  The server
> would have them (I'd just put them in plain-text -- no need to be fancy.  If
> you can't trust your hosting service, don't use them) but you wouldn't
> expose the credentials outside the application.
>
> -tkc
>
Vincent Davis
720-301-3003
vinc...@vincentdavis.net
my blog <http://vincentdavis.net> | LinkedIn <http://www.linkedin.com/in/vincentdavis>
-- 
http://mail.python.org/mailman/listinfo/python-list
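
Option 1 from the quoted reply (ship bogus values and have each user put their own Google login in a config file), as an added example that is not part of the original thread. The file location, the `[google]` section name and the placeholder strings are assumptions made for illustration.

```python
import configparser
import os
import stat

# Hypothetical bogus values shipped in the sample config that accompanies the script.
PLACEHOLDERS = {"", "YOUR_GOOGLE_USERNAME", "YOUR_GOOGLE_PASSWORD"}


class CredentialError(Exception):
    """Raised when the config file is unsafe, malformed or still holds placeholders."""


def load_credentials(path):
    """Return (username, password) read from an INI file kept outside the source."""
    st = os.stat(path)
    # On POSIX, refuse a file that group or other users can access.
    if os.name == "posix" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialError("%s must be readable by its owner only (chmod 600)" % path)
    # interpolation=None so a '%' inside a password is taken literally.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read(path)
        user = parser["google"]["username"].strip()
        password = parser["google"]["password"]
    except (KeyError, configparser.Error) as exc:
        raise CredentialError("bad config %s: %s" % (path, exc))
    if user in PLACEHOLDERS or password in PLACEHOLDERS:
        raise CredentialError("edit %s and put in your own Google login" % path)
    return user, password


if __name__ == "__main__":
    cfg = os.path.expanduser("~/.example_script.ini")  # hypothetical location
    try:
        u, p = load_credentials(cfg)
    except (OSError, CredentialError) as err:
        raise SystemExit("credentials not loaded: %s" % err)
    print("loaded credentials for", u)  # the password is never printed
```
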
