Hello, all! I am studying the docs for the v2.0 XML API, and just realized that it has no authentication.
In the v1 API, it looks like you can set the password for the API, but the system doesn’t actually appear to require that you provide the password anywhere else, so I’m not sure what this is for. In v2 meanwhile, it’s ambiguous whether the password is for the API or the web UI.
There needs to be encryption here, too. Since the risk is an attacker having access to the network, having only a password means the attacker just has to use a packet sniffer to get the password, which is trivial. A password alone is no more secure than an unprotected network: encryption is needed to prevent attackers from sniffing the password. In other words, both a password and encryption are necessary, but neither by itself is sufficient. Both are needed.
So, I have 2 questions:
1. In the v2 API, will setting the password set the password for the web UI, or the API? If the API, when and how must the client supply the password to authenticate?
2. Will the v2 API be encrypted, such as with SSL/TLS?
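To make the sniffing point above concrete, here is an added example (my own illustration, not code from the original post or from the product being discussed). It takes a constructed capture of one cleartext HTTP request to a hypothetical XML API and pulls the password out of it the way a passive observer on the same network would. The host, paths, XML element names and credentials are all made up for the illustration; the actual v1/v2 API format is not known from the post.

```python
import base64
import re
from xml.etree import ElementTree as ET

# Constructed sample: the bytes a passive sniffer would see for one cleartext
# POST to a hypothetical v2 XML API. The host, path, element names and
# credentials are invented for this example; they are not the real API.
XML_BODY = (
    b'<?xml version="1.0"?><request><auth><user>admin</user>'
    b"<password>hunter2</password></auth><cmd>status</cmd></request>"
)
CAPTURED_V2_REQUEST = (
    b"POST /api/v2/ HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Authorization: Basic " + base64.b64encode(b"admin:hunter2") + b"\r\n"
    b"Content-Type: application/xml\r\n"
    b"Content-Length: " + str(len(XML_BODY)).encode() + b"\r\n"
    b"\r\n" + XML_BODY
)

# Constructed sample of a hypothetical v1-style request that carries the
# password in the query string instead of the body.
CAPTURED_V1_REQUEST = (
    b"GET /api/v1/?cmd=status&password=hunter2 HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"\r\n"
)

SECRET_NAME = re.compile(r"pass|pwd|token|secret|key", re.IGNORECASE)


def split_http_request(raw):
    """Split a raw HTTP/1.1 request into (request line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def extract_credentials(raw):
    """Return (location, secret) pairs readable from one cleartext request.

    Nothing here breaks any cryptography: without TLS the bytes are simply
    on the wire, whether the password rides in a Basic header, a query
    parameter or an XML element.
    """
    found = []
    request_line, headers, body = split_http_request(raw)

    # 1. HTTP Basic auth: base64 is an encoding, not encryption.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        found.append(("Authorization header",
                      base64.b64decode(auth[6:]).decode("utf-8")))

    # 2. Secrets passed in the URL query string.
    parts = request_line.split(" ")
    path = parts[1] if len(parts) > 1 else ""
    if "?" in path:
        for pair in path.split("?", 1)[1].split("&"):
            key, _, value = pair.partition("=")
            if SECRET_NAME.search(key):
                found.append(("query parameter %s" % key, value))

    # 3. Secrets inside an XML body: walk every element and match its tag.
    if headers.get("content-type", "").startswith("application/xml") and body:
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            root = None
        if root is not None:
            for element in root.iter():
                if element.text and SECRET_NAME.search(element.tag):
                    found.append(("XML element <%s>" % element.tag,
                                  element.text))
    return found


def scan_capture(requests):
    """Run extract_credentials over every request in a captured stream."""
    results = []
    for raw in requests:
        results.extend(extract_credentials(raw))
    return results


if __name__ == "__main__":
    for where, secret in scan_capture([CAPTURED_V2_REQUEST, CAPTURED_V1_REQUEST]):
        print("%-28s %s" % (where, secret))
```

The same requests sent over TLS would show the sniffer only the TCP/IP headers and an opaque encrypted record; the request line, headers and XML body would all be unreadable. That is the gap the password setting alone cannot close.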