Ask HN: Am I paranoid or is Mailchimp lax about API security? - eliot_sykes

I'm using Mailchimp's API and found that the API key is transmitted over HTTP for many accounts. For example, the accounts that use the WordPress plugin Mailchimp distributes.

The API key gives you access to all mailing lists in that account.

I mentioned this to Mailchimp as a security concern, but their representative didn't seem worried.

I'll be using SSL, however am I being paranoid, is this just not something to lose sleep over?

For more background, here's the discussion I had with Mailchimp support:
http://groups.google.com/group/mailchimp-api-discuss/browse_thread/thread/a868a0f48e309930/7886904dd01ad640
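The risk the question describes is an API key that travels in cleartext because the client was pointed at an `http://` endpoint. One defensive control a practitioner can put in their own integration is a client-side guard that refuses to attach the key unless the transport is TLS, plus a small audit over the endpoints a plugin or config file has been given. The code below is an added example written for this thread; it is not Mailchimp's client, plugin or API. The endpoint URLs, the `X-Api-Key` header name and the key value are constructed placeholders.

```python
"""Refuse to send an API key over plaintext HTTP, and audit configured endpoints.

Added example, not Mailchimp's code. Endpoint URLs and header name are assumptions.
"""
from urllib.parse import urlsplit


class PlaintextTransportError(ValueError):
    """Raised when a secret would be sent over an unencrypted transport."""


def check_endpoint(url: str) -> str:
    """Return `url` unchanged if its scheme is https, otherwise raise.

    Scheme is compared case-insensitively, and a scheme-relative URL
    ("//host/path") is rejected too: many HTTP libraries silently treat
    those as plain http, which is exactly the failure mode in question.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme != "https":
        raise PlaintextTransportError(
            f"refusing to send API key over {scheme or 'unknown'}://{parts.netloc}"
        )
    return url


def audit_endpoints(urls):
    """Split configured endpoints into (tls_ok, plaintext) lists.

    Useful for checking the base URLs a plugin or settings file has stored
    before any key is ever handed to them.
    """
    tls_ok, plaintext = [], []
    for url in urls:
        try:
            tls_ok.append(check_endpoint(url))
        except PlaintextTransportError:
            plaintext.append(url)
    return tls_ok, plaintext


def build_authenticated_request(url: str, api_key: str, body: dict) -> dict:
    """Assemble a request description with the key in a header.

    The transport check runs first, so a key never reaches the request
    object for a plaintext endpoint. Putting the key in a header rather
    than the query string keeps it out of access logs and Referer headers
    (header name is an assumed placeholder).
    """
    check_endpoint(url)
    return {
        "url": url,
        "headers": {"X-Api-Key": api_key},
        "body": body,
    }


if __name__ == "__main__":
    # Constructed sample configuration, the kind of list an audit would scan.
    configured = [
        "https://api.example.invalid/3.0/lists",
        "http://api.example.invalid/3.0/lists",
        "HTTP://legacy.example.invalid/export",
        "//cdn.example.invalid/sync",
    ]
    ok, bad = audit_endpoints(configured)
    print("TLS endpoints:      ", ok)
    print("plaintext endpoints:", bad)
    req = build_authenticated_request(ok[0], "PLACEHOLDER-KEY", {"list": "newsletter"})
    print("request:", req)
```

`audit_endpoints` is the piece to run against whatever base URLs an installed plugin is configured with; anything that lands in the `plaintext` list is a key that will be visible to whoever can see the wire between the server and the API.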
======
ntulip
The API Key/Access Information should be kept secret. At a minimum I can get
some account, campaign information, etc. No private information like Credit
Card numbers is available.

~~~
eliot_sykes
With the API key, my understanding is you can use the API to access all the
email addresses and customer names on that accounts mailing list(s), which for
some companies is one of their most prized assets.

------
eliot_sykes
Clickable, shortened link: <http://bit.ly/cvck2Z>

------
pinksoda
I wouldn't worry about it.

Traffic sniffing is mostly a concern for computers connected to public
wireless networks. A linux machine, in a datacenter, connected via an ethernet
cable doesn't have much to worry about.

~~~
blueben
This is incredibly bad advice. Do you know who has access to your datacenter?
Who has access to plug devices into the switch that your server lives on? Does
your network provider regularly audit their gear to make sure it hasn't been
compromised? How do you know?

If you think traffic sniffing is "just for wifi", you're out of your mind.

~~~
eliot_sykes
Thanks for providing an alternative view, I'm going to be using SSL for sure.
The more I think about it, the more I'm amazed that Mailchimp don't make a
bigger deal of getting people to use SSL.
