An important part of creating a future where digital trust is embedded into business practices is creating tools to strengthen secure communication across systems and applications.

Part of this effort for our products at MATTR includes implementing standards that make our API communications more secure. We recently announced that we’re introducing the use of HTTP message signatures to our flagship MATTR VII platform, which enhance data security and make the interactions between different parties on the web safer.

We also champion open and interoperable standards across the internet and web applications in our mission to make a safer internet for all. To aid both our customers and others in the community in this, we’ve made our HTTP Signatures library fully open-sourced and publicly accessible.

HTTP message signatures

Hypertext Transfer Protocol, more commonly known as HTTP, is a core technology that underpins the internet. As it enables global systems to communicate with each other, it’s critical to secure HTTP messages as much as possible.

Much like an artist’s signature on a painting in the real world, a digital signature assures a verifying party that information:

• has integrity – it hasn’t been tampered with.
• originated from an authentic source – it’s from where it says it’s from.

HTTP message signatures apply the power of digital signatures to HTTP, providing integrity and origin authenticity properties to the message or request.

Other digital security methods like OAuth and shared secrets, used to implement authentication and access control on APIs and web applications, require a round-trip to confirm the client. The HTTP Signatures scheme doesn’t. The integrity of a message sent can be verified independently and directly by the receiver and both parties can be confident that information has not been tampered with.

The use of HTTP message signatures is currently a draft standard incubating at the Internet Engineering Task Force (IETF) – read the draft standard on the IETF website. If the draft is progressed to a finalised standard, this technology could become more commonly utilised across applications.

HTTP signatures have broader benefits for the community. There are various use cases where security features can be applied to different kinds of interactions. Examples include:

• Authorising access to a secure storage backend
• Filtering spam and other messages sent to a communication endpoint
• Allowing ecosystems to authenticate access to permissioned APIs
• And many more

How we use HTTP message signatures with webhooks

Within our MATTR VII platform, we’re using HTTP message signatures to help customers verify the authenticity and integrity of webhooks sent by the platform. A webhook is a standard design pattern that enables a party to "subscribe" to one or more events on a system by supplying a callback URL. The URL is used to communicate with another party when a certain condition or event occurs.

With a “publish and subscribe” model, MATTR VII customers can be set up to be notified that the specific event has been triggered, such as a credential issuance events or configuration updates –they then use those to take further action based on business needs.

What HTTP message signatures do for webhooks

Using webhooks on the MATTR VII platform requires customers to set up an endpoint to receive information, and that endpoint must be open to the public internet.

Because of this, there needs to be a way for the subscribed system to authenticate that the request is coming from MATTR VII and that the request is valid and not being spoofed, intercepted or modified in any way by malicious actors.

We sign the outbound webhook events with HTTP message signatures so our customers can safely call MATTR VII APIs from webhooks, and any subscriber can confidently verify the received requests are coming from us.

HTTP message signatures provide an easy and scalable way for our customers to authenticate messages or requests from our platform. The same pattern can be used to provide authenticity for any kind of web interaction or event trigger.

Leverage the technology for your own implementations

The application of the HTTP Signatures library in the context of webhooks is one of many implementation examples.

Broader implementation of the HTTP message signatures scheme will lead to more secure digital interactions and a safer internet for all, so we have open-sourced our HTTP Signatures library for both MATTR customers and for the community at large.

The library is permissively open-source, and we believe it will help the community establish higher levels of security between web services and applications.

Open-sourcing the library also encourages interoperability and integration with the MATTR VII platform, making it more accessible for businesses of all shapes and sizes.

Get started

It’s easy to get started today. You can:

• Access the open-source HTTP Signatures library on GitHub
• Check out the HTTP Signatures NPM package for easier integration
• See an example implementation of how to verify a webhook that was generated by MATTR VII

This article was originally published on Medium.