Thursday, 21 December 2017

Client side email validation API integration

Learn why we don't support client side email validation


In this video our CEO answers the question we’re often asked...'Do you do client side integration?' He goes into detail to explain why we don’t do it, and why we think nobody else should either.




This ten minute video is aimed at people with technical skills, but clearly explains the commercial reasoning behind the topic that will be of interest to non-technical people; especially those involved with working out the procedures of how and where email validation should take place.

Listen to our CEO, Rowland O’Connor, as he reflects on old-school email validation technology that’s still being used and expands upon why you shouldn’t be using old engineering for your email validation. (Hint – it’s a security nightmare).

Rowland outlines what you should consider if you’re interested in integrating client side validation into your email validation process.

Watch  as he hacks straight into a client side validation product to illustrate his point.

Old engineering gives new fraud opportunities

Why is it such a security risk? Put simply, old engineering (circa 2009) continues to support email validation affiliates who are active in the market place. The end points haven’t changed, so we know exactly what's going on and we're in a great position to shine a light and discuss what happens on client side API integration. 

Fraudsters can pretend to be you, so you end up paying for emails they validate


When you sign up to an email validation service, you generally get allocated a quota, or a number of credits to validate emails. This means there’s a direct cost to you, as you pay for the emails you validate. It's not right that you should pay when someone hacks in and free-rides off your account.

There's something else to consider relating to fraud.  Back when we were first creating email validation systems email fraud was in its infancy. Now, personal data is available for sale for just a few dollars and the better the data, the more value it has. It's not just good guys who want to validate emails. We screen all our sign-ups to prevent people using our service to check stolen emails. If you're using a client side integration you could be opening the door for online thieves to scrub their stolen lists.

If you’re currently using a client side integration you might find it disturbing to follow Rowland as he walks through a demonstration of an API, how it works and how easy it is to hack. He also discusses licence keys, and how simple it can be to sidestep security and access email validation by spoofing a domain. He makes it look very easy. That’s because it is easy for anyone with a pretty basic technical level of expertise.

Once you’ve seen this video you’ll understand why we backed away from a client side approach. It’s very easy for people to rip you off. 


Technical users will enjoy watching at 5 minutes 43s...when the hack is shown


Rowland spoofs details to pretend that we’re using a domain which fools the API as he bypasses the access control that’s in place and bingo, he's accessing free email validation within moments.

What are the solutions to client side email checking?


If you’re wondering how to use an email validation API securely, check in at 8 minutes as Rowland considers three solutions in turn.

What are the solutions?
#1 token based integration -immensely complex and beyond a basic level of technical ability
#2 some sort of basic authentication – fairly complex, viable but far from simple
#3 server to server integration, which is what we do at Email Hippo

We feel strongly that client side integration for email validation APIs shouldn’t be used. It's a quick solution that brings many problems. There are wide-open security holes that can be exposed very easily.

We hope you find this video useful. 
If you’ve got any questions, please get in touch with comments here, via emailing [email protected] or contact us via twitter; @Email_Hippo





No comments:

Post a Comment

All posts are moderated to filter out link spam.