Microsoft overhauls security for publishing Edge extensions

September 30, 2024 at 05:51PM

Microsoft has introduced an updated version of the “Publish API for Edge extension developers,” increasing security for developer accounts and extension updates. As part of its Secure Future Initiative, the company is enhancing security by generating dynamic API keys, storing them as hashes, and expiring keys more frequently. The new process is currently optional but may become mandatory in the future.

Meeting Notes Takeaways:

1. Microsoft has introduced an updated version of the “Publish API for Edge extension developers” to increase security for developer accounts and for browser extension updates.
2. New Edge browser extensions must be submitted through the Partner Center; subsequent updates can be made through the Partner Center or the Publish API.
3. The Secure Future Initiative aims to increase security across all product groups, including the browser extension publishing process, to prevent extensions from being hijacked with malicious code.
4. The new Publish API dynamically generates API keys to reduce the risk of static credentials being exposed in code or breaches.
5. API keys will now be stored in Microsoft’s databases as hashes rather than as the keys themselves, to prevent them from leaking.
6. Access token URLs will be generated internally, improving security by limiting the risk of exposing URLs that could be used for malicious extension updates.
7. API keys will expire every 72 days, compared to the previous two years, to prevent continued misuse in case of exposure.
8. Edge developers can try the new API key management experience in their Partner Center dashboard and will need to regenerate their ClientId and secrets for existing CI/CD pipelines.
9. Microsoft acknowledges the common targeting of software developers in phishing and information-stealing attacks and encourages transitioning to the new, more secure experience at an individual pace.
10. The updated Publish API is currently optional but may become mandatory in the future. The security enhancements aim to protect extensions and improve the publishing process.
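Takeaways 4, 5, 7 and 8 describe one pattern: generated keys, hash-only storage, a 72-day lifetime, and regeneration. The sketch below is an added example of that pattern, not Microsoft's implementation; the `ApiKeyStore` class, the choice of SHA-256, the client name and the start date are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

KEY_LIFETIME = timedelta(days=72)  # expiry interval stated in the article


class ApiKeyStore:
    """Hypothetical server-side store that keeps only digests of API keys."""

    def __init__(self):
        self._records = {}  # client_id -> (hex digest, expiry time)

    def issue(self, client_id, now=None):
        """Generate a fresh random key; the plaintext is returned exactly once."""
        now = now or datetime.now(timezone.utc)
        api_key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # A fast hash is acceptable here because the key is high-entropy random
        # data, unlike a password. Re-issuing replaces (revokes) the old key.
        digest = hashlib.sha256(api_key.encode()).hexdigest()
        self._records[client_id] = (digest, now + KEY_LIFETIME)
        return api_key

    def verify(self, client_id, presented_key, now=None):
        """True only if the key matches the stored digest and has not expired."""
        now = now or datetime.now(timezone.utc)
        record = self._records.get(client_id)
        if record is None:
            return False
        digest, expires_at = record
        candidate = hashlib.sha256(presented_key.encode()).hexdigest()
        # Constant-time comparison avoids leaking digest prefixes through timing.
        return hmac.compare_digest(candidate, digest) and now < expires_at

    def dump(self):
        """What someone reading the database would see: digests and expiry only."""
        return dict(self._records)


def demo():
    store = ApiKeyStore()
    t0 = datetime(2024, 9, 30, tzinfo=timezone.utc)  # constructed start date
    key = store.issue("ci-pipeline", now=t0)  # "ci-pipeline" is a made-up client
    return {
        "valid_day_1": store.verify("ci-pipeline", key, now=t0 + timedelta(days=1)),
        "valid_day_73": store.verify("ci-pipeline", key, now=t0 + timedelta(days=73)),
        "wrong_key": store.verify("ci-pipeline", "guess", now=t0),
        "plaintext_in_db": any(key in str(v) for v in store.dump().values()),
    }
```

A database leak from such a store yields digests that cannot be replayed as credentials, and a key stolen from a pipeline stops working once its 72 days elapse or the owner regenerates it.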
