Reading that new post on checking the requests from Amazon. Seems complicated. Amazon could just encrypt the hash with a key we upload to our account. Wouldn't that eliminate this idea of checking urls and pulling certs? Seems a provided secret simplifies a lot.
I understand they are trying to be secure and ensure that only the Amazon service can access the app we surface, otherwise someone else could access our services, do a denial of service attack, etc. (My day-job is an ethical hacker!) But, damn, it is a pain in the arse. I woke up this morning with an angry mail saying that my keys had been compromised (sloppy check-in) and that someone was wracking up $2500 worth of services. I was faced with a similar wall of complexity when I used Websphere Application Server. But, you know, there are some people that need that level of complexity and, really, you should be using WAS unless you have that sort of job to do. (This was before the Liberty profile.) I'm hitting the same thing with AWS. It's so freaking complicated that there's a huge bar of stuff to learn before you can get productive. I guess I steamed up the learning curve too quickly, made a mistake, and now it's going to take me days to get back to the point of being productive. I think they would built a development community a lot faster if they had more fast-track deployment choices. It's one thing to give a step-by-step guide, but when each bullet point is a link to another entire document (which itself has bullet point to other documents) it's not really making it any easier.
What I propose is no less secure. The contact our servers via https already, and by them providing a secret we simply upload, we know it's them. What they have in place is over complicated for no lore security imo.
Hi there, I'd suggest using AWS Lambda for hosting and running developer apps. The use of Lambda doesn't require SSL certification which is another option to simplify hosting Alexa Skills as an alternative to a HTTP web service hosted option. Thanks, Jamie
Don't forget my original idea though. Us uploading a server that echo sends our apps is a far simpler and no less secure approach. The current way is just overly complex with no security gain that I can see.