Skip to content
This repository has been archived by the owner on Apr 3, 2022. It is now read-only.

1.4.4 Personal API keys
Compare
Choose a tag to compare
@Stekeblad Stekeblad released this 22 May 10:53
· 7 commits to master since this release
1.4.4
05f8c0a

For a couple of reasons, detailed below, will all releases before this one stop working against YouTube and all users will need to create their own API key for accessing YouTube through Stekeblads Video Uploader. (Not anymore, see edit at the end of this post) This change will take effect around the weekend 12-13 June 2021. (Exact time will depend on timezones and how fast Google's systems propagate the changes around the world.) Click here to view the wiki article about creating an API key

I have been thinking for some time that the API-key Stekeblads Video Uploader uses is not secured as well as I want it to be but I have not been able to figure out how to secure it in a way that works with how I want Stekeblads Video Uploader to be. The "best" way to secure the API key I can think of would be move much of the work from the application to a server I control and require all users to sign up for an account. I do not like that solution and here is the two biggest reasons:

  • I do not want your data. What is your channel name? What videos do you upload? I do not want to know that! I do not want to be responsible for any personal information if I can avoid it. By requiring all YouTube stuff to pass through a server I control I must collect and process personal information that I currently do not have.
  • Having all videos that will be uploaded passing by a server I control will be expensive. I do not make any money from Stekeblads Video Uploader. It would also be a big throttle if the number of users uploading increases without proportional scaling on the server side and a lot of work managing the servers. How much traffic am I talking about? Terabytes, maybe closer to Petabytes every day. During the last 30 days almost 400 000 videos was uploaded using Stekeblads Video Uploader! That's amazing we could reach that high!

Then someone opened a security-related issue I had to do something, I do not know if its a problem in Stekeblads Video Uploader or the bad guys just (ab)used Stekeblads Video Uploader to do their things easier. But its a part in the decision.

Recently I also noticed that the API key used by Stekeblads Video Uploader is being used by someone else without permission to attempt livestreaming to YouTube in the usage statistics provided by the Google Cloud Console. This is not OK and is another reason I had to either disable the API key or secure it and regenerate it. I did not figure how to secure it properly.

While this means there is now a step extra to climb before you can use Stekeblads Video Uploader it can now be used without me being able to see anything at all about how the program is used. The source code is all open here on GitHub and with the support to now use your own API you can now be in full control. If you do not want to trust the built releases you can clone the code, go through it, build it your self and add your API key. But please, do not redistribute my releases or the once you build yourself. Write your own program and distribute it instead.

Edit: After much investigation all I can find points to what I have done has been correct and I have decided to partially revert this update. All prior versions will still stop working around the weekend 12-13 June but during that weekend will also version 1.4.5 be released adding back support for the Stekeblads Video Uploader-key but still keeping the option to use your own API key.

Assets 3
Loading