Collaborate Disseminate
CVE-2020-27838 describes that Keycloak has an open endpoint where it’s possible to obtain client_secret information, as shown in the example below:
/auth/realms/{realm}/clients-registrations/default/{client_id}
Through other discussions, … Continue reading Analyzing impact of leaked client_secret in Authorization Code Flow in Keycloak (CVE-2020-27838)
Is it okay to upload .env files containing client ID and client secret to elastic beanstalk? If not, what is the risk involved? How would one access those files?
I see why it is obviously bad to store a secret key and client ID in the source code for a web application. However, how do you go about the alternative? Surely, that information has to be stored somewhere. Is it stored in a local text fil… Continue reading What does it mean to store secret keys as an "environment variable" as opposed to hardcoded in the source code?
When I came to the topic of Ansible (Vault), when deploying secrets in Ansible and other passwords up to 128 characters Shamir’s Secret Sharing would be an ideal solution I think:
The secret is never in one spot
The secret can be encrypte… Continue reading Why don’t basically all "clusters" and similar distributed systems use Shamir’s secret sharing method? [migrated]
Is it unsafe to use environmental variables for secret data?
^^ according to that question and answers:
Environment variables are a poor (though perhaps passable, as per Forest’s comment) way to store secrets;
The preferred way is to use … Continue reading How to securely pass secrets if I’m deploying my app n the old school way, rather than using Docker, Heroku, cloud etc?
I’m constantly exchanging credentials with my clients for things like database servers, cloud accounts, etc. Neither I nor my clients, have time to implement a sophisticated method for secure transmission.
So far we’ve been relying on 2 ma… Continue reading Best method to send credentials to clients
I am trying integrate our service with SSO. I have generated the ClientID and ClientSecret.
Is it a good security practice to store the ClientID and ClientSecret as a configmap? If not, what are the alternatives for storing and using them?… Continue reading How to store ClientID and ClientSecret in a K8 Env
Background:
We have product development teams, where each team has one or two QA engineers. They run tests from their local machines. Here is what they require:
Application credentials (a clientId and a clientSecret), which enable them to… Continue reading What Criteria Should We Use to Determine What is and isn’t a Secret?
Any application can use a TPM chip to securely create and store cryptographic keys.
For example for Digital Rights Management (DRM) or for prevention of cheating in online games.
However, how can a TPM be sure of the identity of the proces… Continue reading How does a TPM verify the identity of the calling process/service?
One of the companies we’re working with is sharing their user’s database through a public Sharepoint link. While convenient, I’m worried that anyone on the internet can simply access the link (even though they shouldn’t know about it).
Am … Continue reading Is it safe to share sensitive data in a Sharepoint through a public link with third parties?