Hacker News
by ccktlmazeltov 2086 days ago
> Both vulnerabilities (CVE-2020-16250/16251) were addressed by HashiCorp and are fixed in Vault versions 1.2.5, 1.3.8, 1.4.4 and 1.5.1 released in August.

I never understood why people use Vault. Putting all your secrets in one place is just the best possible situation for an attacker.

4 comments

The alternative would be to scatter your secrets across several different stores, each of which would have its own security boundaries. In quite a lot of backend systems, you're only as strong as your weakest link. Now you're in a situation where you have to audit the attack surface of several different systems, so I'm not sure how Vault would be particularly worse at this task.

I would wager that a larger portion of security incidents are due to security products being harder to use correctly, and Vault is one of the cleaner and easier-to-use solutions in this regard, so I still think it's a step forward.

Guess you don't get out much.

Please describe your system and how it is universally better, at the scale at which Vault is designed to operate. (Pricing starts at around $150k annually, as a proxy for the scale where Vault matters.)

You got a bunch of downvotes, but I agree. Properly scoped secrets are scoped per team. There's a significant management issue, but it scales with scope. Each team should be aware of all the teams it interacts with, both inbound and outbound, and manage their own tokens. Concentrating them all in one place with systems like Vault is pretty dangerous. You should use one tool across your company, but you should use many installations of that one tool.

What Vault can be good at is certificate generation or management of short-lived certificates. Using Vault to generate temporary AWS credentials or certificates for you can be really powerful. Carefully scoping those, though, is not something I've seen most teams do.
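To make the "carefully scoping those" point concrete, here is an added example (not code from the thread, HashiCorp, or the linked article) of what per-team scoping looks like inside a single Vault installation: one ACL policy per team, where each team can only reach its own KV prefix, its own PKI issuing role and its own AWS secrets role, with short TTLs on everything dynamic. The team names (`team-a`, `team-b`), mount paths (`secret/`, `pki/`, `aws/`), the domain and the AWS role ARN are assumed placeholders. The `vault write` commands in the comments set up the roles the policies refer to; they use documented `pki` and `aws` secrets-engine parameters, but the specific values are illustrative.

```hcl
# --- Weak setting (what a lot of teams actually ship): one broad policy ---
# Every client that authenticates gets every secret, so a single leaked token
# or one compromised workload exposes the whole store.
#
# path "secret/*" {
#   capabilities = ["read", "list"]
# }

# --- Corrected: per-team policy, applied as `vault policy write team-a team-a.hcl` ---
# team-a only sees its own KV v2 prefix (data + metadata paths both matter for KV v2).
path "secret/data/team-a/*" {
  capabilities = ["create", "read", "update", "delete"]
}
path "secret/metadata/team-a/*" {
  capabilities = ["list", "read", "delete"]
}

# team-a may only issue certs through its own PKI role. The role (assumed setup,
# run once by the PKI owners) pins the allowed domain and keeps certs short-lived:
#   vault write pki/roles/team-a-web \
#     allowed_domains="team-a.example.com" allow_subdomains=true \
#     allow_bare_domains=false ttl="1h" max_ttl="24h"
# Issuing is a write, so the capability is "update", not "read".
path "pki/issue/team-a-web" {
  capabilities = ["update"]
}

# team-a may only request STS credentials for its own deploy role. The role
# (assumed setup) uses assumed_role so Vault hands out short STS tokens, never
# long-lived IAM user keys:
#   vault write aws/roles/team-a-deploy \
#     credential_type=assumed_role \
#     role_arns="arn:aws:iam::123456789012:role/team-a-deploy" \
#     default_sts_ttl=15m max_sts_ttl=1h
path "aws/creds/team-a-deploy" {
  capabilities = ["read"]
}

# Explicit denies make the boundary auditable: even if someone later adds a
# broader glob to this policy, team-b's prefix stays off limits to team-a.
path "secret/data/team-b/*" {
  capabilities = ["deny"]
}
path "pki/issue/team-b-*" {
  capabilities = ["deny"]
}
path "aws/creds/team-b-*" {
  capabilities = ["deny"]
}
```

The check a practitioner would add: bind each team's auth method (Kubernetes, AppRole, OIDC) to only its own policy, then run `vault token capabilities <token> secret/data/team-b/x` from a team-a token and confirm it returns `deny`. Whether you then run one Vault with policies like these or one Vault per team, as the comment above argues, the scoping work is the same; the policy is what limits blast radius, not the number of installations.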

I think most people in this thread work in AWS or GCP, and there it doesn't really matter because everything is a black box that magically connects with other black boxes via magical identities.
We use Vault for certificate generation.