by thrownaway2424 4446 days ago
It's shocking to me that baking "db creds" into a binary or configuration file is still so common that anyone would expect it to be true on a randomly selected server. Is this still the industry standard?

How else would you do it? If you use a configuration "service" the credentials to access the service must be baked in.
Well, I can think of a couple of ways off the top of my head that I'm sure will be shouted down for being simplistic:

1) ident protocol, or something similar. On the internet, it's a disaster, but for machines all owned by the same organization, it makes sense.

2) SSL client certificate. This can be hardened in various ways, like having the certs expire every ten minutes, etc.
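
Option 2 above, worked through as an added example (this is not code from the thread or from any poster): a Go program that mints a ten-minute client-auth certificate from an internal CA, runs the check a database server would perform on a presented certificate (chain to the CA, client-auth usage, validity at the current time), and shows the same certificate being rejected eleven minutes later. The CA name "internal-ca", the workload name "billing-api", the ten-minute TTL and the one-minute backdating for clock skew are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is the internal issuer that both the database and its clients trust.
// Its private key is the only long-lived secret in this design, and it stays
// on the issuing host rather than in every application binary or config file.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed internal CA (name "internal-ca" is assumed).
func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "internal-ca"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueClientCert mints a client-auth certificate for the workload cn, valid
// for ttl from now (backdated one minute for clock skew). A fresh key is
// generated per issuance and nothing is written to disk.
func (ca *CA) IssueClientCert(cn string, ttl time.Duration, now time.Time) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	return der, key, nil
}

// VerifyClientCert is the database-side check on a presented certificate:
// chain to the CA, client-auth usage, validity at now. On success it returns
// the authenticated identity (the CN), which the server maps to a database
// role instead of comparing a stored password.
func (ca *CA) VerifyClientCert(der []byte, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

// ServerTLSConfig is the listener config that makes the TLS handshake itself
// enforce the checks above and reject any peer without a CA-issued cert.
func (ca *CA) ServerTLSConfig(serverCert tls.Certificate) *tls.Config {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    roots,
		MinVersion:   tls.VersionTLS12,
	}
}

func main() {
	ca, err := NewCA()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	der, _, err := ca.IssueClientCert("billing-api", 10*time.Minute, now)
	if err != nil {
		panic(err)
	}
	if id, err := ca.VerifyClientCert(der, now); err == nil {
		fmt.Println("accepted as", id)
	}
	if _, err := ca.VerifyClientCert(der, now.Add(11*time.Minute)); err != nil {
		fmt.Println("rejected after ten minutes:", err)
	}
}
```

The point of the short TTL is that a leaked binary or config file no longer carries a usable credential: an attacker who copies the application's files gets at most the remaining minutes of one certificate, and the issuing host (which holds the CA key) is the single place that needs hardening. The database still needs a CRL or OCSP story for revocation inside the window if that window matters to you.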

That's certainly not how we do it at Google.
Sadly but truly!