What are the security implications of storing your keys (app_cert.pem, app_key.pem, paypal.pem), which are used to encrypt/sign your PayPal transactions, in VCS? I’m thinking that someone who has the certificate and my database primary key will be able to mark a purchase as paid. That’s the worst that can happen, right?
The biggest danger is in who has access to the source control. If the developers that have access to the source control are already allowed to have access to the keys, then there is no additional risk as long as the source control is locked down so that only authorized users have access.
If you allow anonymous read access to the repository, then someone else can get your keys, which may be helpful to a dedicated attacker. Perhaps they’ll know how to do something with it that we wouldn’t think of.
Never underestimate the ingenuity of someone who has the skill and the lack of scruples, and the motivation of an easy payday.
Personally, I wouldn’t put them in source control. I’d protect them as if they were my own SSN and bank info.
Even if your repo is locked down tight now, you don’t know what will change in the future. It would be too easy for some future developer to start collaborating with an outside vendor, for example, and grant read-only access, not thinking that they’re exposing such sensitive info.
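A check that could be run over a working tree before committing, shown as an added example (not code from the question or the answers): it tells private-key PEM blocks apart from certificates by their PEM labels and reports only the former. The PEM bodies are constructed placeholders; which of the question's file names holds the private key, and the `backup/` path, are assumptions.

```python
import re
import tempfile
from pathlib import Path
# One PEM block: the label after BEGIN and everything up to the matching END.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def classify_pem(data: bytes) -> list:
    """Label each certificate or private-key PEM block found in data."""
    kinds = []
    for label, body in PEM_BLOCK.findall(data):
        if label == b"CERTIFICATE":
            kinds.append("certificate")  # public by design
        elif label.endswith(b"PRIVATE KEY"):
            # PKCS#8 says so in the label, the traditional format in a header line.
            enc = label.startswith(b"ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in body
            kinds.append("encrypted-private-key" if enc else "private-key")
    return kinds

def scan_tree(root: str) -> dict:
    """Map relative path -> private-key findings for files under root."""
    report = {}
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root)
        if path.is_file() and ".git" not in rel.parts:
            hits = [k for k in classify_pem(path.read_bytes()) if k != "certificate"]
            if hits:
                report[rel.as_posix()] = hits
    return report

def _pem(label: str, body: str = "Q09OU1RSVUNURUQ=") -> bytes:
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()

# Constructed sample tree: placeholder bodies, key/cert roles assumed from the
# question's file names, backup/app_key_enc.pem is a hypothetical extra file.
SAMPLES = {
    "app_cert.pem": _pem("CERTIFICATE"),
    "paypal.pem": _pem("CERTIFICATE"),
    "app_key.pem": _pem("RSA PRIVATE KEY"),
    "backup/app_key_enc.pem": _pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\n\nQ09OU1RSVUNURUQ="),
}

def demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        for name, data in SAMPLES.items():
            target = Path(root, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

This covers the working tree only; a key that was committed earlier is still present in the repository history.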