Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
toomuchtodo 15 hours ago

Great write up. Reminder that if you commit these to a Github Gist and the provider partners with GitHub for secrets scanning, they’ll rapidly be invalidated.

pwdisswordfishy 14 hours ago | parent [-]

That's just a tautology.

"If the secrets issuer partners with X-corp for secret scanning so that secrets get invalidated when you X them, then when you X them the secrets will be invalidated".

The above is a true statement for all X.

nightpool 14 hours ago | parent | next [-]

? Yes? Toomuchtodo is reminding the author (and other commenters), that github gists are one way to make sure secrets are secured / remediated before making a public post like this. Maybe not the most responsible whitehat action, but I can see it being useful in some cases where outreach is impractical / has failed.

Unfortunately, it doesn't look like Algolia has implemented this

TurdF3rguson 13 hours ago | parent [-]

I'm not following this at all. It seems like OP is saying if you share a secret in your (private?) gist and give Algolia permission to read the gist, they will invalidate it. But why would the secret be in a gist and not a repo? Also if you're aware enough to add that partner it seems you're aware to not do dumb things like that in the first place.

richbell 13 hours ago | parent | next [-]

If you find an exposed token in the wild, for a service supported by GitHub Secret Scanning, uploading it to a Gist will either immediately revoke it or notify the owner.

TurdF3rguson 12 hours ago | parent [-]

Ok I see, so any public gist with an algolia key in it will get invalidated? And it would have to follow some pattern like ALGOLIA_KEY=xxx ?

13 hours ago | parent | prev [-]
[deleted]
wat10000 14 hours ago | parent | prev | next [-]

English is not formal logic.

In formal logic, that statement is true whether X is GitHub, or Lockheed-Martin, Safeway, or the local hardware store.

In English, the statement serves to inform (or remind) you that GitHub has a secret scanning program that many providers actually do partner with.

pwdisswordfishy 13 hours ago | parent [-]

Yes, and in the real world where Grice's Maxim of Relevance is in force, then when the secrets issuer that is the subject of the discussion isn't one of those partners, then an informative "reminder" that GitHub "has a secret scanning program" with a bunch of other partners is not actually informative. It's as superfluous and unhelpful as calling to let someone know you're not interested in the item they've posted for sale on Craiglist (<https://www.youtube.com/watch?v=xWG3jKzKcm8>).

wat10000 13 hours ago | parent | next [-]

It's more useful than telling someone that their statement is a tautology in formal logic.

richbell 13 hours ago | parent | prev [-]

How is reminding people that they can safely revoke exposed API keys not informative? Why are you being so combative?

14 hours ago | parent | prev [-]
[deleted]