ZiiS | 3 days ago

Unrestricted API keys were always secrets. They are created on a page called "Keys & Credentials". The fact that Google even allows unrestricted keys to be created has been a long-standing security problem. The fact their docs encouraged it remains unforgivable.

ceejayoz | 3 days ago

Public keys are a thing in computing, though?

Google Maps has one, even. And Stripe.

abustamam | 3 days ago

It's been a while since I've used Stripe, but don't their keys start with sk_ for secret and pk_ for public?

I like that. Easy to tell if you should keep the key a secret or not.
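The sk_/pk_ convention described above makes the "should this ever ship to a browser?" question mechanical. The following is an added example (not from the thread or from Stripe) of a scanner that classifies Stripe-style keys found in a client bundle by their role prefix; the sample bundle and every key value in it are constructed, and the Google-style key is left deliberately unclassified because, as the thread notes, nothing in such a key says whether it is restricted.

```python
import re
from dataclasses import dataclass

# Constructed sample of a shipped browser bundle. All key values are made up
# and follow only the prefix shapes; none is a real credential.
SAMPLE_BUNDLE = """
const stripe = Stripe("pk_test_EXAMPLEpublishable0000000000");
fetch("/api/charge", {headers: {Authorization: "Bearer sk_live_EXAMPLEsecret00000000000000"}});
const maps = "AIzaSyEXAMPLEunrestricted000000000000000";  // restriction not inferable from the key
"""

# Stripe-style key: role prefix (sk = secret, pk = publishable), an optional
# mode segment (test/live), then an opaque alphanumeric body.
STRIPE_KEY = re.compile(r"\b(sk|pk)_(?:(test|live)_)?[A-Za-z0-9]{10,}\b")


@dataclass(frozen=True)
class Finding:
    key: str
    role: str   # "secret" or "publishable"
    mode: str   # "test", "live" or "unknown"
    line: int   # 1-based line in the scanned text


def classify_stripe_keys(text: str) -> list[Finding]:
    """Find every Stripe-style key in text and label its role and mode."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in STRIPE_KEY.finditer(line):
            role = "secret" if m.group(1) == "sk" else "publishable"
            mode = m.group(2) or "unknown"
            findings.append(Finding(m.group(0), role, mode, lineno))
    return findings


def secrets_in_client_code(text: str) -> list[Finding]:
    """Return only the findings that must never ship to a client: sk_ keys."""
    return [f for f in classify_stripe_keys(text) if f.role == "secret"]


if __name__ == "__main__":
    for f in secrets_in_client_code(SAMPLE_BUNDLE):
        print(f"line {f.line}: {f.role} {f.mode} key must not be in client code")
```

Keys that carry no role in their prefix (the Google-style value in the sample) cannot be triaged this way; their restrictions have to be checked in the project's console, which is exactly the gap the thread is complaining about.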

ZiiS | 3 days ago

I would like to restrict the term "Public keys" to refer to asymmetric encryption keys which can be made public without compromising security.

The only purpose of the keys Maps/Stripe encourage you to publicly put into your website is to guarantee it is talking to _your_ Google/Stripe account, not someone else's. Obviously, once you put them in your client they are of zero value in helping Google/Stripe identify you. The fact that Google allows you to use the same type of key they also use elsewhere to identify _you_, not _them_, was always incredibly bad design. Google already have the 'Project ID', which would have been the best thing to use.

abustamam | 3 days ago

I can maybe understand unrestricted keys (OK, I can't, to be honest).

But the fact that permissions are not hardened at time of creation is bonkers to me.