Yes the incident is human error, but it reflects poor OPSEC - considering how big GitHub is, how difficult would it be to store their private keys only on Yubikeys or similar airgrapped devices instead of having them stored in plaintext where they can be accidentally copy/pasted? This is literally OPSEC 101 and these guys are owned by one of the biggest tech companies in the world. What else are they dropping the ball on?
Fair play on the backwards compatibility - missed that they also have ECDSA and EdDSA keys as well.
RSA is old (literally from 1977!), slow (because huge keys are required to make it non-trivial to brute force), and overall less secure than modern elliptic curve cryptography.
As I said though, I missed that they also have EdDSA and ECDSA keys when I skimmed the article during my lunch break. Since the RSA key is only for backwards compatibility it isn't an issue. Thank you for pointing that out to me.
At least they updated the key within a few days? Still, that's pretty embarrassing to post their private key in a public repo
They only said when they discovered the leak. Not when the leak started.
That is a great clarification!
GitHub is a humungous liability for the whole internet. Every project needs to now consider alternatives.
deleted by author
I want to switch from gitolite to soft-serve in the near future.
Do you have any experience with it?
Still using RSA in 2023 as well lol.
EdDSA ftw.
Backwards compatibility.
They mentioned their ECDSA and ED25519 key are not affected so they also use them.
Also, this incident has nothing to do with RSA. Could have happened with ECDSA and ED25519, too, no?
Yes the incident is human error, but it reflects poor OPSEC - considering how big GitHub is, how difficult would it be to store their private keys only on Yubikeys or similar airgrapped devices instead of having them stored in plaintext where they can be accidentally copy/pasted? This is literally OPSEC 101 and these guys are owned by one of the biggest tech companies in the world. What else are they dropping the ball on?
Fair play on the backwards compatibility - missed that they also have ECDSA and EdDSA keys as well.
I totally agree with you. I just didn't get what RSA has to do with this lol
RSA is old (literally from 1977!), slow (because huge keys are required to make it non-trivial to brute force), and overall less secure than modern elliptic curve cryptography.
As I said though, I missed that they also have EdDSA and ECDSA keys when I skimmed the article during my lunch break. Since the RSA key is only for backwards compatibility it isn't an issue. Thank you for pointing that out to me.
Internet archive link here also - https://web.archive.org/web/20230324071940/https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
Hey, I posted this before you xD
#156121
No worries though, just wanted point out how timing is sometimes relevant which post gets upvotes, lol
Hmm… I thought SN checks for duplicates before posting the url 🤔
It does but it doesn't prevent duplicates.
Maybe you clicked on "post" too fast since it takes 1-2 seconds to load the duplicates?
https://i.postimg.cc/T2VrV576/2023-03-24-163434-743x395-scrot.png
I think that might be it. Given was posting from mobile 🤦♂️ My bad
/cc @k00b
might be useful to disable posting until duplicates are loaded (or a timeout is reached)
@cointastical has been asking for this for a long time. I'm open to it if the UX can be made good.
I'll see what I can do. Shouldn't require a lot of changes
Cool I'll send you some sats for it
Again, no worries! Happens, haha