GitHub.com posted their RSA SSH key for the world to see - BEWAREgithub.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
1530 sats \ 22 comments \ @davidw 24 Mar 2023 bitcoin
write
preview
related posts
416 sats \ 5 replies \ @WeAreAllSatoshi 24 Mar 2023
At least they updated the key within a few days? Still, that's pretty embarrassing to post their private key in a public repo
reply
70 sats \ 2 replies \ @davidw OP 24 Mar 2023
GitHub is a humungous liability for the whole internet. Every project needs to now consider alternatives.
reply
50 sats \ 1 reply \ @deleted231216 24 Mar 2023
Gitea is nice, open source and self-hostable (especially if you already have a VPS for your project). It's also possible to mirror or backup Github/Gitlab repos. AFAIK Gitea is working on a federation feature, so you could browse all federated repos (improves discoverability) and commit with a single sign-on.
Codeberg.org is a public registration Gitea instance (also offers a similar service to Github Pages for static websites). HackLiberty.org also operates a Gitea instance.
Otherwise there is a bounty for an implementation of Git on Nostr: https://bountsr.org/nostr-based-github/ Some projects here: https://makers.bolt.fun/project/git-nostr and https://makers.bolt.fun/project/nostrya
reply
0 sats \ 0 replies \ @ek 24 Mar 2023
I want to switch from gitolite to soft-serve in the near future. Do you have any experience with it?
reply
122 sats \ 1 reply \ @ek 24 Mar 2023
This week, we discovered that GitHub.com’s RSA SSH private key was briefly exposed in a public GitHub repository.
They only said when they discovered the leak. Not when the leak started.
reply
0 sats \ 0 replies \ @WeAreAllSatoshi 24 Mar 2023
That is a great clarification!
reply
295 sats \ 0 replies \ @davidw OP 24 Mar 2023
  • At approximately 05:00 UTC on March 24, out of an “abundance of caution” we replaced our RSA SSH host key used to secure Git operations for GitHub.com
  • The exposure was the result of what we believe to be an inadvertent publishing of private information
  • We have no reason to believe that the private key was abused (yet!)
Internet archive link here also - https://web.archive.org/web/20230324071940/https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
reply
359 sats \ 4 replies \ @xanny 24 Mar 2023
Still using RSA in 2023 as well lol.
EdDSA ftw.
reply
0 sats \ 3 replies \ @ek 24 Mar 2023
Backwards compatibility.
They mentioned their ECDSA and ED25519 key are not affected so they also use them.
Also, this incident has nothing to do with RSA. Could have happened with ECDSA and ED25519, too, no?
reply
3 sats \ 2 replies \ @xanny 24 Mar 2023
Yes the incident is human error, but it reflects poor OPSEC - considering how big GitHub is, how difficult would it be to store their private keys only on Yubikeys or similar airgrapped devices instead of having them stored in plaintext where they can be accidentally copy/pasted? This is literally OPSEC 101 and these guys are owned by one of the biggest tech companies in the world. What else are they dropping the ball on?
Fair play on the backwards compatibility - missed that they also have ECDSA and EdDSA keys as well.
reply
0 sats \ 1 reply \ @ek 24 Mar 2023
I totally agree with you. I just didn't get what RSA has to do with this lol
reply
108 sats \ 0 replies \ @xanny 24 Mar 2023
RSA is old (literally from 1977!), slow (because huge keys are required to make it non-trivial to brute force), and overall less secure than modern elliptic curve cryptography.
As I said though, I missed that they also have EdDSA and ECDSA keys when I skimmed the article during my lunch break. Since the RSA key is only for backwards compatibility it isn't an issue. Thank you for pointing that out to me.
reply
101 sats \ 9 replies \ @ek 24 Mar 2023
Hey, I posted this before you xD
#156121
No worries though, just wanted point out how timing is sometimes relevant which post gets upvotes, lol
reply
0 sats \ 8 replies \ @davidw OP 24 Mar 2023
Hmm… I thought SN checks for duplicates before posting the url 🤔
reply
0 sats \ 7 replies \ @ek 24 Mar 2023
It does but it doesn't prevent duplicates. Maybe you clicked on "post" too fast since it takes 1-2 seconds to load the duplicates?
reply
3 sats \ 6 replies \ @davidw OP 24 Mar 2023
I think that might be it. Given was posting from mobile 🤦‍♂️ My bad
reply
0 sats \ 4 replies \ @ek 24 Mar 2023
/cc @k00b
might be useful to disable posting until duplicates are loaded (or a timeout is reached)
reply
25 sats \ 3 replies \ @k00b 24 Mar 2023
@cointastical has been asking for this for a long time. I'm open to it if the UX can be made good.
reply
273 sats \ 2 replies \ @ek 24 Mar 2023
I'll see what I can do. Shouldn't require a lot of changes
reply
0 sats \ 1 reply \ @k00b 24 Mar 2023
Cool I'll send you some sats for it
view replies
0 sats \ 0 replies \ @ek 24 Mar 2023
Again, no worries! Happens, haha
reply