Github is exposing public SSH keys (github.com)
10 points by appplemac on Jan 7, 2013 | 9 comments


Duplicate. http://news.ycombinator.com/item?id=5023665

Also, it doesn't make a difference, since they are public keys, like public GPG keys. They also aren't the only ones that do this - LaunchPad.net (where Ubuntu development takes place) also does it.

https://code.launchpad.net/~jamesgifford/+sshkeys


So what? Is somebody going to factorize my public key?

This is only an issue if 1) Users are relying on github as a trusted source of public keys, and 2) malicious users can modify the public keys.


It doesn't even have key names. Boring. (But useful -- I can provision accounts on servers I run with "oh I set up .ssh/authorized_keys with your Github keys"; thanks!)


Isn't being public the point of public keys?


A problem arises if users start to use github as a de facto trusted source for public keys. Github's security standards are very high, but they have a large potential attack surface due to all of the functionality they support.
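Added example, not part of the thread: one way to provision `authorized_keys` from a hosted key listing without treating the host as the trust anchor is to install only keys whose SHA256 fingerprint was confirmed with the user out of band. The function names and sample keys below are constructed for illustration.

```python
import base64, hashlib, struct

def fingerprint(line):
    """Return (key_type, 'SHA256:...') for one 'type base64 [comment]' line, or None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    # The blob starts with a length-prefixed copy of the key type; it must match.
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        return None
    digest = hashlib.sha256(blob).digest()
    return key_type, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def select_pinned(listing, pinned):
    """Split a fetched key listing into (accepted, rejected) by pinned fingerprint."""
    accepted, rejected = [], []
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        fp = fingerprint(line)
        (accepted if fp and fp[1] in pinned else rejected).append(line)
    return accepted, rejected

def _sample_key(seed):
    # Constructed sample, not a real key: wire format is string type + string 32-byte key.
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

KNOWN = _sample_key(1)                    # key the user confirmed to us directly
UNEXPECTED = _sample_key(2)               # key that appeared in the listing later
MISMATCH = "ssh-rsa " + KNOWN.split()[1]  # declared type disagrees with the blob
PINNED = {fingerprint(KNOWN)[1]}          # fingerprints obtained out of band
LISTING = "\n".join([KNOWN, UNEXPECTED, MISMATCH])

if __name__ == "__main__":
    ok, bad = select_pinned(LISTING, PINNED)
    print("install:", ok)
    print("rejected:", bad)
```

The fingerprint format matches what `ssh-keygen -lf` prints, so the pinned values can be read back to the key owner for confirmation.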


Launchpad accounts have ssh keys as part of public user profiles. Should be ok :)

Ex: https://launchpad.net/~brad-figg


Can someone help me understand why it is a problem if my public key is, uh, public?


Worst case scenario is that someone lets me access their server. Unless RSA is busted, right?


In other news: HN is revealing the user names of its users! Film at 11!



