Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Privacy

GitHub.com Rotates Its Exposed Private SSH Key (bleepingcomputer.com) 20

GitHub has rotated its private SSH key for GitHub.com after the secret was was accidentally published in a public GitHub repository. BleepingComputer reports: The software development and version control service says, the private RSA key was only "briefly" exposed, but that it took action out of "an abundance of caution." In a succinct blog post published today, GitHub acknowledged discovering this week that the RSA SSH private key for GitHub.com had been ephemerally exposed in a public GitHub repository.

"We immediately acted to contain the exposure and began investigating to understand the root cause and impact," writes Mike Hanley, GitHub's Chief Security Officer and SVP of Engineering. "We have now completed the key replacement, and users will see the change propagate over the next thirty minutes. Some users may have noticed that the new key was briefly present beginning around 02:30 UTC during preparations for this change." As some may notice, only GitHub.com's RSA SSH key has been impacted and replaced. No change is required for ECDSA or Ed25519 users.

This discussion has been archived. No new comments can be posted.

GitHub.com Rotates Its Exposed Private SSH Key

Comments Filter:
  • Does this mean that any previously sniffed packets can be decrypted now, or do the encryption protocols not work that way?

    • by gweihir ( 88907 )

      SSH has perfect forward secrecy, because the protocol is well-designed. This means a future break of the long-term secrets does in no way compromise past communication.

  • by gweihir ( 88907 ) on Friday March 24, 2023 @08:13PM (#63397853)

    1. It does not matter how long the key was exposed. Exposed is exposed.
    2. Changing it is not "abundance of caution", it is minimal (!) due caution.
    3. Where is the explanation of how this was possible in the first place? And how are they making sure it does not happen again?

    • Points 1 and 2 are right on. Point 3 is not a mystery at all:

      Where is the explanation of how this was possible in the first place? And how are they making sure it does not happen again?

      I'd bet it would be hard to find ANY major project that doesn't have a private key lying around somewhere in a source code repository. Very few programmers understand just how dangerous this is, they get sloppy and leave it lying around in the folder with their source code, and eventually it gets checked in.

      My company has gone through two rounds of sweeps for keys and passwords lying around in code. It's not easy to get rid of them, they keep popp

      • by Jeremi ( 14640 )

        My company has gone through two rounds of sweeps for keys and passwords lying around in code. It's not easy to get rid of them, they keep popping up like whackamole!

        I wonder if git should be updated to refuse to commit files that are obviously private keys? (Or at least, to require a blood oath and signing over of one's firstborn before agreeing to do so)

        • by gweihir ( 88907 )

          You cannot reliably identify private keys. One problem is that they often look exactly the same as public keys.

      • by gweihir ( 88907 )

        So abysmal incompetence? Makes sense to me.

        • Maybe.

          I had a retired teacher friend who made this statement: "When one student fails a test, it's the student's fault. When everyone in the class fails the test, it's the teacher's fault."

          Basically every programming shop fails this test. I'm not sure it's fair to blame developers.

    • Re. 2, of course they know that but it's free reduced-damage to their reputation in the eyes of those which believe this at the cost of increased damage to their reputation in the eyes of those who see the attempt to spin bad into good.

  • What the hell does âoerotating a keyâ mean? I assume they just changed the key by generating a new one. Rotating sounds like they applied ROT13.

C'est magnifique, mais ce n'est pas l'Informatique. -- Bosquet [on seeing the IBM 4341]

Working...