Github reports fixing Heartbleed vulnerability

John Ralls jralls at
Thu Apr 10 13:52:21 EDT 2014

On Apr 10, 2014, at 10:39 AM, Matthijs Kooijman <matthijs at> wrote:

> Hey John,
>> I’ll add that if you’ve used a github ssh key anywhere else you should
>> replace it there as well — and use a different key this time.
> Huh? github only has your public SSH key, so there should not be any
> reason to replace it AFAICS? At most double-check if they still have the
> correct key listed, under the assumption that attackers might somehow
> have managed to get write access to github's data (for which there is no
> indication, though).
> Or am I misunderstanding something here?

Valid points. You should ask Github; I’m only reporting. I’m in no way a crypto expert. I can speculate that Heartbleed might reveal enough information to crack the private key, maybe by making available both plain and encrypted versions of the exchange.

I added what I did because if the key is compromised on Github it’s compromised everywhere else you use it.

John Ralls

