Github reports fixing Heartbleed vulnerability

Scott Armitage account+gnucash at scott.armitage.name
Thu Apr 10 14:05:18 EDT 2014


And, as with passwords, it makes sense to use different key pairs for
*all* services in order to mitigate the negative impact of any one
service being compromised.


On Thu, Apr 10, 2014 at 1:52 PM, John Ralls <jralls at ceridwen.us> wrote:

>
> On Apr 10, 2014, at 10:39 AM, Matthijs Kooijman <matthijs at stdin.nl> wrote:
>
> > Hey John,
> >
> >> I’ll add that if you’ve used a github ssh key anywhere else you should
> >> replace it there as well — and use a different key this time.
> > Huh? github only has your public SSH key, so there should not be any
> > reason to replace it AFAICS? At most double-check if they still have the
> > correct key listed, under the assumption that attackers might somehow
> > have managed to get write access to github's data (for which there is no
> > indication, though).
> >
> > Or am I misunderstanding something here?
> >
>
> Valid points. You should ask Github, I’m only reporting. I’m in no way a
> crypto expert. I can speculate that Heartbleed might reveal enough
> information to crack the private key, maybe by making available both plain
> and encrypted versions of the exchange.
>
> I added what I did because if the key is compromised on Github it’s
> compromised everywhere else you use it.
>
> Regards,
> John Ralls
>
>
>
> _______________________________________________
> gnucash-devel mailing list
> gnucash-devel at gnucash.org
> https://lists.gnucash.org/mailman/listinfo/gnucash-devel
>

