Github reports fixing Heartbleed vulnerability
account+gnucash at scott.armitage.name
Thu Apr 10 14:05:18 EDT 2014
And, as with passwords, it makes sense to use different key pairs for
in order to mitigate the negative impact of any one service being
On Thu, Apr 10, 2014 at 1:52 PM, John Ralls <jralls at ceridwen.us> wrote:
> On Apr 10, 2014, at 10:39 AM, Matthijs Kooijman <matthijs at stdin.nl> wrote:
> > Hey John,
> >> I’ll add that if you’ve used a github ssh key anywhere else you should
> >> replace it there as well — and use a different key this time.
> > Huh? github only has your public SSH key, so there should not be any
> > reason to replace it AFAICS? At most double-check if they still have the
> > correct key listed, under the assumption that attackers might somehow
> > have managed to get write access to github's data (for which there is no
> > indication, though).
> > Or am I misunderstanding something here?
> Valid points. You should ask Github, I’m only reporting. I’m in no way a
> crypto expert. I can speculate that Heartbleed might reveal enough
> information to crack the private key, maybe by making available both plain
> and encrypted versions of the exchange.
> I added what I did because if the key is compromised on Github it’s
> compromised everywhere else you use it.
> John Ralls
> gnucash-devel mailing list
> gnucash-devel at gnucash.org
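
Added example, not part of the original thread: the check Matthijs suggests (confirming that the key a service lists is still your own public key) comes down to comparing fingerprints, which are hashes of the public key blob only. The sample key is constructed with dummy bytes, and the function names are illustrative.

```python
import base64
import hashlib
import struct

def ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte length + data)."""
    return struct.pack(">I", len(data)) + data

# Constructed sample (not a real key): ssh-ed25519 blob with dummy key bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " user@example"

def parse_public_key(line):
    """Return (key type, raw blob) from an OpenSSH '<type> <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return key_type, blob

def fingerprints(line):
    """Compute the MD5 (colon-hex) and SHA256 (unpadded base64) fingerprints."""
    _, blob = parse_public_key(line)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "md5": ":".join(md5[i:i + 2] for i in range(0, len(md5), 2)),
        "sha256": "SHA256:" + sha,
    }

def matches_listing(line, listed):
    """True if a fingerprint copied from a key listing matches the local public key."""
    fp = fingerprints(line)
    listed = listed.strip()
    if listed.startswith("SHA256:"):
        return listed.rstrip("=") == fp["sha256"]
    if listed.upper().startswith("MD5:"):
        listed = listed[4:]
    return listed.lower() == fp["md5"]
```

Nothing here touches the private key: a fingerprint mismatch means the listed key is not the one you uploaded, not that your private key has leaked.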