Github reports fixing Heartbleed vulnerability

Felix Schwarz at
Thu Apr 10 15:50:54 EDT 2014

Am 10.04.2014 19:52, schrieb John Ralls:
> Valid points. You should ask Github, I’m only reporting. I’m in no way a
> crypto expert. I can speculate that Heartbleed might reveal enough
> information to crack the private key, maybe by making available both plain
> and encrypted versions of the exchange.

Maybe I'm exceptionally bad at reading but I don't see that Github recommends
changing the SSH key. Which paragraph did you refer to?

What I read it this:
What can you do about this?
3. Revoke and recreate personal access and application tokens.

In #3 they are only referring to access and application *tokens* (which are
essentially generated, limited passwords) but no SSH keys. The link points to
a help page which also mentions SSH indeed - but to the best of my
understanding that's only because it is a help page which mentions all "access

Besides: Even without Heartbleed it should be absolutely impossible to compute
the private key just from the exchanged information when using SSH public keys
authentication. Otherwise that in itself would be a bug even bigger than the
whole Heartbleed issue.


More information about the gnucash-devel mailing list