Github reports fixing Heartbleed vulnerability
Felix Schwarz
felix.schwarz at oss.schwarz.eu
Thu Apr 10 15:50:54 EDT 2014
On 10.04.2014 19:52, John Ralls wrote:
> Valid points. You should ask Github, I’m only reporting. I’m in no way a
> crypto expert. I can speculate that Heartbleed might reveal enough
> information to crack the private key, maybe by making available both plain
> and encrypted versions of the exchange.
Maybe I'm exceptionally bad at reading but I don't see that Github recommends
changing the SSH key. Which paragraph did you refer to?
What I read is this:
"""
What can you do about this?
…
3. Revoke and recreate personal access and application tokens.
"""
In #3 they are only referring to access and application *tokens* (which are
essentially generated, limited passwords) but no SSH keys. The link points to
a help page which also mentions SSH indeed - but to the best of my
understanding that's only because it is a help page which mentions all "access
credentials".
Besides: Even without Heartbleed it should be absolutely impossible to compute
the private key just from the exchanged information when using SSH public key
authentication. Otherwise that in itself would be a bug even bigger than the
whole Heartbleed issue.
fs
More information about the gnucash-devel
mailing list