Github reports fixing Heartbleed vulnerability

John Ralls jralls at
Fri Apr 11 00:01:22 EDT 2014

On Apr 10, 2014, at 12:50 PM, Felix Schwarz < at> wrote:

> Am 10.04.2014 19:52, schrieb John Ralls:
>> Valid points. You should ask Github, I’m only reporting. I’m in no way a
>> crypto expert. I can speculate that Heartbleed might reveal enough
>> information to crack the private key, maybe by making available both plain
>> and encrypted versions of the exchange.
> Maybe I'm exceptionally bad at reading but I don't see that Github recommends
> changing the SSH key. Which paragraph did you refer to?
> What I read it this:
> """
> What can you do about this?
>> 3. Revoke and recreate personal access and application tokens.
> """
> In #3 they are only referring to access and application *tokens* (which are
> essentially generated, limited passwords) but no SSH keys. The link points to
> a help page which also mentions SSH indeed - but to the best of my
> understanding that's only because it is a help page which mentions all "access
> credentials".

I read it as SSH keys are included in "tokens", but you can read it differently if you want. Paranoia is a personal decision. ;-)
> Besides: Even without Heartbleed it should be absolutely impossible to compute
> the private key just from the exchanged information when using SSH public keys
> authentication. Otherwise that in itself would be a bug even bigger than the
> whole Heartbleed issue.

Really? My admittedly limited understanding is that with enough of both plain and cypher text it is easy to break any key which isn't one-time. Its been well demonstrated (just google "ssh key cracking") that public key encryption is far from perfect; the best one can hope for is that one's private key is difficult to crack. Impossible is out of the question.

John Ralls

More information about the gnucash-devel mailing list