Github reports fixing Heartbleed vulnerability
Derek Atkins
warlord at MIT.EDU
Fri Apr 11 11:57:19 EDT 2014
John Ralls <jralls at ceridwen.us> writes:
> On Apr 10, 2014, at 10:39 AM, Matthijs Kooijman <matthijs at stdin.nl> wrote:
>
>> Hey John,
>>
>>> I’ll add that if you’ve used a github ssh key anywhere else you should
>>> replace it there as well — and use a different key this time.
>> Huh? github only has your public SSH key, so there should not be any
>> reason to replace it AFAICS? At most double-check if they still have the
>> correct key listed, under the assumption that attackers might somehow
>> managed to get write access to github's data (for which there is no
>> indication, though).
>>
>> Or am I misunderstanding something here?
>>
>
> Valid points. You should ask Github, I’m only reporting. I’m in no way
> a crypto expert. I can speculate that Heartbleed might reveal enough
> information to crack the private key, maybe by making available both
> plain and encrypted versions of the exchange.
>
> I added what I did because if the key is compromised on Github it’s
> compromised everywhere else you use it.
Except the whole point of public/private key pairs is that the
compromise of github does not affect the security of your private key
that you maintain on your laptop. Morever, the very nature of
public/private cryptography is designed specifically so you CAN use the
same key on multiple sites. Someone who breaks into one of the servers
CANNOT use your public key to act as you, because it is infeasible to
generate the private key from the public key.
So with my Crypto/Security Hat on, I would suggest that there is no need
to rekey your personal ssh keys, and there is no need to use a different
key pair for each service that you use. However you may consider
rekeying your Server SSH Keys.
> Regards,
> John Ralls
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available
More information about the gnucash-devel
mailing list