Github reports fixing Heartbleed vulnerability

Christian Stimming christian at cstimming.de
Sat Apr 12 15:43:42 EDT 2014


On Thursday, 10 April 2014, 21:01:22, John Ralls wrote:
> On Apr 10, 2014, at 12:50 PM, Felix Schwarz <felix.schwarz at oss.schwarz.eu> wrote:
> > On 10.04.2014 19:52, John Ralls wrote:
> >> Valid points. You should ask Github, I’m only reporting. I’m in no way a
> >> crypto expert. I can speculate that Heartbleed might reveal enough
> >> information to crack the private key, maybe by making available both
> >> plain and encrypted versions of the exchange.
> > 
> > Maybe I'm exceptionally bad at reading but I don't see that Github
> > recommends changing the SSH key. Which paragraph did you refer to?
> > 
> > What I read it this:
> > """
> > What can you do about this?
> > …
> > 3. Revoke and recreate personal access and application tokens.
> > """
> > 
> > In #3 they are only referring to access and application *tokens* (which
> > are essentially generated, limited passwords) but no SSH keys. The link points
> > to a help page which also mentions SSH indeed - but to the best of my
> > understanding that's only because it is a help page which mentions all
> > "access credentials".
> 
> I read it as SSH keys are included in "tokens", but you can read it
> differently if you want. Paranoia is a personal decision. ;-)

No, "tokens" are something different: Github offers you the possibility to 
generate a private token that is used when triggering other external 
web services with confidential information, such as posting the latest commit 
message into some message board, etc. https://github.com/integrations
This is where the "token" is the shared private secret, stored both on Github 
and on the other web service.

As we don't use this for gnucash, we are not concerned.

One's private SSH keys are not concerned either.

Regards,

Christian

More information about the gnucash-devel mailing list