#Fail: GitHub Publishes RSA SSH Host Keys BY MISTAKE

Well this is embarrassing.

GitHub has had to rotate its RSA SSH host key after the private half of it was briefly exposed in a public GitHub repository, which is to say published to the entire planet.

A post on GitHub's blog reveals that the company has replaced its RSA SSH host key. Only the RSA key was affected; GitHub's ECDSA and Ed25519 host keys are unchanged, so clients that use those never notice. Anyone who had the old RSA key pinned in known_hosts, however, will get the frightening "REMOTE HOST IDENTIFICATION HAS CHANGED!" warning and a refused connection until the stale entry is removed and the new key is pinned. But don't worry, developers: GitHub hasn't been pwned. They just screwed up. But everything will be fine.
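What that cleanup actually involves on the client side, as an added example that is not from the original post, from GitHub, or from OpenSSH: remove every stale ssh-rsa entry for github.com from known_hosts (including entries written in the HashKnownHosts form, which plain text search will not find), then pin the new key only after its SHA256 fingerprint matches a value obtained out of band from GitHub's published fingerprint list. The keys and the known_hosts file below are constructed toy data with tiny moduli; none of them are real keys, and the expected fingerprint is derived from the toy key purely so the script runs offline.

```python
import base64
import hashlib
import hmac
import struct


# --- OpenSSH public-key wire format helpers -------------------------------
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    # Big-endian two's complement; the spare byte keeps a set high bit from reading as negative.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_pubkey_b64(e: int, n: int) -> str:
    """Base64 blob of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)).decode()


def make_ed25519_pubkey_b64(point: bytes) -> str:
    """Base64 blob of an ssh-ed25519 public key: string "ssh-ed25519", string point."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(point)).decode()


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint as `ssh-keygen -lf` prints it: unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# --- known_hosts handling ---------------------------------------------------
def hashed_hostname(host: str, salt: bytes) -> str:
    """The HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(hosts_field: str, host: str) -> bool:
    """Match a known_hosts host field: plain, comma-separated, or hashed.
    Wildcard and negated patterns are not handled, to keep the example short."""
    if hosts_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hosts_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in hosts_field.split(",")


def rotate_host_key(known_hosts: str, host: str, key_type: str,
                    new_key_b64: str, expected_fp: str) -> str:
    """Drop every `key_type` entry for `host` and pin `new_key_b64` instead,
    but only if its fingerprint equals the value obtained out of band."""
    actual = fingerprint(new_key_b64)
    if not hmac.compare_digest(actual, expected_fp):
        raise ValueError(f"refusing to pin {host}: got {actual}, expected {expected_fp}")
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            kept.append(line)
            continue
        if fields[0].startswith("@"):      # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) >= 3 and fields[1] == key_type and host_matches(fields[0], host):
            continue                        # stale entry for the rotated key type
        kept.append(line)
    kept.append(f"{host} {key_type} {new_key_b64}")
    return "\n".join(kept) + "\n"


# --- constructed sample data: toy moduli, not real keys and not GitHub's -----
OLD_KEY = make_rsa_pubkey_b64(65537, 0xC0FFEE1234567890ABCDEF)
NEW_KEY = make_rsa_pubkey_b64(65537, 0xDEADBEEF0123456789ABCD)
OTHER_KEY = make_rsa_pubkey_b64(65537, 0xCAFEBABE9876543210FEDC)
ED_KEY = make_ed25519_pubkey_b64(bytes(range(32)))
HASHED_GITHUB = hashed_hostname("github.com", b"S" * 20)

SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts, not a real one",
    f"github.com,192.0.2.10 ssh-rsa {OLD_KEY}",
    f"github.com ssh-ed25519 {ED_KEY}",
    f"{HASHED_GITHUB} ssh-rsa {OLD_KEY}",
    f"gitlab.com ssh-rsa {OTHER_KEY}",
])

# Stand-in for the fingerprint you copy from GitHub's published list. In a real
# rotation it must come from that page, never from the key you just fetched.
EXPECTED_FP = fingerprint(NEW_KEY)


def demo() -> str:
    return rotate_host_key(SAMPLE_KNOWN_HOSTS, "github.com", "ssh-rsa", NEW_KEY, EXPECTED_FP)


if __name__ == "__main__":
    print(demo())
```

The real-world equivalent is `ssh-keygen -R github.com` (which removes every key type for the host, not just RSA), then `ssh-keyscan -t rsa github.com` piped through `ssh-keygen -lf -` and compared by eye against GitHub's fingerprint page before the line is appended. The point the script makes is the same: a changed host key is exactly the situation a man-in-the-middle wants you to click through, so the new key is never trusted on the strength of the fetch alone.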

#Sarcasm

Kevin Bocek, VP Ecosystem and Community at Venafi, had this comment:

“GitHub needs to take a closer look at how it manages its SSH keys as an exposure of this kind – no matter how brief – could have serious ramifications given the high level of privilege these machine identities are afforded. These critical machine identities are incredibly powerful and are used everywhere, but they’re also poorly understood and managed, making them a prime target for attackers. Unlike other machine identities, like TLS, SSH keys don’t expire. This means that a compromised identity could be abused for a long time – months or even years – without an organization knowing.

Fortunately, GitHub responded quickly to rotate the impacted machine identities once it noticed that the private SSH key was accidentally published in a public repository. And luckily, it doesn’t appear that they’ve been abused. But if an attacker had seized this opportunity, then it would have given them a very powerful weapon – potentially allowing them to spread across GitHub’s customer networks, eavesdropping on users’ connections, and accessing GitHub’s infrastructure too, while appearing completely trustworthy. In a machine-driven world, having a control plane to manage the lifecycle of machine identities is essential. As this incident shows, you can find yourself exposed very quickly and if not handled quickly, serious repercussions will follow.”

Hopefully GitHub learns from this and ends up with better practices for handling its SSH keys, so that it avoids not only the possibility of getting pwned, but also being the punchline of a joke.

Discover more from The IT Nerd