Poll: Securing SSH keys

3 points by 3pt14159 ↗ HN
About 95% of developers I know use OSX as their primary development machine. The remaining 5% are generally running Ubuntu/Debian, or maybe BSD or a lesser known Linux variant. Personally I dual boot Ubuntu / OSX, but I have SSH keys on both.

Generally I see people install all sorts of software on OSX. I try to be careful, but at the end of the day I want to edit photos and sometimes play computer games. Or sometimes a client wants to Skype.

It recently occurred to me that any of these applications could silently just take my SSH keys. How is this not a major problem? If we're the ones developing the software these keys could be used to put back doors into our applications. Even if you password encrypt the key the application could still enable a keylogger once it detects that Terminal has opened.

The only thing I can think of is developing on a as-clean-as-possible computer (ie, only Linux and maybe Chrome), but even then I'm still depending on all of you guys to not lose your keys because I'm not auditing every library out there. Sure the larger ones may have 100 eyes on them, but there is a long tail that could go completely unnoticed. Plus Chrome and flash are closed source anyway, so that is really all they would need.

(Vote multiple times if needed, please only vote if you have SSH keys).

0 comments

[ 5.2 ms ] story [ 12.7 ms ] thread

No comments yet.