7 comments

[ 3.0 ms ] story [ 25.5 ms ] thread
No idea where that title came from; it's not the title of the article (now) and it doesn't describe what they did. They didn't break TLS. Certificate owners leaked their private keys.

The innovation here was that they had scraped a lot of public keys for rapid identification of what the private keys were for.

The embedded YouTube video on this page is titled "We Broke TLS On Hundreds Of Websites," which is close enough to be a transcription error on the part of the submitter.
tl;dr: don't upload your private ssh keys to github or other public places.

I would say that I'm astonished by the number of people who apparently have done exactly that, but I guess at this point I really shouldn't be.

Many of these committed keys are test fixtures in repositories. As for how that happened, not entirely sure, but I am guessing that people just grabbed a key lying around like ~/.ssh/idrsa
This isn't really Github's fault (or Oracle, or whatever).

I'm pretty sure that in the old days, asymmetric cryptography was called "Secret Key Cryptography" (note the contrast with "Public Key Cryptography").

Anyway, the clue is in the word "secret", in "secret key" - you're supposed to keep it secret.

(FWIW, I'm pretty sure "secret key cryptography" refers to symmetric cryptography.)
I believe GitHub, GitLab etc needs to find a way to detect this and automatically make it reject git pushes across the platform automatically (with some way to say yes I really really want to do this). I know there are automation tools out there, but they’re not by default across all of these code repos. Humans will be humans and error, so we need top-down enforcement especially as places like GitHub have users of every knowledge and skill level.