GitHub Publishes RSA SSH Host Keys by Mistake, Issues Update
Recently GitHub seems to be getting its fair share of problems. It all started with the user who published Twitter's source code on GitHub, a user who remains unidentified as Twitter takes GitHub to court in an attempt to find the culprit.
GitHub updated its SSH key after accidentally publishing the private key to the entire world. Huge blunder. A post on GitHub's security blog reveals that the company has changed its RSA SSH host key. This is bound to cause a connection error and a frightening warning message for a lot of developers. Developers can rest assured that it is not scary hacker activity, just plain human error.
Microsoft's GitHub is one of the largest source code companies in the world, with an estimated 100 million users. Given how many users the company has, this is bound to make a lot of people nervous. Most users don't have to worry, because it is not the end of the world. If you push and pull to GitHub via SSH, which is common, it simply means you have to delete the old GitHub host key stored on your machine and accept the new one.
How to Identify the Problem
As I've already mentioned, the first symptom of this problem is an alarming warning from your SSH client that GitHub's host key has changed.
For most people this warning will be a false alarm, because it does not necessarily mean you are being attacked. It appears only because GitHub has retired its old key and published a new one. Hanlon's razor comes to the rescue here; it states:
“Never attribute to malice that which can be adequately explained by stupidity”
The word stupidity can also be replaced by the word incompetence. All this time the problem was plain old human error. As most regular readers know, it is fine to review, publish and share public keys, but private keys must always be kept private. If a private key ever gets out through an accidental publish, anyone who has it can easily pretend to be you.
SSH also supports cryptographic algorithms other than RSA for its keys. GitHub's ECDSA and Ed25519 host keys weren't published, so they remain unchanged.
GitHub isn't giving any names or hints about who published the key or from where, although, considering how these things usually go, I suspect we'll be getting more information soon. For now I recommend that you delete the old key and add the new one as soon as you can.
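The remediation recommended above, as an added example that is not from the article or from GitHub: a POSIX shell script that removes the stale github.com entry from a known_hosts file and installs the replacement key only if its fingerprint matches the one GitHub published. The fingerprint and public key line are placeholders to fill in from GitHub's blog post, and the sample known_hosts content is constructed.

```shell
#!/bin/sh
# Added example (not from the article or GitHub): remove the stale github.com
# host key from known_hosts and add the replacement only after its fingerprint
# matches the value GitHub published. The two values below are placeholders.
set -eu
EXPECTED_FP='SHA256:<paste the published RSA fingerprint here>'       # placeholder
NEW_KEYLINE='github.com ssh-rsa <paste the published public key here>' # placeholder
count_lines() { wc -l < "$1" | tr -d ' '; }
# remove_host_key FILE HOST: delete every plain (unhashed) entry whose hostname
# list contains HOST and print how many lines were removed. Interactive
# equivalent: `ssh-keygen -R github.com`, which also handles hashed entries.
remove_host_key() {
    file=$1; host=$2; before=$(count_lines "$file")
    awk -v h="$host" '{
        n = split($1, hosts, ","); keep = 1
        for (i = 1; i <= n; i++) if (hosts[i] == h) keep = 0
        if (keep) print
    }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo $(( before - $(count_lines "$file") ))
}
# key_fingerprint KEYLINE: SHA256 fingerprint of one known_hosts line, field 2
# of `ssh-keygen -lf` output (e.g. "3072 SHA256:... github.com (RSA)").
key_fingerprint() {
    t=$(mktemp); printf '%s\n' "$1" > "$t"
    ssh-keygen -lf "$t" | awk '{ print $2 }'; rm -f "$t"
}
# install_host_key FILE KEYLINE ACTUAL_FP EXPECTED_FP: append KEYLINE only when
# the fingerprints agree; otherwise return 1 and leave FILE untouched.
install_host_key() {
    [ "$3" = "$4" ] || return 1
    printf '%s\n' "$2" >> "$1"
}
# make_sample_known_hosts: constructed file for a dry run, holding two stale
# github.com RSA entries (plain, and paired with a TEST-NET IP) plus an
# unrelated host that must survive the cleanup. Key blobs are not real keys.
make_sample_known_hosts() {
    f=$(mktemp)
    printf '%s\n' \
      'github.com ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedSTALEblob==' \
      'github.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedSTALEblob==' \
      'git.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedNOTreal' > "$f"
    echo "$f"
}
if [ "${1:-}" = "--apply" ]; then   # real run, after filling in the placeholders
    kh="$HOME/.ssh/known_hosts"; remove_host_key "$kh" github.com > /dev/null
    install_host_key "$kh" "$NEW_KEYLINE" "$(key_fingerprint "$NEW_KEYLINE")" "$EXPECTED_FP" ||
        { echo "fingerprint mismatch, new key not installed" >&2; exit 1; }
fi
```

Without `--apply` the script only defines the functions, so it can be sourced and exercised against the constructed sample file before touching a real known_hosts.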