
Github is exposing public SSH keys - appplemac
https://github.com/appplemac.keys
======
jrgifford
Duplicate. <http://news.ycombinator.com/item?id=5023665>

Also, it doesn't make a difference, since they are _public_ keys, like public
GPG keys. They also aren't the only ones that do this - LaunchPad.net (where
Ubuntu development takes place) also does it.

<https://code.launchpad.net/~jamesgifford/+sshkeys>

------
oh_sigh
So what? Is somebody going to factorize my public key?

This is only an issue if 1) Users are relying on github as a trusted source of
public keys, and 2) malicious users can modify the public keys.

------
geofft
It doesn't even have key names. Boring. (But useful -- I can provision
accounts on servers I run with "oh I set up .ssh/authorized_keys with your
Github keys"; thanks!)

------
jlarocco
Isn't being public the point of _public_ keys?

~~~
oh_sigh
A problem arises if users start to use github as a de facto trusted source for
public keys. Github's security standards are very high, but they have a large
potential attack surface due to all of the functionality they support.
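
The trust concern in this exchange, applied to the authorized_keys provisioning geofft describes, as an added example that is not part of any comment in the thread: keys taken from a `.keys` listing are installed only if their SHA256 fingerprint matches one pinned in advance. The function names, the sample keys (constructed filler, not real keys) and the out-of-band pinning step are assumptions of this example.

```python
import base64
import hashlib
import struct

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a decoded public-key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def sample_line(seed: bytes) -> str:
    """Constructed sample: ssh-ed25519 wire layout with filler bytes, not a real key."""
    name, pub = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(pub)) + pub
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

def vet_keys(keys_text: str, pinned: set) -> tuple:
    """Return (lines safe to install, [(line, reason)] rejected)."""
    accepted, rejected = [], []
    for line in filter(None, map(str.strip, keys_text.splitlines())):
        try:
            key_type, b64 = line.split()[:2]
            blob = base64.b64decode(b64, validate=True)
            (n,) = struct.unpack(">I", blob[:4])
            # The type named inside the blob must match the label on the line,
            # so a blob cannot be passed off under a different key type.
            if blob[4:4 + n].decode("ascii") != key_type:
                raise ValueError("key type label does not match blob")
        except (ValueError, struct.error) as exc:
            rejected.append((line, f"malformed: {exc}"))
            continue
        fp = fingerprint(blob)
        if fp in pinned:
            accepted.append(f"{key_type} {b64}")  # re-emit type and blob only
        else:
            rejected.append((line, f"unpinned {fp}"))
    return accepted, rejected

# Constructed data standing in for the body of https://github.com/<user>.keys
KNOWN, UNKNOWN = sample_line(b"laptop"), sample_line(b"added-later")
SAMPLE_KEYS = "\n".join([KNOWN, UNKNOWN, "ssh-rsa not-base64!!"]) + "\n"
# Assumption: this fingerprint was confirmed with the key owner out of band.
PINNED = {fingerprint(base64.b64decode(KNOWN.split()[1]))}

if __name__ == "__main__":
    ok, bad = vet_keys(SAMPLE_KEYS, PINNED)
    print("install:", ok)
    for line, reason in bad:
        print("reject :", reason)
```

A key that appears in the listing after the pin was taken shows up as `unpinned`, which is the signal to check with the account owner before granting access.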

------
RegEx
Launchpad accounts have ssh keys as part of public user profiles. Should be ok
:)

Ex: <https://launchpad.net/~brad-figg>

------
mattvanhorn
Can someone help me understand why it is a problem if my public key is, uh,
public?

------
antihero
Worst case scenario is that someone lets me access their server. Unless RSA is
busted, right?

------
kylemaxwell
In other news: HN is revealing the user names of its users! Film at 11!

