Sign arbitrary data with your SSH keys

Your SSH public key is really the least of your identifiable information you’d be worried about because that’s the easiest to create a unique key for GitHub.

Nonsense. Would you say the same thing about a password? Would you make the same comment about a conversation over a messaging service? This is a configuration detail of an account setting -- not a blog post.

Privacy is not binary; there are many shades of grey. It is surprising that this is made public and while it is not necessarily wrong to provide this service (I'm fine with it; I see the utility) it is also reasonable to ask for a way to opt out.

Just because the functional security of a system isn't dependent on the exposure of a public component doesn't mean it should implicitly be shared.

Passwords are secrets. Public keys are not. So the comparison doesn’t work.

> Would you make the same comment about a conversation over a messaging service?

If it was a public messaging service like HN, or public comments on Twitter or Facebook, then yes.

> This is a configuration detail of an account setting -- not a blog post.

We could be here all day and night saying what this is or isn’t but it doesn’t address the point I was making. The moment you create a GitHub account you start leaking far more sensitive data than your public keys. Data that is far harder to create anonymously (unlike your SSH keys). Thus if privacy is a concern then you shouldn’t be using GitHub in the first place. Even git version control itself leaks information about you.

> Privacy is not binary; there are many shades of grey.

Ironic you state that when you’re the one applying privacy in a binary way. I’m saying the SSH public keys are a lower risk than other details you share in GitHub. Not that it’s a zero or 100% bad thing, which is the only pidgin holes you’re allowing for this discussion.

> It is surprising that this is made public and while it is not necessarily wrong to provide this service (I'm fine with it; I see the utility) it is also reasonable to ask for a way to opt out.

That’s literally the point I’ve been making.

If you agree that said platforms leak lots of other identifiable data (which you seam to) then thus it is a fair statement to say GitHub hiding public keys do little to enhance your privacy. And thus one can reasonably conclude that privacy argument doesn’t really hold with regards to SSH keys.

I’m happy to agree that it’s bad UX and probably should be advertised better so people are aware they should follow the (in my opinion best practice) of using a unique SSH key for GitHub.

Some platforms don’t publish users lists but it’s often the same platforms that like to post headline figures about their user base so I suspect not publishing user lists is more about a company being able to exaggerate its worth rather than privacy. Especially when those same platforms readily publish user names in every format aside one consolidated list.

In short, if a piece of information isn’t available on a social platform, or is frowned upon scraping, then odds are it’s more likely financially motivated than it is down to privacy. Given these same companies typically make their money from you handing over your data in the first place it would be naive to think they really care about your privacy.

https://therecord.media/security-agencies-leak-sensitive-dat...

The whole intention was to raise attention to a less often mentioned part of the information github exposes about accounts.

The parents quote I think is illustrative

> But for the “average person,” security does equal privacy, or should, so they find systems that could potentially expose their identity to be “insecure.”

And I’m not trying to pile on here, because I sympathize with that sentiment of “should”. But I think the two issues that make that never a real possibility are 1) privacy is actually a harder problem to solve than security and 2) companies aren’t incentivized to provide privacy.

Anything you provide online should by default be assumed to end up public, and as much as we might not want that, we all really need to assume that.

Edit If course you mean the new signing feature which will come to git and GitHub in the future. Sorry

Also, plenty of people collaborate in private on GitHub. It has free private collaboration these days, not to mention.. paid. While it never strongly irked me that SSH public keys are visible, it’s not really that obvious. And I don’t buy the “but it has public in the name!” bit either. Sure, it’s not made to be confidential, but that doesn’t mean it should be published indiscriminately. I mean, I’m using it to authenticate to GitHub, and nobody browsing GitHub needs it.

Having them visible by default can be convenient. I’ve used it to populate authorized_hosts for example. However it is unnecessary and unexpected. If you use different private keys on each machine, it reveals a lot of opsec info you may not have expected to be public.

It’s a “public” key in the cryptographic sense, not in the address book sense.

I disagree. The article points to simplifications that SSH did compared to GPG, like no web of trust.

But there's now something very close to one, a bit hidden though: SSHFP + DNSSEC

I think a lot of people here may not be familiar with SSHFP records, so check https://fanf.livejournal.com/130577.html for a more detailed explanation.

It's more or less a work around the problem of initially trusting a key, by using SSHFP records to verify that the server keys are validated by the domain, with DNSSEC validating the whole thing.

When you can match server keys to domains and user keys to github users, you are just one link away from having a global picture of the web of trust.

EDIT: and I wonder how feasible it would be to do just that with a sniff of the initial handshake

> because that’s the easiest to create a unique key for GitHub

And how many people do you think have done that, instead of uploading the keys of the servers/laptops/etc. they use?

I hate to say this, but Bitcoin did it right: by having a discardable private+public pair of keys derived from a seed key, it prevents leaks of information by correlation based on the public key.

Equally they might use the same user name as on other services, thus making them traceable.

Ultimately if you care about privacy then it’s up to you, the individual, not to share that information or to provide anonymous information yourself.

Sharing identifiable information and then blaming the company you shared it with is like blaming the horse for bolting after you’ve intentionally left the barn door open. Sure it should be that way but ultimately it’s your own responsibility to keep your stuff safe.

I’d agree with your point more if you were advocating that documentation should be more explicit. Ie helping educate users into making smarter choices.

So your argument against SSH keys are just as valid for all the other items of meta data you’re dismissing as not a privacy problem.

And that’s the point I’m making. If you care enough about privacy that your public SSH key is an issue, then creating a GitHub account is not the brightest idea regardless of their policy on public SSH keys.

I don’t disagree that GitHub could do a better job documenting this risk nor that an ideal scenario would be giving users the option. But they’re all just side stepping the real issue that this is not a privacy because of the fact that public SSH keys are not more of a risk than any of the other data you’re already volunteering to be published by virtue of signing up to a social platform.

If you want privacy then host your own git server (it’s really easy!) because GitHub is designed around sharing, not privacy.

It’s weird the number of people here who don’t realise that convenience and privacy are often opposing forces and I bet the majority complaining don’t even pay for their GitHub account. Yet they are still complaining about specific aspects of privacy while willingly handing over a crap load more identifiable information for free. The whole debate here screams of security theatre: privacy for show rather than actual safeguarding of personally identifiable data.

The setup process looks a bit crazy, so I’m hoping it’s gotten easier since 2014? I would love to test it out, but life is too short for the process they’ve outlined...

You are correct.

> The setup process looks a bit crazy, so I’m hoping it’s gotten easier since 2014?

I don't think I used that in uni, so I can't tell you how complicated it was. It's just a nice didactic article that I found explained all the details.

In practice in 2021, you run a sshfp script on the server, and publish the output of the script on your DNS by adding a key.

If you use scripted DNS, it's a one step process, if not, a 2 step process.

These are not binary attributes. A public key absolutely can be a secret, and in many cases should be.

> If it was a public messaging service like HN, or public comments on Twitter or Facebook, then yes.

You're avoiding the question because in this case it isn't a "public messaging service." It's an attribute of an account configuration.

> Thus if privacy is a concern then you shouldn’t be using GitHub in the first place.

Nonsense. What if I use a private email for my github account? What if I only use private repositories?

You're repeatedly making an error of portraying privacy as black and white and it simply is not.

> I’m saying the SSH public keys are a lower risk than other details you share in GitHub.

No, you made a categorical, absolute statement that "If you need privacy then you shouldn’t be uploading to GitHub in the first place."

This statement is utter nonsense. Now you're just arguing that you didn't say what you actually said.

> That’s literally the point I’ve been making.

No, your statement that we're discussing was "If you need privacy then you shouldn’t be uploading to GitHub in the first place."

This statement is flatly incorrect. Your comments are demonstrably false, and your followups are irrelevant deflections.

I answered your question despite it being a straw man argument.

> No, you made a categorical, absolute statement that "If you need privacy then you shouldn’t be uploading to GitHub in the first place." This statement is utter nonsense.

Thus far all the arguments you’ve made have been either unsubstantiated or straw man.

Take the quote above, you argue it’s nonsense but offer zero evidence to back up that remark.

> Now you're just arguing that you didn't say what you actually said.

You’re changing the subject again instead of providing a counter argument. I’ve made my points clear, with examples as to why I’ve came to that conclusion, and there’s history of our chat in this forum.

This is clear an emotive topic for you but if you want to prove me wrong then please at least stick to the subject.

You didn't, and I think that's all that needs to be said. There's no need to address the rest of your comment. I don't care to engage in whatever it is you're doing.

http://www.paulgraham.com/disagree.html

Thus far we’ve seen DH2, DH3 and DH4 but you haven’t yet refuted my central argument (nor even anything close to it) despite posting a multitude of emotionally charged paragraphs.

Now take a look at the discussions I’ve had with others in this thread. They’ve been on topic and informative. Unlike the responses from yourself.

I’m genuinely open to discussion, if you’re genuinely interested in having one.

Take another look at your own responses, vis a vis that article. You and I are done here.

Pity you couldn’t be bothered to hold a proper discussion here because some of your other posts in other threads have been informative. C’est la vie

> If you need privacy then you shouldn’t be uploading to GitHub in the first place. The moment you do that you’re publishing email addresses, other projects that you contribute too and potentially leaking your timezone by virtue of commit times.

You are wrong. GitHub doesn't have to leak anything, apart from your public SSH key.