←back to thread

Sign arbitrary data with your SSH keys

(www.agwa.name)
637 points h1x | 5 comments | 13 Nov 21 09:13 UTC | HN request time: 0.006s | source
Show context
pizza ◴[13 Nov 21 10:03 UTC] No.29208734[source]
I get that they're "public" keys, but I was surprised to learn (and from somebody other than github themselves) that ssh public keys are just available at that github.com/username.keys URL (without there being an option to disable it, it seems?). Did most people already know that? Probably fine but just surprised. Just tried searching their authentication docs [0] and I don't get any results for "public key url" either

https://docs.github.com/en/authentication?query=public+key+u...

replies(26): >>29208748 #>>29208752 #>>29208754 #>>29208768 #>>29208790 #>>29208806 #>>29208828 #>>29208856 #>>29208877 #>>29208909 #>>29208990 #>>29209073 #>>29209103 #>>29209113 #>>29209243 #>>29209399 #>>29209634 #>>29210045 #>>29210085 #>>29210460 #>>29211355 #>>29211357 #>>29211783 #>>29212241 #>>29212499 #>>29213083 #
Edmond ◴[13 Nov 21 11:35 UTC] No.29209103[source]
>I get that they're "public" keys

From your quote around "public", I presume you think there is some sense in which they're not really public? They are and should ALWAYS be considered PUBLIC. If you find yourself ever crafting a security solution where public keys somehow need to be private or secret, go back to the drawing board or reach out to someone with serious expertise.

There are cases where information on a certificate (which is associated with a public key)may indeed need to be protected, in that case you need to implement an information mask (via hashing) that can protect the private information, we had to do something similar with Certisfy.com certificates. But public keys should be considered public without exceptions.

replies(8): >>29209253 #>>29209264 #>>29209312 #>>29209521 #>>29209535 #>>29210485 #>>29211342 #>>29211702 #
numair ◴[13 Nov 21 12:16 UTC] No.29209253[source]
> If you find yourself ever crafting a security solution where public keys somehow need to be private or secret, go back to the drawing board or reach out to someone with serious expertise.

I know you’re taking the “strict teacher” approach with your comment, but you’re totally wrong. And the reason you’re wrong is, security doesn’t equal privacy. But for the “average person,” security does equal privacy, or should, so they find systems that could potentially expose their identity to be “insecure.”

In this particular case, there have been past examples of using keys to fingerprint users without their consent. Yes, it’s been super edge-case and proof-of-concept, but for a lot of people — and perhaps more importantly, in a lot of jurisdictions — leaving a personal identifier sitting around like this (without ever informing the user!) is the very opposite of a best practice.

The end result is, you should only have a key on GitHub that isn’t used anywhere else. That’s what I do, and I’m sure lots of us on this comment thread do, but there’s definitely lots of My First Coding Bootcamp people who were guided through their GitHub account installations who might not have been aware that these are keys that shouldn’t be reused elsewhere.

I would have a very different view on this if GitHub had been explicit about the use of registered keys for other services. That’s a GREAT concept, but I’m not going to trust a company with that business when they’ve just backdoored themselves into it without asking for permission. And the problem for them is, in this particular situation you need the weird paranoid privacy crowd on your side for it to work.

replies(4): >>29209298 #>>29209614 #>>29209616 #>>29210172 #
laumars ◴[13 Nov 21 13:40 UTC] No.29209614[source]
If you need privacy then you shouldn’t be uploading to GitHub in the first place. The moment you do that you’re publishing email addresses, other projects that you contribute too and potentially leaking your timezone by virtue of commit times.

Your SSH public key is really the least of your identifiable information you’d be worried about because that’s the easiest to create a unique key for GitHub.

replies(7): >>29209725 #>>29209781 #>>29209999 #>>29210454 #>>29211406 #>>29212355 #>>29212552 #
throwaway09223 ◴[13 Nov 21 15:34 UTC] No.29210454[source]
"If you need privacy then you shouldn’t be uploading to GitHub in the first place."

Nonsense. Would you say the same thing about a password? Would you make the same comment about a conversation over a messaging service? This is a configuration detail of an account setting -- not a blog post.

Privacy is not binary; there are many shades of grey. It is surprising that this is made public and while it is not necessarily wrong to provide this service (I'm fine with it; I see the utility) it is also reasonable to ask for a way to opt out.

replies(1): >>29210621 #
laumars ◴[13 Nov 21 15:55 UTC] No.29210621[source]
> Would you say the same thing about a password?

Passwords are secrets. Public keys are not. So the comparison doesn’t work.

> Would you make the same comment about a conversation over a messaging service?

If it was a public messaging service like HN, or public comments on Twitter or Facebook, then yes.

> This is a configuration detail of an account setting -- not a blog post.

We could be here all day and night saying what this is or isn’t but it doesn’t address the point I was making. The moment you create a GitHub account you start leaking far more sensitive data than your public keys. Data that is far harder to create anonymously (unlike your SSH keys). Thus if privacy is a concern then you shouldn’t be using GitHub in the first place. Even git version control itself leaks information about you.

> Privacy is not binary; there are many shades of grey.

Ironic you state that when you’re the one applying privacy in a binary way. I’m saying the SSH public keys are a lower risk than other details you share in GitHub. Not that it’s a zero or 100% bad thing, which is the only pidgin holes you’re allowing for this discussion.

> It is surprising that this is made public and while it is not necessarily wrong to provide this service (I'm fine with it; I see the utility) it is also reasonable to ask for a way to opt out.

That’s literally the point I’ve been making.

replies(2): >>29211376 #>>29217443 #
throwaway09223 ◴[14 Nov 21 14:43 UTC] No.29217443[source]
> Passwords are secrets. Public keys are not. So the comparison doesn’t work.

These are not binary attributes. A public key absolutely can be a secret, and in many cases should be.

> If it was a public messaging service like HN, or public comments on Twitter or Facebook, then yes.

You're avoiding the question because in this case it isn't a "public messaging service." It's an attribute of an account configuration.

> Thus if privacy is a concern then you shouldn’t be using GitHub in the first place.

Nonsense. What if I use a private email for my github account? What if I only use private repositories?

You're repeatedly making an error of portraying privacy as black and white and it simply is not.

> I’m saying the SSH public keys are a lower risk than other details you share in GitHub.

No, you made a categorical, absolute statement that "If you need privacy then you shouldn’t be uploading to GitHub in the first place."

This statement is utter nonsense. Now you're just arguing that you didn't say what you actually said.

> That’s literally the point I’ve been making.

No, your statement that we're discussing was "If you need privacy then you shouldn’t be uploading to GitHub in the first place."

This statement is flatly incorrect. Your comments are demonstrably false, and your followups are irrelevant deflections.

replies(1): >>29217698 #
1. laumars ◴[14 Nov 21 15:23 UTC] No.29217698[source]
> You're avoiding the question

I answered your question despite it being a straw man argument.

> No, you made a categorical, absolute statement that "If you need privacy then you shouldn’t be uploading to GitHub in the first place." This statement is utter nonsense.

Thus far all the arguments you’ve made have been either unsubstantiated or straw man.

Take the quote above, you argue it’s nonsense but offer zero evidence to back up that remark.

> Now you're just arguing that you didn't say what you actually said.

You’re changing the subject again instead of providing a counter argument. I’ve made my points clear, with examples as to why I’ve came to that conclusion, and there’s history of our chat in this forum.

This is clear an emotive topic for you but if you want to prove me wrong then please at least stick to the subject.

replies(1): >>29217925 #
2. throwaway09223 ◴[14 Nov 21 15:54 UTC] No.29217925[source]
> I answered your question despite it being a straw man argument.

You didn't, and I think that's all that needs to be said. There's no need to address the rest of your comment. I don't care to engage in whatever it is you're doing.

replies(1): >>29218309 #
3. laumars ◴[14 Nov 21 16:42 UTC] No.29218309[source]
Have a read of the following and then you’ll understand my frustrations conversing with you:

http://www.paulgraham.com/disagree.html

Thus far we’ve seen DH2, DH3 and DH4 but you haven’t yet refuted my central argument (nor even anything close to it) despite posting a multitude of emotionally charged paragraphs.

Now take a look at the discussions I’ve had with others in this thread. They’ve been on topic and informative. Unlike the responses from yourself.

I’m genuinely open to discussion, if you’re genuinely interested in having one.

replies(1): >>29218444 #
4. throwaway09223 ◴[14 Nov 21 16:56 UTC] No.29218444{3}[source]
You've seen only DH6, a direct refutation of your central point which I'll quote for you again: "If you need privacy then you shouldn’t be uploading to GitHub in the first place."

Take another look at your own responses, vis a vis that article. You and I are done here.

replies(1): >>29218627 #
5. laumars ◴[14 Nov 21 17:17 UTC] No.29218627{4}[source]
So you are just trolling me then?

Pity you couldn’t be bothered to hold a proper discussion here because some of your other posts in other threads have been informative. C’est la vie