
GitHub Goons Give Away Private Encryption Keys

Some coders don’t seem to have grasped the nature of public-private key encryption, publicly posting private keys on the hugely popular GitHub open source website.

Public key infrastructure (PKI), built on asymmetric encryption, gives one person a private key, which they must never hand out if they want their messages to stay secret. The matching public key is made available to anyone the private key owner is happy to communicate with. The private key can unlock every message encrypted with that public key, so it is vital that it is kept safe.

GitHub member gaffes

But a host of files posted to GitHub contained those private keys, and even after GitHub took its search function offline, Google searches could easily retrieve them.

The problem came to light after Stack Overflow co-founder Jeff Atwood posted a link to a search that turned up cases where supposedly secure PKI-based communications had been set up through GitHub, and the private key had mistakenly been published instead of the public one.

Sophos, a UK security firm keeping an eye on the situation, noted that the software involved actually tells users which key is public and which is private, so mistakes like these should not happen.

“For all the software you’re likely to use, such as OpenSSH, OpenSSL and GPG, private keys are labelled with the text PRIVATE KEY,” wrote Sophos’ Paul Ducklin, in a blog post.

“And that’s the one you’re supposed to keep private!”
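Because the label Ducklin mentions is the same for OpenSSH, OpenSSL and GPG, it makes a cheap pre-commit check. The script below is an added example, not code from the article, Sophos or GitHub: it scans the files a hook passes to it and refuses the commit if any carries a PRIVATE KEY header. The hook wiring (staged paths arriving as arguments) is an assumption, and SAMPLE is a constructed input.

```python
"""Pre-commit check: refuse the commit if a staged file holds a private key.
Added example (not from the article, Sophos or GitHub) keyed on the signal
Ducklin describes: OpenSSH, OpenSSL and GPG label private keys 'PRIVATE KEY'.
Staged paths are assumed to arrive as arguments; SAMPLE is constructed."""
from __future__ import annotations
import re
import sys

# Matches '-----BEGIN RSA PRIVATE KEY-----' (OpenSSL), '-----BEGIN OPENSSH
# PRIVATE KEY-----', '-----BEGIN PGP PRIVATE KEY BLOCK-----' (GPG) and the
# like; '-----BEGIN PUBLIC KEY-----' and 'ssh-rsa AAAA...' lines do not match.
PRIVATE_HEADER = re.compile(
    r"^-----BEGIN (?P<label>(?:[A-Z0-9]+ )*PRIVATE KEY(?: BLOCK)?)-----$")

# Constructed sample file: a public key (fine) followed by a private key.
SAMPLE = """# deploy keys
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkq...constructed...
-----END PUBLIC KEY-----
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1r...constructed...
-----END OPENSSH PRIVATE KEY-----
"""

def find_private_keys(text: str) -> list[tuple[int, str]]:
    """Return (1-based line number, header label) for each private-key block."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PRIVATE_HEADER.match(line.strip())
        if m:
            hits.append((lineno, m.group("label")))
    return hits

def check(sources: dict[str, str]) -> list[tuple[str, int, str]]:
    """(path, line, label) for every private key in the given file contents."""
    return [(p, n, lbl) for p, text in sources.items()
            for n, lbl in find_private_keys(text)]

def main(paths: list[str]) -> int:
    """Exit 1 (git refuses the commit) when any private key is found; with no
    paths, scan the constructed SAMPLE so the script runs offline."""
    sources = ({p: open(p, encoding="utf-8", errors="replace").read()
                for p in paths} if paths else {"SAMPLE": SAMPLE})
    findings = check(sources)
    for p, n, lbl in findings:
        print(f"{p}:{n}: {lbl} staged; drop it from the commit and rotate it")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A key that was already pushed should be treated as compromised and rotated; blocking the commit only helps before it leaves the machine.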

Meanwhile, the GitHub search function remains down. “The search cluster has recovered, but we are keeping it offline while we perform some additional maintenance,” a message on the GitHub status page read.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
