We updated our RSA SSH host key

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • ssh

  • It continues to amaze me that ssh still does not use https PKI and relies on the developer manually checking the fingerprint (which he supposedly does in a hard-to-Google location, and realistically he does not check anything). So much care and work went into implementing web security and developers still basically live in a self-signed world.

    At least put your key at https://github.com/.well-known/ssh/ed25519.pub so I don't need to Google it... And maybe some day ssh will support it natively. Someone needs to act first.

  • certificate-transparency

    (Discontinued) Auditing for TLS certificates.

  • openssh-portable

    Portable OpenSSH

  • I just tested it and looked at the code briefly; the client fortunately does seem to remove all keys not provided by the server: https://github.com/openssh/openssh-portable/blob/36c6c3eff5e...

    It seems like at least a `known_hosts` compromise would be "self-healing" after connecting to the legitimate github.com server once.

  • cli

    GitHub’s official command line tool

  • > - Most users don't password protect their SSH keys, but they often have a password manager with a master password that they can keep HTTPS token in.

    Are there password managers that actually seamlessly do that? GitHub's official docs (https://docs.github.com/en/authentication/keeping-your-accou...) for example recommend using the GitHub CLI to cache your authentication token for you, and as far as I can tell the token is stored unencrypted (https://github.com/cli/cli/issues/1773). If you don't do this you have to enter your password every single time you use Git, which is not good even if you have a password manager (it adds steps, and passwords aren't great to begin with because you send them in plain text to the server, and it is why Apple etc. are moving away from password-based authentication for websites).

    > - Nobody ever commits a private TLS key to a GitHub repo, but apparently they do with SSH private keys...

    I think the key issue here is this really shouldn't have happened. There is no reason why GitHub couldn't secure their SSH private key just like their TLS key.

  • keybase-issues

    A single repo for managing publicly recognized issues with the keybase client, installer, and website.

  • https://github.com/keybase/keybase-issues/issues/2963

    - "Overview of Certification Systems: X.509, CA, PGP and SKIP"

    ...

    - k8s docker vault secrets [owasp, inurl:awesome] https://www.google.com/search?q=k8s+docker+vault+secrets+owa... https://github.com/gites/awesome-vault-tools

    - Why secrets shouldn't be passed in $ENVIRONMENT variables; though e.g. the "12 Factor App" pattern advises to parametrize applications mostly with environment variables that show in /proc/pid/environ but not /proc/pid/cmdline

    W3C DID supports GPG proofs and revocation IIRC:

    "9.6 Key and Signature Expiration"

  • awesome-vault-tools

    Awesome tools around HashiCorp Vault

  • did-core

    W3C Decentralized Identifier Specification v1.0

  • https://www.w3.org/TR/did-core/#key-and-signature-expiration

    "9.8 Verification Method Revocation" https://www.w3.org/TR/did-core/#verification-method-revocati...

    Blockcerts is built upon W3C DID and W3C Verified Credentials, W3C Linked Data Signatures, and Merkle trees (and JSON-LD). From the Blockcerts FAQ

  • github-keygen

    Easy creation of secure SSH configuration for your GitHub account(s)

  • Disclaimer: I am the author and maintainer of github-keygen

    [1]: https://github.com/dolmen/github-keygen/
