Users with weak SSH keys had access to GitHub repositories for popular projects

Discussion in 'Network World' started by RSS, Jun 3, 2015.

  1. RSS

    A number of high-profile source-code repositories hosted on GitHub could have been modified using weak SSH authentication keys, a security researcher has warned.

    The potentially vulnerable repositories include those of music streaming service Spotify, the Russian Internet company Yandex, the U.K. government and the Django Web application framework.

    Earlier this year, researcher Ben Cox collected the public SSH (Secure Shell) keys of users with access to GitHub-hosted repositories by using one of the platform’s features. After an analysis, he found that the corresponding private keys could be easily recovered for many of them.

    The SSH protocol uses public-key cryptography, which means that authenticating users and encrypting their connections requires a private-public key pair. The server configured to accept SSH connections from users needs to know their respective public keys and the users need to have the corresponding private keys.
