auditinggithubsshkeyquality

Auditing GitHub users’ SSH key quality

By Ben Cox

Notes
SSH
SSH key
key revocation
GitHub
public key
github users ssh public keys are public
this is good for sharing keys
collect database of these keys
github SSH mode
poor adoption of SSH mode on github in 2015
RSA, DSA, ed22519
512 bit keys factorable in 3 days
256 bit keys factorable in ~25 minutes
Texas Instruments calculator firmware signing key was broken
2008 Debian OpenSSH bug – randomness source flaw
https://github.com/g0tmi1k/debian-ssh
https://web.archive.org/web/20110723091928/http://digitaloffense.net/tools/debian-openssl/
https://www.itnews.com.au/news/aws-urges-developers-to-scrub-github-of-secret-keys-375785
https://github.com/FiloSottile/whoami.filippo.io

Recent Posts