GitHub SSH key is Leaked - How bad is this?
VloĆŸit
- Äas pĆidĂĄn 7. 06. 2024
- GitHub Accidentally Exposed their SSH RSA Private key, this is the message you will get .
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s.
Please contact your system administrator.
Add correct host key in ~/.ssh/known_hosts to get rid of this message.
Host key for github.com has changed and you have requested strict checking.
Host key verification failed.
In this video I discuss how bad is this,.
0:00 Intro
1:10 What happened?
3:00 SSH vs TLS Authentication
6:00 SSH Connect
7:45 How bad is the github leak?
15:00 What should you do?
18:50 Is ECDSA immune?
github.blog/2023-03-23-we-upd...
Fundamentals of Backend Engineering Design patterns udemy course (link redirects to udemy with coupon)
backend.husseinnasser.com
Fundamentals of Networking for Effective Backends udemy course (link redirects to udemy with coupon)
network.husseinnasser.com
Fundamentals of Database Engineering udemy course (link redirects to udemy with coupon)
database.husseinnasser.com
Follow me on Medium
/ membership
Introduction to NGINX (link redirects to udemy with coupon)
nginx.husseinnasser.com
Python on the Backend (link redirects to udemy with coupon)
python.husseinnasser.com
Become a Member on CZcams
/ @hnasr
Buy me a coffee if you liked this
www.buymeacoffee.com/hnasr
Arabic Software Engineering Channel
/ @husseinnasser
đ„ Members Only Content
âą Members-only videos
đ Backend Engineering Videos in Order
backend.husseinnasser.com
đŸ Database Engineering Videos
âą Database Engineering
đïžListen to the Backend Engineering Podcast
husseinnasser.com/podcast
Gears and tools used on the Channel (affiliates)
đŒïž Slides and Thumbnail Design
Canva
partner.canva.com/c/2766475/6...
Stay Awesome,
Hussein - VÄda a technologie
Just a day after Github fired their whole engineering team in India
Modi hai toh mumkin hai
Why did they do that?
Whats worse. Is this is only a part of a whole series of unfortunate events. But id imagine bc they was the Microsoft that took access to my phone chromebook and pc. And nobody would help without me paying them thousands, but ubreakifix was nice enough to put an enterprise chromeOS over top of the corrupted firmware Microsoft did, so I bring it home and still no luck. But I've finally pieced the puzzle fully together. And weird thing is... Microsoft. Verizon, at@t, ubreakifix, and the way cloud storage, and the conflicting and confusing unclear explanations of, do this and I'll explain later, for a price. Tactics. No wonder people lose their minds in this world. They want the money and fame but won't take the blame. But I have about as much evidence as I need so I'll be going and talking to a lawyer about it all. And somebody... will pay for this. One way or another. And it's not me because... I will never stop until they prove me wrong.
Even github is accidentally pushing sensitive material, something really has to be done.
How safe do you want to be? Man-in-the-Middle yourself to check if ure pushing your private keys?
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." - Franklin from GTA 5
@@yeetyeet7070 Bruh, it wouldn't be that difficult to throw up a little notification saying "Hey dumbass, you're pushing private keys again".
@@acorgiwithacrown467 I meaan, if it was that easy, ppl would be doing it. Also kinda means you need to store all your private keys in one location that is constantly interfacing with other systems. In practice this would probably require management who know how important it is to do this properly, unlikely scenario imo))
something has to be done? humans make mistakes. end of discussion.
@@mishasawangwan6652 In that case remove the humans, problem solved.
"Beefstew" is not a stroganoff password
._.
Clever girl
đ
All your saucy secrets will get leeked.
Huh? Can someone please explain? đ
Thank you for explaining this. That warning scared me for a day or so. Didn't feel like Github did enough to explain or even alert that the issue was on their end...
Thank you very much Hussein. Always explaining simple and clear..
†love you boss, your work keeps inspiring me
Keep in mind that TLS cert authority listed in your browser is only as strong as the weakest managed Cert authority.
And the list of CAs is really small and 100% trustworthy. /s
You mean in a given connection right? Not in general?
@@NapanTR You know how that cute little padlock thing in the address bar works, right? If your connection is "secured" with a key that's been signed by *any* one of the hundreds of CAs marked as a "trusted root authority", the cute padlock shows up.
If you connect to your e-mail provider one day and your government decides to snoop on your connection and sign it with it's own CA, the cute little padlock will show up and you won't even notice, unless the users have been using certificate pinning, then it's obvious to the whole world the kind of shenanigans that's been happening.
But people are forgetful and either don't care or don't understand how any of this works, they see a cute little padlock and think "this is fine"... by the way, that exact scenario happened, too bad for the government in question they weren't expecting that the e-mail provider was also the developer of a popular web browser and decided to silently ship it with certificate pinning enabled for it's services.
But years go by, people forget, and that list of "certificate authorities" never seem to shrink, and browsers, old-fashioned e-mail clients, cool modern mobile apps and other software still won't let you easily (or at all) review how your connection was "secured" and warn you of any suspicious behavior, unless it's either something absolutely egregious or completely mundane (like an expired cert).
â@@NapanTR A CA can issue certs for any domain. You can set up your own CA or authorise your own list of CAs. Web browser developers have their own list of default CAs in their web browsers whose Certs are automatically trusted for any website. Much of the annual admin to show compliance / good practice is self certified by the CAs themselves to those browser devs. There have been occasions I have removed a CA from browser approved CAs. for a variety of reasons or dumped a browser vendor.
@@gcolombelli joke? nothing is 100% trustworthy
That's why I always set my username as my password. Can't steal what you already have. đ
that's a 10x developer move right there
$RILLIANT đ§ đŁ đ đ đ
Important subject to address, thanks!
Why did I forget to sub last time? HERE, take my time!
Our ci/cd broke because of this :(
Hi Hussein, your channel is very rare, there are not so many free reasoning about technology channels, all topics showed very well. But a have questions about async? very difficult to differ async from multithread. For example, if we launch operation in different thread and not wait result in main - so we can tell that it is async, bacause main not blocked. But it is not async because non-main thread is blocked, non-main thread have to be not-blocked too or not. If non-main thread is not blocked so i cant imagine how event loop controls main and another threads. Threre are a lot of such questions. So this is goo idea for video, how mulithreading really diifers from asyn aunder the hood. I mean primarly Java, maybie in JS its som different and more understandable
Great videos Hussein TY.
What I feel would be worse than potentially stealing a git push would be to add malicious code / a malicious commit to a git pull. Next time you push to the legitimate github again after your own repo has been infected with something malicious you're spreading it to all people who use your repository, and if it's done well enough, like by amending a pre-existing commit, you would likely not even notice that something is awry
amending a commit would result in a merge conflict on pull (if you already had the commit) or a non-fast-forward push
@@MatthijsvanDuin Sure, but not every repo has disabled force pushing. Bad practice for sure, but probably normal in more workflows than one might assume.
Naturally there's easy measures to prevent such things, such enforcing signed commits or preventing force pushes, etc. but not everyone uses those
@@insu_na Force-push can be useful and I certainly do use it myself too, but only in cases where I know exactly why I need it. If you're using it just because you got your push rejected then you've probably just destroyed a commit from someone else working on the project.
Hi Hussein, can you make a video explaining: "Internet Computer Protocol (ICP)" ?
What may be the issue if same host public key is used in multiple systems? Thanks.
Couldn't we implement some sort of system into git which checks to see if someone is accidentally pushing a sensitive key? I know we have gitignore but that doesn't solve negligence. If the key never changes, it should be as simple as something to check if the text string exists in the push, and then block the push
this already exists.
Something similar exists, but the specific implementation you're suggesting is a bad idea... You're suggesting to check for a specific string, to do that you'd have to put your sensitive information in your code because you need to know what to check for... And RSA private key is just one secret... You'll check for all different secrets? Well, imagine that part of the code leaks, ALL of your secrets would leak. A better approach is to check if something looks like a secret, if it does warn the user, but still let them push if they really want to.
Someone should create an encryption algorithm where the user provably canât know let alone leak their private key, just use it. It would run in a manner that differs every time so that even stealing the device wouldnât compromise it, and identify who actually is trying to use it at any given time and check their soul to make sure they are both authorised and acting in good faith.
Not possible
I wonder why the ssh protocol doesnât have a similar crl/oscp mechanism like tls. Makes too much sense to have that central authority for veryifing if that key is still valid.
It does. And on DNS
another one.
It does, but no central authority exists for it. The OpenSSH team probably doesn't want to push a provider and probably not all clients/servers support it. StepCA offers a semi automated way of setting it up with your own CA for it and I will say it's useful in an enterprise setting.
A huge concern yet I doubt much actually happened from it. If some one setup and got the key and used it on a large companies local Lan. They probable were ready for it. Otherwise probable no one even tried to use it.
If u have ssh with github.. do you need to change your keys or can your pc can be hacked?
Thank you so much sir
Is it safe to use git with github 11 April 2023? Did they patch the vulnerabity?
Hey I don't know enough about RSA, but would archived/old internet traffic sessions with github be vulnerable to decryption now?
Chat GPT helped me out lol: If an RSA key gets leaked, any past communication that was encrypted using that key is vulnerable to decryption. This is because the RSA algorithm uses public-key cryptography, which means that anyone can use the public key to encrypt a message, but only the owner of the private key can decrypt it.
If the private key is leaked or compromised in some way, an attacker could potentially use it to decrypt any messages that were encrypted using the corresponding public key. This includes not only past communication, but also any future communication that uses the same key pair.
Therefore, if an RSA key gets leaked, it is important to stop using that key pair immediately and generate a new one to ensure the security of future communication. It is also recommended to assess any potential damage that may have been caused by the leak and take appropriate measures to mitigate it.
So maybe all passwords used with archived network sessions could be decrypted, and are insecure now?
I had an rsa key in my .ssh folder but I never got this error. how is that possible?
Did this have anything to do with them laying off their entire developer team in India?
đđ
I really appreciate I got the key and I withdraw my 2BTC
what is wrong with the preview images for chapters in your video, all chapters show same preview image instead of showing preview from that chapter.
I just had my VNC accidentally open for months. It's scary stuff and can open to anyone.
You could argue https is the most secure but also the least secure
The certificate authority check is what makes and breaks it
All that has to happen for it to be broken is someone add their certificate to the trusted root of your device and from there they could intercept a lot
Affects a lot of programs except for programs that pack their own certificate authorities like Flutter based programs
Also Chrome when HSTS is not turned off is safe
This is an integral part to how i reverse engineered API's from apps and programs that use certificate pinning
This means if an attacker can get access to your device either remotely or physically, and run an elevated shell, you could be compromised
"if an attacker can get access to your device either remotely or physically, and run an elevated shell, you could be compromised" is the very definition of being compromised, doesn't have anything to do with https per se.
If someone can access an elevated shell on your server, you can be compromised in literally thousands of ways.
@@B20C0 depends on what you define as an attacker
From the perspective of a backend developer protecting against malicious clients (bots, custom third party clients, etc) the owner of a device could very well be defined as an attacker
@@BRUHItsABunny It doesn't matter what you define as an attacker. KISS:
If someone has access to an elevated shell who shouldn't have, you have to view all systems that the wrongfully elevated user has access to as compromised unless you can VERIFY it's not (for example with filesystem checksums on an external system and other tools).
You can call it an attacker or Bugs Bunny, it doesn't matter.
HTTPS is not technically more secure, it just has a method to revoke keys because it presumes they are going to be leaked. So CRL can be automatically pushed and all the keys are immediately made invalid.
"Also Chrome when HSTS is not turned off is safe"
Its "pointless" safe if the attacker already has root access to inject root certs, they can already turn off HSTS in Chrome if they want.
Or inject any process and do VirtalReadForeignMemory (or whatever that API is called) and read everything decrypted.
đđ I will always tell people's about what you have done for me all thanks very much
Recently some folks from GitHub got fired , what a coincidence !
Oh well that kind of sucks, gotta be really careful with what you push. Always double check the staged changes guys đ
If someone managed to insert an entry to the host file, redirecting to a spoofed GitHub that would also be pretty bad...
even if the github server private key were compromised, the attacker still need your public key in order to decrypt the content. your public key were stored in github when you wanted to setup your ssh configuration before being able to use ssh feature. the problem is if github compromised private keyâs public key is added to its own âknown_hostâ. then good luck to us all connected clients.. which i think itâs quite likely to be hence why they regenerated new key pair.
what do you mean by "the problem is if github compromised private keyâs public key is added to its own âknown_hostâ." I don't undestand that
the attacker wouldnât need your public key stored on github. that key is for authentication purposes. the messages sent from client to server are encrypted using githubâs public key. therefore, yes, the attacker could decrypt it using the leaked private key.
You are right. I forgot that RSA is less secure since it encrypt the message with the recipient public key and recipient only need to decrypt it with its private key.
Compared to - encrypt with both sender private key and recipient public key - and - decrypt with both sender public key and recipient private key.
if someone dns poisons your connection to github then they can supply chain attack you with bad upstream code... but that's it and unless you're like working in a bunker no one would bother and you're probably not pushing to github.
!In Microsoft we trust.
could be related to github india layoff
Oh yeah, I'm definitely thinking the same as well. Former disgruntled employees said fuck it and took them down.
i thought the whole point of RSA keypairs is to not type in any password .. all the attacker's server (from the example) can get, is your public key, which is not a problem. What am i missing? Of course you can set a password on your own private key, but that's handled on the client. That someone can impersonate Github is of course still a nasty thing.
the key issue is the "someone can impersonate github"
what your missing is this: a private key is an identity. it proves who you are. you can think about it like: someone stole your social security number. this is not a perfect example but i hope it gives you an idea.
â@@mishasawangwan6652 yeah but it's not MY private key .. what i mean is, where is the harm for me as a enduser, why should i care? i see no scenario where any attacker can actually do something with it, therefore the question :)
â@@helmchen1239 Technically, you shouldn't. Really, it's just GitHub saying, hey, we changed our private key, if you get the message that says something changed, that's all good and normal.
@@helmchen1239 ah i misread your question. thank you for clarifying. anyway: let's say github's PK remained compromised. what does that mean for you as an enduser? that depends. maybe no impact at all but maybe it means they steal your code, CC or PII etc.. what if you're an enterprise? a bad actor _could_ do this with github's key because this private key is what identifies github as an entity. steal someones identity and.. well.. i think you get it by now :)
ssh should also start supporting certificates similar to https.
Github laid off entire engineer workforce from India. was the team responsible? Or is the new team not good enough ?
Let's be honest. This was on purpose, and was so the government could access all code.
Let's get real. The incentives are so strong that it'd be daft to think otherwise.
bruh the government could just send github an email saying "please send me the contents of mojang/minecraftpe" or whatever
I had to regenerate my keys to connect.
yeah totally like this stuff đ
Vikings use "Norse code" to communicate.
Ok thats enoughđ
@@ttrss đ
Microsoft at it again.
If TLS private key would be pushed it gonna be even bigger disaster, because it's gonna ruin the entire trust chain.
very useful
Twitter, then Facebook and who is next?! Is this an agenda?
what does this mean? do i have to chagne my gh password? im too illiterate,please break it dowm for me.
SSH will forcibly fail if there is a MISMATCH, not just a missing key.
And the guys over SSH protocol keep saying they don't need CRLs and repudiation that TLS has, well, you got owned.
This isn't anything new, it keeps happening over and over again, keys do leak...
I've never trusted the damn thing so this completely predictable error doesn't affect me at all.
sshhh! It's a secret.
That sounds entirely correct and it is terrifying. However, it probably will mean a big spike in available work for security pros. Sounds like I picked an excellent time to start studying for sec+
This is gonna be a headache.
I totally saw this and I ended up making a new key and deleting the old one anyway.
you don't get asked passwords if you connect through ssh
Password authentication is still a thing in SSH. Yes public key authentication is possible but so are other methods. Depending on the server configuration
@github your key leaked
That warning is annoying
Github should have communicated to the users in a better way
Tomorrow and forever
It's fairly simple to replicate this scenario:
1 Ssh to a local host and accept the host key.
2 As root delete all the id_ from /etc/ssh private keys
3 restart sshd
4 logout and try to log back in
let's be real
if you login to github & push stuff to private repos,
are you really going to do it with starbucks wifi, where anyone could be looking at your screen anyway, and the router could be compromised by 1000 different ways?
plenty of people work in starbucks, pushing code to their private repo. However they probably use at least VPN, and if the key wasnât leaked the strick checking would have prevented any man-in-the-middle attack that concerns SSH. Youâd need more than a router to break SSH, for example the ability to run faster than the dev while carrying said devs laptop.
(personal git server)
Is there a way to delete from GitHub?
yes you can git rebase then force push
@@LiEnby so that will remove my .htpasswd from the repo? Cool thanks
I can tell a huuuge and very confusing story that I still don't quite understand fully because nobody will help me lmao. And last time I called for help from what I thought was microsoft. But. Making more and more sense the more I dig. But still don't know linux nor can I get all this shit fixed. :/
So still no actual help for the person effected. They just sit back at watching. It's destroyed my entire network and every computer on it. Had just started to try to learn linux. But now I'm in some type of botnet and still no help. No questions on how i got to this spot. Nothing. So they accidently push their private code TO me. Then I accidently run the script as root. But had to use linux because the ransomware Microsoft group I called way back in January of 2022 took my Microsoft pcs. Nobody would help me back then unless I payed thousands. Find this program MedicatUSB and accidently run that as root because I followed different videos. And it was crammed in my head to run things as root. So basically it's destroyed my entire network and every pc I had and also ruining every PC I go around.
I'm still watching this every day trying to see if anything clicks that hasn't before. And I'm still like. Okay my authorization is still failing because it says self signed certificates. And shows a "intercept.ha" after all of this and I find that Wireshark network and I'm still like.... "how bad IS this..?" When I posted on the github community forums I got blocked. But surely... they see by now I wasn't lying about what I had been saying. Hope nobody else has to go through all this. Because they screwed me over pretty bad. The engineering team that is.
Why are you doing NIKE ads now? I hope you get at least well compensated.
I was working in a new place and I couldn'tt get access to the box for 2 weeks because the admin was putting an extra space in my public key *facepalm*
Classic
This couldn't have come at the worst time for me
I just started a new job
And it keeps breaking npm
@@dr5290 man, that day would be painful
@dr5290 this makes my panic worse đ€Łđ€Ł
It's a 10 second fix...
@1337kaas i know
But it still kept giving me errors
Fixed now though
Dude, no one is using ssh nowadays, that's why the default behavior is https, try to make real content
Are you living under a rock? In many organizations SSH is the norm for git clones. And every Linux remote server is managed through SSH...
@@1337kaas yeah... But this is about just one key, I'm sre, so I know what I'm talking about. Ssh is the norm mostly with self hosted git servers like gitlab, not GitHub. Also, what does every other Linux server has to do with this video? Stay on track dude
@@skeletico well, you're saying nobody is using ssh nowadays which is just not true
"Try to make real content" really? It's a great video with informative content about ssh host keys and you're passing it off as not real content. Have some more respect for the great content you are offered for free of charge.
@@1337kaas yeah, it's sensationalism, I usually think of content like actually proven facts as real content, my bad
I was wondering why I couldn't ssh out of the blue đ