GitHub Goons Give Away Private Encryption Keys

Some coders don’t seem to have grasped the nature of public-private key encryption, publicly posting private keys on the hugely popular GitHub open source website.

Public key infrastructure (PKI), or asymmetric encryption, sees one person keep a private key, which they should never give away if they want to keep their messages secret. A public key is made available to those people who the private key owner is happy to speak to. The private key can unlock all messages sent using the encryption method, so it’s pretty important that the key is kept safe.

GitHub member gaffes

But a host of posts on GitHub contained those private keys. Even when the search function was removed from GitHub, Google searches could easily retrieve them.

The problems came to light after Stackoverflow co-founder Jeff Atwood posted a link to a search which brought up cases where PKI, purportedly secure communications were set up on GitHub, and where private keys were mistakenly revealed rather than the public one.

Sophos, a UK security firm keeping an eye on the situation, noted how many software programs actually tell users which keys are public and which are private, so mistakes such as these should not be made.

“For all the software you’re likely to use, such as OpenSSH, OpenSSL and GPG, private keys are labelled with the text PRIVATE KEY,” wrote Sophos’ Paul Ducklin, in a blog post.

“And that’s the one you’re supposed to keep private!”

Meanwhile, the GitHub search function remains down. “The search cluster has recovered, but we are keeping it offline while we perform some additional maintenance,” a message on the GitHub status page read.

How well do you know Internet security? Try our quiz and find out!