359 sats \ 4 replies \ @xanny 24 Mar 2023 \ on: GitHub.com posted their RSA SSH key for the world to see - BEWARE bitcoin
Still using RSA in 2023 as well lol.
EdDSA ftw.
Backwards compatibility.
They mentioned their ECDSA and ED25519 key are not affected so they also use them.
Also, this incident has nothing to do with RSA. Could have happened with ECDSA and ED25519, too, no?
reply
Yes the incident is human error, but it reflects poor OPSEC - considering how big GitHub is, how difficult would it be to store their private keys only on Yubikeys or similar airgrapped devices instead of having them stored in plaintext where they can be accidentally copy/pasted? This is literally OPSEC 101 and these guys are owned by one of the biggest tech companies in the world. What else are they dropping the ball on?
Fair play on the backwards compatibility - missed that they also have ECDSA and EdDSA keys as well.
reply
I totally agree with you. I just didn't get what RSA has to do with this lol
reply
RSA is old (literally from 1977!), slow (because huge keys are required to make it non-trivial to brute force), and overall less secure than modern elliptic curve cryptography.
As I said though, I missed that they also have EdDSA and ECDSA keys when I skimmed the article during my lunch break. Since the RSA key is only for backwards compatibility it isn't an issue. Thank you for pointing that out to me.
reply