In a move driven by prudence, GitHub, the cloud-based repository hosting service, has replaced its RSA SSH host key, which is used to ensure the security of Git operations, after it was briefly disclosed in a public repository. The company made this move in order to safeguard its users from any potential security breaches.
As per reports, a security measure was enacted at 05:00 UTC on March 24, 2023, in order to safeguard against any potential threat of impersonation of the service or unauthorized interception of users’ SSH activities. The activity was deemed necessary to ensure the protection of users’ privacy and security.
In a recent blog post, Mike Hanley, the Chief Security Officer and Senior Vice President of Engineering at GitHub, stated that the updated RSA SSH host key will not provide access to GitHub’s infrastructure or customer data. He further clarified that this modification only affects Git operations over SSH that involve RSA.
There will be no effect on Web traffic to GitHub.com and Git actions conducted through HTTPS, despite the recent move. ECDSA or Ed25519 users do not need to make any modifications.
The SSH private key of the company owned by Microsoft was exposed, but the company has assured that no proof suggests that it was utilized by any adversaries. Read more here.
It further emphasized that the “issue was not the result of a compromise of any GitHub systems or customer information.” It blamed it on an “inadvertent publishing of private information.”
The article has highlighted that individuals who utilize GitHub Actions may encounter unsuccessful workflow runs if they have incorporated the ssh-key option while using actions/checkout. The article has also stated that the GitHub team is currently in the process of updating the action across all tags to address this issue. For more information on this topic, please refer to the actions/checkout hyperlink.
Almost eight weeks following GitHub’s announcement of the theft of encrypted code signing certificates for certain versions of Mac’s GitHub Desktop and Atom apps by unknown threat actors, the company has finally disclosed additional details.