GitHub Updates Security Protocol For Operations Over SSH


The repository hosting service GitHub has announced it is replacing its existing RSA SSH host key with a new one as a precautionary measure after discovering the key was momentarily exposed in a public repository.

“We immediately acted to contain the exposure and began investigating to understand the root cause and impact,” GitHub wrote in an article published on its site earlier today. “We have now completed the key replacement, and users will see the change propagate over the next thirty minutes.”

The company explained the change was made to protect users’ Git operations over SSH, particularly from potential threat actors attempting to impersonate GitHub or eavesdrop on their actions. At the same time, the company clarified that the move did not stem from a compromise of GitHub systems or customer information.

“Instead, the exposure was the result of what we believe to be an inadvertent publishing of private information,” wrote GitHub CSO, Mike Hanley. “We have no reason to believe that the exposed key was abused and took this action out of an abundance of caution.”

SSH host keys are cryptographic key pairs that authenticate the server to the client; a client that has pinned a host’s public key can detect an impostor server, which is what protects both the confidentiality and integrity of communication between the client and the server. An attacker holding the private half of a host key could pass that check while impersonating the server.


“This key does not grant access to GitHub’s infrastructure or customer data,” said Hanley. “This change only impacts Git operations over SSH using RSA. Web traffic to and HTTPS Git operations are not affected.”

Further, the company added that only GitHub’s RSA SSH host key was replaced; no change is required for ECDSA or Ed25519 users.
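For clients, a rotation like this surfaces as a “host key has changed” warning for the pinned RSA entry. The following added example (not GitHub’s tooling, and not code from the article) shows how to replace only the stale `github.com ssh-rsa` line in a `known_hosts` file, and only after the new key’s SHA256 fingerprint, computed the way `ssh-keygen -lf` prints it, matches a fingerprint obtained out of band from the operator’s notice. All key blobs below are constructed bytes, not real GitHub keys.

```python
"""Safely rotate one pinned SSH host key in a known_hosts file (added example)."""
import base64
import hashlib

# Constructed sample key blobs (arbitrary bytes, NOT real host keys).
OLD_RSA_BLOB = base64.b64encode(b"old-rsa-host-key-blob").decode()
NEW_RSA_BLOB = base64.b64encode(b"new-rsa-host-key-blob").decode()
ED25519_BLOB = base64.b64encode(b"ed25519-host-key-blob").decode()
OTHER_RSA_BLOB = base64.b64encode(b"other-host-rsa-blob").decode()

# Constructed known_hosts: the RSA line stands in for the retired key; the
# Ed25519 line and the unrelated host must survive the rotation untouched.
KNOWN_HOSTS = "\n".join([
    f"github.com,192.0.2.10 ssh-rsa {OLD_RSA_BLOB}",
    f"github.com ssh-ed25519 {ED25519_BLOB}",
    f"git.example.net ssh-rsa {OTHER_RSA_BLOB}",
])


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the `ssh-keygen -lf` format: base64 of the
    digest over the raw key blob, '=' padding removed, 'SHA256:' prefix."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def rotate_host_key(known_hosts: str, host: str, key_type: str,
                    new_key_b64: str, expected_fingerprint: str) -> str:
    """Replace the pinned (host, key_type) entry with new_key_b64, but only if
    the new key's fingerprint matches the value published out of band.
    Other hosts and other key types (ECDSA, Ed25519) are left as they are.
    Hashed '|1|...' entries are not handled by this example."""
    if fingerprint(new_key_b64) != expected_fingerprint:
        raise ValueError("new host key does not match the published fingerprint")
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        # Field 0 may list several comma-separated names/addresses for one host.
        if len(fields) >= 3 and host in fields[0].split(",") and fields[1] == key_type:
            continue  # drop the stale pin; the verified replacement is appended below
        kept.append(line)
    kept.append(f"{host} {key_type} {new_key_b64}")
    return "\n".join(kept)


if __name__ == "__main__":
    # In practice, copy the expected fingerprint from the operator's announcement.
    published_fp = fingerprint(NEW_RSA_BLOB)
    print(rotate_host_key(KNOWN_HOSTS, "github.com", "ssh-rsa", NEW_RSA_BLOB, published_fp))
```

The same check protects against the failure mode a leaked host key enables: a client that blindly accepts a changed key would also accept an impostor, whereas comparing the fingerprint to the published value first does not.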

The replacement of the GitHub RSA SSH host key comes a couple of months after the company confirmed threat actors stole three digital certificates used for its Desktop and Atom applications.
