|
Post by Lee Sharp on Jan 16, 2016 15:30:45 GMT
A few people have asked my why the svn is not on github or something similar. I usually answer with stories about trust, and what happened to codespaces. I mean, this is a SECURITY project, right? But today, I saw this... ssh whoami.filippo.io Try it. If you are on github, you will be quite startled! Not saying it is only a repository thing... It has me seriously considering how I use SSH keys now.
|
|
|
Post by R on Jan 20, 2016 17:36:44 GMT
I am concerned by the privacy issue, but not the security issue.
I fail to see the big security problem in public keys being public, collected and be included in a directory service. In a sense, one could say that github here takes on the role of a trusted third party. They confirm that your private key belongs to you. All PKI systems need such a third party and since we in this context generate the key pair ourselves there are no CA. Surely, it is a good design choise that github gives us the possibility to verify source code as being signed by original author.
I do see a privacy issue with ssh here, I did not know that upon a anonymous connection to a server ssh would try to reveal my identity. However, it kind of makes sense, it normally is followed by an authentication that would reveal my identity. Now I do try to protect my identity, I do not see the need to present myself fully just because we have a causual interaction on the commuter train or discuss an interresting issue on a forum like this.
R
|
|
|
Post by Lee Sharp on Jan 20, 2016 20:11:20 GMT
The problem I have with cloud is that you no longer have control. They can share your data, delete your data, corrupt your data, allow a third parts (government agency) to modify your data... That said, I use some cloud. This forum for example. But the source code and signing keys are NOT in the cloud anywhere! They are in my possession and control. As for github specifically, I was not aware they were confirming identities. I bet a lot of other people were not as well.
|
|