| HN Mirror

Y	Hacker News new \| ask \| show \| jobs


	by nixpulvis 1688 days ago
	I'm sorry, what?! All private keys are sensitve. Please be more spesific.

3 comments

riverdroid 1688 days ago

If you search GitHub, you can find ~4M results for PEM private keys: https://github.com/search?q=PRIVATE+KEY-----&type=Code

Many are for tests and don't go to anything. Some go to really important things though, even among the test keys, and this tool tells you that instantly for billions of keys.

xssoauth 1688 days ago

Here's a key I just made, why's it sensitive?

-----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn NhAAAAAwEAAQAAAYEA2PwvBhXWsPN59WKtqJvXmpbYXQ50zQ1X1MAhrXAOA2UVGxFr4cNz AAWv8cef4/vLDglZu2vBHJtSdijmKBomK5g7rsdgavzuA2nWpLsscL7MeSAZNtvX1DzJzj vBaV1zPuPTaOC/hvrbmr7ZqwaM+UQbUfzRg34rPhDFAfscdlrNCi8w3EuVgFEA6txvjD03 Jqf/STGKU3SC9KIP0ah9BELuBURivf+IsuH7bx9COcWEp6hWjNQhOoTly1AgpTaMQfF8wP bxmJn5Mu5CUzMdhmjuizZwpJH2dtEfWrYet8CIWooHPqXjB1Vo1UJN4MPsv35XmtAW668R pC09J4W+uPC5AblJ/Uv+pbWyuGXY6lzvXrHVXVWedBMLa7gYcGbcdq8XgAOBW0dO7NGHc8 lM7Wz+sl8wehtwusG1sPDEwQbDv9sXHphZI5N9guqGod1sE4p6ryB+LKDl7C3ghXfof+0E INPADPjd4tBDDv/gEbQ3+XXEp9KCZBTAiJwIaDIfAAAFmLGPMguxjzILAAAAB3NzaC1yc2 EAAAGBANj8LwYV1rDzefViraib15qW2F0OdM0NV9TAIa1wDgNlFRsRa+HDcwAFr/HHn+P7 yw4JWbtrwRybUnYo5igaJiuYO67HYGr87gNp1qS7LHC+zHkgGTbb19Q8yc47wWldcz7j02 jgv4b625q+2asGjPlEG1H80YN+Kz4QxQH7HHZazQovMNxLlYBRAOrcb4w9Nyan/0kxilN0 gvSiD9GofQRC7gVEYr3/iLLh+28fQjnFhKeoVozUITqE5ctQIKU2jEHxfMD28ZiZ+TLuQl MzHYZo7os2cKSR9nbRH1q2HrfAiFqKBz6l4wdVaNVCTeDD7L9+V5rQFuuvEaQtPSeFvrjw uQG5Sf1L/qW1srhl2Opc716x1V1VnnQTC2u4GHBm3HavF4ADgVtHTuzRh3PJTO1s/rJfMH obcLrBtbDwxMEGw7/bFx6YWSOTfYLqhqHdbBOKeq8gfiyg5ewt4IV36H/tBCDTwAz43eLQ Qw7/4BG0N/l1xKfSgmQUwIicCGgyHwAAAAMBAAEAAAGAR5q4/d4ZEh3W4kZlHl4HQUmELv lFTCGaGWgp9O0kgrRJybvvCPqRqbE2xafluLtv37rwNKwzdvg+tyV6BkPS0tIS5/N9evDq ro+vuH7YBIDCQzp3d6YGzFAfHIKVqeqfzGIsctCwA6Am9iMC+7BWty9lgKHYlfb92CZ6jN PMKbZ/MVwvWJNMy6JvlhGWcgYFfCk2UnYZur6ZNJeCduKOFujrWSufFioMd1OhwKLlHOF0 jEs9/I1IReJzXqubikm8VbsLia8mfZEfox98SM1nbmVRoTYy00s283be6T0b834iCMOIid 18j7t1lMPcZAi4ZsWfA5YJ2HaWD/vnfzLjcYsnP1/uleNoAmzkSY7LncQaDo6rHfvJZRBe tqYr8rVE3AiWq/OSxoSLw78Bbw1BNbXcdtMIbsAg2AoxYjzHcigS0Swk1lHTVdwq1dEDv2 7nIdjSwoNQdVG9UAr4+C6ASYUd1+l8Idfrg1bBr8gJOOYb1fo/3Km182cOeqyKk46BAAAA wEnCOseDS5nB6Vikw+w830+bhby68cEicNoQm5AljMz/jdc8sIedItZhzrQdyWLrdtwSES 8JIBFI3JYpLZlz3s0y0f4iTNgtUruQIND3J+Msh+vYVbpb6hPVqboV7DK7dgb7gsZCAFSu gdgQk+e/bsCzrJiqp4BSBNbuzqUt5M5/81CD9+UG3nSXEHqmOXzPvF/wmIqeR2P7v1dXpK vsP4vRo7Vy/7odWFz36rgwcFGsx6xmbSP8zXAVxg7bTwa+2wAAAMEA7eFjevAsGSZLQF/x rYvhwkGdC4RSUJh6jPOI8vmM3kcvnduiHTHNQOdD1UkJbU3GjCRf/14yPWFf5K54auqoXP b9Ip0NKAAVqw4kJhdViDTSJQ0XLmL+a5S2jxvPzp3TLg/d/iAMVviliQCd1ybzyIGwNj4t PPJ5outWwXqWq6BynsSqTpR15r+LNaLDrBc5MqnCi4nA56CeQK6nAOXS1xx8bxnFpGKwYj YXAt3gHRMHdxoMj24xoTZejIhulxpBAAAAwQDpg1dTm3RkyZ00++jVK78c0Otcx0tl0AEM d6d5E+CqU3Y5b+RNpBFDOmOjkYOFJQ9rlsndyn0QsCAD6ex17xxqLETL3HK9w7nYkKHHGV bPbYpj+eD9CzraDztFEuhZzTVBN/AfggF/d9DW3/2mvCBQnuh9GwUiqXwjvrormpIkmqki hTU7arJRm5sQHrpHN6Bl2A8pO/YXfDrpggeoibLLzNUkzW0I4ifUT4oD8eHUv6At0SgNGr ecrqg6nIpwdF8AAAAgZmxvd2VyQGZsb3dlcnMtTWFjQm9vay1Qcm8ubG9jYWwBAgM= -----END OPENSSH PRIVATE KEY-----

iso1210 1688 days ago

The public key can be derived from the private key

They then check both certificate transparency to see if the public key matches any certificates that have been generated, and to see if it's used by a github user (will this public key let me in to a github repo)

If neither, then it's not sensitive (well it might be, but only like finding a key on the floor in the street is -- won't do you much good without knowing where you can use it)

In the first case, if you have the private key, you can spoof the website

In the second case, if you have the private key, you not only have push access to the repos that user has (which could be quite wide ranging), but also you're likely able to get into many servers via SSH, as developers tend to use the same ssh key for github and for server access

What their latest software does is take your key and check it against these sources,

Now private keys have a further layer of protection - the passphrase. Turns out the majority of passphrases belonging to the leaked private keys are trivial ones.

Many leaked keys will unlikely to be used anywhere, but it turns out many more are.

dilyevsky 1688 days ago

Do you have a hackerone account? i need to collect my bounty

marginalia_nu 1688 days ago

No, file it with ycombinator. Say you've found a private key accessible from their web server.

aetherspawn 1688 days ago

About as sensitive as a lock/key that I buy from the supermarket and sits in a drawer never used, sure.