Hacker News new | ask | show | jobs
by boarnoah 1254 days ago
Seems questionable on Github's part to have .keys public by default, why not allow people to opt in ex: keybase.io equivalent?

Yes I get that its not sensitive information, but as this demo demonstrates it can fingerprint people who might not be unaware re: this quirk of SSH's coupled with this part of the Github API.
2 comments
TechBro8615 1254 days ago
If you are SSH'ing into a server you should expect to get fingerprinted.
link
omeid2 1254 days ago
If we are going to stretch "fingerprinting" to authentication, then yes, but fingerprinting here has a very specific meaning.

When I SSH into a server, I want to be "fingerprinted" as far as I share, any Device fingerprinting allowed by SSH is a security risk to the client.

https://en.wikipedia.org/wiki/Device_fingerprint

link
kevincox 1253 days ago
There is a bug difference between being fingerprinted by the server that I am trying to log into and sharing (part of) gbag fingerprint publicly.
link
devmor 1254 days ago
You can't even opt out of it as far as I can tell.
link