by defanor 1181 days ago
Here are the expected fingerprints (since they don't publish those via SSHFP RRs): https://docs.github.com/en/authentication/keeping-your-accou...

    SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s (RSA)
    SHA256:br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ (DSA - deprecated)
    SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM (ECDSA)
    SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU (Ed25519)
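As an added example (not part of the thread or of GitHub's documentation), here is how the "double check it is the expected value" step actually works in code: OpenSSH's SHA256 fingerprint is the SHA-256 of the raw public-key blob, base64-encoded without padding and prefixed with `SHA256:`, which is what `ssh-keygen -lf` prints. The script parses a host-key line in the format `ssh-keyscan` and `~/.ssh/known_hosts` share, computes that fingerprint and compares it to a list of published ones. The expected list is the one quoted in the comment above; the Ed25519 public key line is the one GitHub's documentation page listed at the time of writing, and, in the spirit of this thread, both are assumptions you should verify against the linked page rather than trust from here. The tampered line is constructed (one bit flipped in the key material) to show what a substituted key looks like to the check.

```python
"""Check SSH host keys against published SHA256 fingerprints.

Added example, not code from the thread. Reproduces the fingerprint
algorithm used by `ssh-keygen -lf -E sha256`.
"""
import base64
import hashlib

# Fingerprints as quoted in the comment above. ASSUMPTION: treat them as
# unverified until compared with GitHub's own documentation page.
EXPECTED = {
    "ssh-rsa": "SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s",
    "ssh-dss": "SHA256:br9IjFspm1vxR3iA35FWE+4VTyz1hYVLIE2t1/CeyWQ",
    "ecdsa-sha2-nistp256": "SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM",
    "ssh-ed25519": "SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU",
}

# ASSUMPTION: copied from GitHub's documentation at the time of writing;
# verify against the linked page, not against this file.
GITHUB_ED25519_KEY = (
    "AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"
)
GITHUB_LINE = "github.com ssh-ed25519 " + GITHUB_ED25519_KEY


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint of a base64 public-key blob, OpenSSH style."""
    blob = base64.b64decode(key_b64)
    digest = hashlib.sha256(blob).digest()
    # OpenSSH strips the trailing '=' padding from the base64 digest.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_host_line(line: str):
    """Split 'host type key [comment]' as emitted by ssh-keyscan / known_hosts.

    Hashed known_hosts entries ('|1|salt|hash type key') have the same
    column layout, so they parse the same way.
    """
    parts = line.split()
    if len(parts) < 3:
        raise ValueError(f"not a host key line: {line!r}")
    return parts[0], parts[1], parts[2]


def check(line: str, expected=EXPECTED):
    """Return (key type, computed fingerprint, matches published value)."""
    _host, ktype, key_b64 = parse_host_line(line)
    fp = fingerprint(key_b64)
    return ktype, fp, expected.get(ktype) == fp


def tamper(key_b64: str) -> str:
    """Constructed attacker key: flip one bit of the key material."""
    blob = bytearray(base64.b64decode(key_b64))
    blob[-1] ^= 0x01
    return base64.b64encode(bytes(blob)).decode()


# Constructed: what a substituted (MITM) host key would look like.
TAMPERED_LINE = "github.com ssh-ed25519 " + tamper(GITHUB_ED25519_KEY)


if __name__ == "__main__":
    for line in (GITHUB_LINE, TAMPERED_LINE):
        ktype, fp, ok = check(line)
        print(f"{ktype:20} {fp}  {'OK' if ok else 'MISMATCH'}")
```

In practice you would feed it `ssh-keyscan -t ed25519 github.com` output or the matching line from `~/.ssh/known_hosts`; a mismatch means either the published list you are holding is stale, or the key you received is not GitHub's, and the check cannot tell you which.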

Note the MITM here :)

We humans really aren't cut out for this, are we?

Indeed, at least for verification. I didn't mean for HN users to trust those, but perhaps should have warned about it: copied the fingerprints primarily for people searching on this page, so that they can follow the link to GitHub (and rely on PKIX to build a trust chain). I did `ssh-keygen -R github.com` myself, and saw the ECDSA key's fingerprint while connecting (which wasn't mentioned in the linked post, and wasn't on this page either), so figured it would be somewhat helpful for others following the same route.
What MITM? What are you talking about?
The poster of the fingerprints is in the middle, you are not getting them from GH if you use them instead of going to the linked page.
Why downvote this person! The parent post left plenty of ambiguity in their comment. Are they saying that an actual MITM attack is happening? That the fingerprints shared are actually the wrong ones?

Generally speaking, one would not consider an internet comment directing folks to GitHub's actual SSH fingerprints a "man in the middle" as the phrase in this context usually has a negative implication, where in this case defanor is in fact simply mirroring the actual information that GitHub has officially posted in a way that is much more helpful than yetanotherjosh's "double check it is the expected value". For most of us idiots, we don't know what the expected value is!

So thank you defanor for sharing, and thank you darthrupert for asking for clarification. Y'all contributed to educating myself and others and now we know more because of it.

Ah, okay. I thought this was obvious that the keys in the comment were just for show, and if anyone would need the actual keys, they would be looked up via the GH link anyway.

Good clarifications everywhere, yes.

If someone wanted to trick HN users into trusting a phoney key, one way to do that would be to post the phoney fingerprint on HN claiming it to be the real one.
I mean, yes, but you'd also have to have a way to actually MITM the person you are targeting via HN comment, before anyone pointed out it was wrong. It'd be much easier to just use the MITM you already have and not raise the suspicion of posting in a comment.
Don't overthink this.
And if someone would actually fall for this, they deserve to be fired, and/or never allowed anywhere near anything related to computer security. :)
And within a few seconds someone will have called this out in a reply.
Assuming the person doesn’t have some back door access to HN as well.
Or they simply wait a while and edit it when it's not under high scrutiny.
This is literally a man in the middle between you and GitHub.
On the other hand, this is a nice TOFU-style double check. The first time HN user "defanor" went to that page, these were the fingerprints; if later someone somehow invades the github documentation server (or somehow MITMs your HTTPS connection to it), and changes the fingerprints there, they will no longer match the ones saved in the comment above.
Well, "defanor" says these were the fingerprints. Perhaps they are the MITM.

(Not genuinely concerned about this risk, but "Reflections on Trusting Trust" reverberates.)