Hacker News
by marcos123 4030 days ago
I think it is more like a bank making a diagram of the lock used on each customer's safety deposit box and posting that up on the internet.

I don't see any good reason to put everyone's public key out in the open. Is there any possible way that hiding the keys would hurt github's profits?

2 comments

That is a truly awful analogy.

The entire point of PKI is that the public key is meant to be public. The impact on your security if a properly-created public key gets out is absolutely nil. I don't see any reason to hide them, save for an irrational belief that only comes from not knowing how the math works.

Noted upthread: there are some noncryptographic threats about revealing the identity of anonymous users, and conceivably giving people information about which devices to steal in order to impersonate that developer. (The second is mitigated a bit by stripping the comments, but is still conceivably a source of information.)
How is a public key revealing your identity? You can generate as many pairs as you want. If you want your identity on github to be masked, just generate a key specifically for github.
This is all fine and well if you know that github exposes your keys. Which, at least when I added my keys, was not mentioned in a big, red button in the key dialog. Maybe I trusted GH too much by not creating a separate key pair for them. But information about me is being leaked without my knowledge, and that's wrong.
Yes, I for one didn't know that GitHub did this. If I had had a pseudonymous account that I trusted GitHub to protect, it would have exposed my identity because I wouldn't have realized it was important to make separate SSH keys.

Edit: Elsewhere commenters say GitHub wouldn't have allowed this for a different policy reason, so this problem couldn't actually come to pass.

Shrug, I didn't know github did this till I read this thread, but I feel neither insecure nor compelled to change anything in response to the news.
It's not called a "public" key for nothing.
I would trust a bank that published their lock diagrams (or at least provided them to me on request) more than one that shrouded their security in secrecy. If I can look at the bank's diagrams, I can verify that the lock has no obvious weaknesses, I can show the diagrams to my friends, and through analysis we can determine if the lock seems secure enough for my needs. If the workings of the bank's vault are opaque to me, the bank could easily be locking my safety deposit box with a twist-tie as a cost-cutting measure.