Tell HN: GitHub Apps – Private key is not private

github.com

2 points by time4tea 16 days ago · 4 comments

time4teaOP 16 days ago

When you create an app in GitHub - you are required to create a private key so that you can sign requests on behalf of your app.

Sounds reasonable.

However... to create the private key, they require you to download the private key from them. Which means they have it. So ANY APP on GitHub can be impersonated by GitHub as they have the key material for every app... so what is the point?

Am I losing my mind?

Edit: I can't edit the link - it should be https://github.com/settings/apps

  • codingdave 16 days ago

    Well, first of all, them giving you the key doesn't prove they kept it. From all I know, it is discarded, not stored.

    But even if they do keep it, github owns their own platform. If they wanted to do shit with your app, they wouldn't need the key for that, they could just skip any security that required the key. At some point, you either trust github to securely host your stuff, or you don't.

    In any case, keys are for protection from 3rd parties and an audit trail of who did what, neither of which are invalidated by github having access to their own platform.

    • time4teaOP 16 days ago

      Hmm, not sure - the entire point of this sort of thing is that nobody should ever have your private key material. Whether they say they discard it is immaterial, they have had it, so they could use it, and then as far as everyone is concerned, they are you.

      Because the key is sent via the web, anyone in the way can see it. In lots of companies, trusts are manipulated so that the content is visible to intermediate proxies.

      With a private key that has been given to you by somebody else, it is possible to repudiate any transaction that was made with the key. It's not so much that they could skip any security - it's that if they have the key, they don't have to.

      Keys are protection from anyone, and an audit trail isn't useful when it's possible to forge/repudiate literally anything.

      Imagine if your card PIN was also written down in the card factory - you'd be suspicious that anyone could withdraw money from your account - and the bank would say 'ah, but only you know it'. In fact this did happen - the bank was only issuing 3 different PIN numbers.

    • salawat 15 days ago

      >Well, first of all, them giving you the key doesn't prove they kept it. From all I know, it is discarded, not stored.

      Intelligence community has a maxim: evaluate adversaries on capabilities, not feelings. If you get the key from GitHub, they have the capability to escrow it. This violates the security model. End of story. Trust is a feeling, not an objective guarantee.

      >But even if they do keep it, github owns their own platform. If they wanted to do shit with your app, they wouldn't need the key for that, they could just skip any security that required the key. At some point, you either trust github to securely host your stuff, or you don't.

      Your "trusting" in this instance has no bearing on the security of the system. It is insecure by definition. The "Trust" you are speaking of is the same "Trust" the finance bros seek to cultivate at all costs. Which is the subjective freedom from aversion of making one's resources available to them to capitalize on.

      >In any case, keys are for protection from 3rd parties and an audit trail of who did what, neither of which are invalidated by github having access to their own platform.

      It is invalidated. All GitHub needs is a public key. The one and only reason to have the private key is to be able to sign in the author's stead, which pops open the Pandora's box of malicious shadow modification; especially if all infra to do so is hosted by GitHub as well. The private key is forbidden knowledge. The mere fact of having it taints the ultimate intentionality of the system. If it were truly meant for security, GH would never ever see the private side of that keypair.

      Objective capabilities. Not feelings.
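The separation the thread keeps coming back to (the app holds the private key and signs; the platform holds only the public key and verifies) can be shown end to end. The following is an added example written for this page, not code from the thread, from GitHub, or from any GitHub library. It generates an RSA key pair locally, signs a JWT with the claim shape GitHub documents for App authentication (`iat`, an `exp` no more than ten minutes out, and `iss` set to the App ID), and verifies it using nothing but the public key. The App ID `12345` is a constructed value, and the block makes no claim about whether GitHub accepts an externally generated key; it only demonstrates that a verifier needs no private key material.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
	"time"
)

// AppClaims is the claim set GitHub documents for App JWTs: issued-at,
// expiry (at most 10 minutes out) and the App ID as issuer.
type AppClaims struct {
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Iss string `json:"iss"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignAppJWT builds an RS256 JWT for appID. This is the only function that
// touches the private key; a relying party never needs it.
func SignAppJWT(priv *rsa.PrivateKey, appID string, now time.Time) (string, error) {
	header, err := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	// Back-date iat by 60 s to tolerate clock skew between signer and verifier.
	payload, err := json.Marshal(AppClaims{Iat: now.Unix() - 60, Exp: now.Unix() + 9*60, Iss: appID})
	if err != nil {
		return "", err
	}
	signingInput := b64url(header) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyAppJWT checks the signature and validity window using only the public
// key. It enforces RS256 by construction rather than trusting the header's alg.
func VerifyAppJWT(pub *rsa.PublicKey, token string, now time.Time) (*AppClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: want 3 segments, got %d", len(parts))
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not verify: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("bad payload encoding: %w", err)
	}
	var c AppClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("bad claims: %w", err)
	}
	if t := now.Unix(); t < c.Iat || t > c.Exp {
		return nil, fmt.Errorf("token outside its validity window")
	}
	return &c, nil
}

// PublicKeyPEM is the only key material a verifier has to be given.
func PublicKeyPEM(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // generated locally; private half stays here
	if err != nil {
		panic(err)
	}
	pubPEM, _ := PublicKeyPEM(&priv.PublicKey)
	fmt.Print(pubPEM) // the only material a relying party would be handed
	now := time.Now()
	tok, err := SignAppJWT(priv, "12345", now) // "12345" is a constructed App ID
	if err != nil {
		panic(err)
	}
	_, err = VerifyAppJWT(&priv.PublicKey, tok, now)
	fmt.Println("verifies with the public key only:", err == nil)
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for anyone without the private key
	_, err = VerifyAppJWT(&other.PublicKey, tok, now)
	fmt.Println("rejected under a different key:", err != nil)
}
```

Two design points worth noting: the verifier fixes the algorithm to RS256 instead of reading it from the token header, which removes the well-known algorithm-confusion class of JWT bugs, and the validity window is checked from the verifier's own clock, so a captured token stops being useful after the ten-minute window GitHub imposes.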
