~vac

https://blog.vac.fun

question = ( to ) ? be : ! be

Recent activity

Re: meta.sr.ht/keys should not expose comment to public 1 year, 7 months ago

From vac to ~sircmpwn/sr.ht-discuss

I have removed the comments (and also the displayed titles) from my keys.

Even though an email address is not considered private on SourceHut, an SSH public key comment can still be sensitive.

The default comment generated by `ssh-keygen` is `$USER@$HOST`, which means some users would expose some kind of login_user+device map without even realizing it.

I suggest adding some reminder in meta.sr.ht/keys saying the comment/title will be public.

-------- Original Message --------
On Jun 17, 2023, 16:34, Drew DeVault <sir@cmpwn.com> wrote:

> 
> I do not consider this a flaw, you can remove the comment yourself if you so desire and your email address is not considered private on SourceHut.
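A pre-upload check for the point raised in this thread, as an added example that is not part of the original messages or SourceHut's code: it parses an OpenSSH public key line, flags a comment shaped like `$USER@$HOST`, and returns the line with the comment removed. The sample keys are constructed all-zero placeholders, and the function names are hypothetical.

```python
import base64
import re

# Matches the default ssh-keygen comment shape ($USER@$HOST) and e-mail addresses.
USER_AT_HOST = re.compile(r"^[^\s@]+@[^\s@]+$")


def parse_pubkey(line):
    """Split one OpenSSH public key line into (key type, base64 blob, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = parts[0], parts[1]
    raw = base64.b64decode(blob, validate=True)
    # The blob begins with a length-prefixed copy of the key type (RFC 4253
    # string encoding); a mismatch means the fields were misread.
    n = int.from_bytes(raw[:4], "big")
    if raw[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return keytype, blob, parts[2] if len(parts) == 3 else ""


def audit_pubkey(line):
    """Return (line without comment, finding) for a key about to be uploaded."""
    keytype, blob, comment = parse_pubkey(line)
    if not comment:
        finding = None
    elif USER_AT_HOST.match(comment):
        finding = "user@host"   # login name + device name, or an e-mail address
    else:
        finding = "free-text"   # still published, review it by hand
    return f"{keytype} {blob}", finding


def constructed_key(keytype, comment=""):
    """Build a syntactically valid, all-zero placeholder key line (constructed)."""
    name = keytype.encode("ascii")
    raw = len(name).to_bytes(4, "big") + name + (32).to_bytes(4, "big") + bytes(32)
    return f"{keytype} {base64.b64encode(raw).decode()} {comment}".strip()


if __name__ == "__main__":
    for sample in (constructed_key("ssh-ed25519", "alice@work-laptop"),
                   constructed_key("ssh-ed25519", "backup key 2023"),
                   constructed_key("ssh-ed25519")):
        stripped, finding = audit_pubkey(sample)
        print(f"{finding or 'no comment':<10} -> {stripped}")
```

The comment is not part of the key material, so the stripped line authenticates exactly as the original does.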

meta.sr.ht/keys should not expose comment to public 1 year, 7 months ago

From vac to ~sircmpwn/sr.ht-discuss

Hi,

I notice that user SSH public keys like https://meta.sr.ht/~sircmpwn.keys will expose the comment to the public.

I think it's a potential privacy leak if the comment contains sensitive information, i.e. an email address.

P.S.

github.com doesn't expose the SSH public key comment to the public:

https://github.com/torvalds.keys

Best Regards.