Skip to content

Commit

Permalink
Erase private keys used during pilot program at La Gomera
Browse files Browse the repository at this point in the history
  • Loading branch information
@iCesofT
iCesofT committed Sep 9, 2020
1 parent 67a4506 commit 2eeab39
Show file tree
Hide file tree
Showing 2 changed files with 0 additions and 56 deletions.
28 changes: 0 additions & 28 deletions app/src/pre/res/raw/sedia_rsa_private_key.txt
View file

This file was deleted.

28 changes: 0 additions & 28 deletions app/src/pro/res/raw/sedia_rsa_private_key.txt
View file

This file was deleted.

11 comments on commit 2eeab39

@MarioVilas
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This does not actually delete the key, it's still available in the commits history.

@j-rivero
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This does not actually delete the key, it's still available in the commits history.

see #9

@agu-borrego
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤦‍♂️

@lonyelon
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Buena

@enrimr
Copy link

@enrimr enrimr commented on 2eeab39 Sep 10, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To remove files from the git history, there is a very useful command:

git filter-branch --tree-filter 'rm -f <YOUR_FILE>' HEAD

This command will modify the git tree (I think you need to use --force when pushing this changes) so all developers will need to clone again the repository. Keep this in mind and use it with responsibility.

@CristianGM
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's try to make it clear enough.
Once a key has been compromised it doesn't matter if you drop it, rewrite the history or pray to the Saint of your preference. A lot of people already saw the keys, that, bey the way, where in the APK anyway, so it really doesn't matter.

That said, those where public keys from the first versions, they are useless, and nobody should care about it.
No need for heros teaching how to not fix a non-existent issue, thanks.

@catluc
Copy link

@catluc catluc commented on 2eeab39 Sep 10, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's try to make it clear enough.
Once a key has been compromised it doesn't matter if you drop it, rewrite the history or pray to the Saint of your preference. A lot of people already saw the keys, that, bey the way, where in the APK anyway, so it really doesn't matter.

That said, those where public keys from the first versions, they are useless, and nobody should care about it.
No need for heros teaching how to not fix a non-existent issue, thanks.

Ok so you screw basic security things up, and people pointed it out, and it's their fault and not yours.....great job! Bravo, your company should be proud of your work, go ask for a raise and show them this commit! ;)

@MarioVilas
Copy link

@MarioVilas MarioVilas commented on 2eeab39 Sep 10, 2020 via email

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@CristianGM
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@catluc 👏 👏 👏

Please give me your password, and then you can drop the message and rewrite all the internet...
The only safe thing to do is to change your password once it has been exposed.

I don't work at this project, but don't worry about my income, I'm fine.

I'll love to see your open source contributions.

@agu-borrego
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you guys are both making valid points. It's true that those keys are surely useless by now, and they probably were by the time the code was uploaded. But it is also true that including a private key in a repo and therefore in the APK, regardless of their validity, is a security breach that should NOT have happened in the first place.

This is not an amateur dev's pet project, this is a government-sponsored project. It is valid criticism whether the keys were already obsolete or revoked or not.

And please, let's keep this civil and leave personal comments aside.

@LuisMayo
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They were being used during a beta phase to replace the actual server validation

I don't really think it's such a bad practice, maybe they should have actually deleted the keys once the beta finished but it's more a thing of not having unused files more than a bad practises one

Please sign in to comment.