
Security: Heartbleed vulnerability

On April 7, 2014, information was released about a new vulnerability (CVE-2014-0160) in OpenSSL, the cryptography library that powers the vast majority of private communication across the Internet. This library is key for maintaining privacy between servers and clients, and confirming that Internet servers are who they say they are.

This vulnerability, known as Heartbleed, would allow an attacker to steal the keys that protect communication, user passwords, even the system memory of a vulnerable server. This represents a major risk to large portions of private traffic on the Internet, including github.com.

Note: GitHub Enterprise servers are not affected by this vulnerability. They run an older OpenSSL version which is not vulnerable to the attack.

As of right now, we have no indication that the attack has been used against github.com. That said, the nature of the attack makes it hard to detect so we're proceeding with a high level of caution.
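As an added defender-side example (not part of the original post), the following Python classifies the output of `openssl version` against the upstream affected range (1.0.1 through 1.0.1f and 1.0.2-beta1; first fixed in 1.0.1g and 1.0.2-beta2); the sample version strings are constructed. Because many distributions backported the fix without changing the version string, a "vulnerable-range" result is a prompt to check the package changelog, not a verdict.

```python
import re

# Upstream facts: OpenSSL 1.0.1 through 1.0.1f (and 1.0.2-beta1) contain the
# buggy TLS heartbeat code; 1.0.1g and 1.0.2-beta2 are the first fixed builds.
# The 0.9.8 and 1.0.0 branches never implemented the heartbeat extension.
VULNERABLE_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def classify_openssl(version_line: str) -> str:
    """Classify one line of `openssl version` output.

    Returns 'vulnerable-range', 'fixed', 'unaffected-branch' or 'unknown'.
    Caveat: many distributions backported the fix without bumping the
    version string, so 'vulnerable-range' means "verify via the package
    changelog or vendor advisory", not "confirmed vulnerable".
    """
    m = _VERSION_RE.search(version_line)
    if not m:
        return "unknown"  # not OpenSSL (e.g. LibreSSL) or unparseable
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if branch < VULNERABLE_BRANCH:
        return "unaffected-branch"
    if branch == VULNERABLE_BRANCH:
        # "1.0.1" with no letter is the original release and is affected.
        return "vulnerable-range" if letter < FIRST_FIXED_LETTER else "fixed"
    if branch == (1, 0, 2) and beta == "1":
        return "vulnerable-range"
    return "fixed"  # 1.0.2-beta2 and every later branch


def audit(lines):
    """Map each version line to its classification."""
    return {line: classify_openssl(line) for line in lines}


if __name__ == "__main__":
    # Constructed sample lines; the dates mirror the real release dates.
    for line, verdict in audit([
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
    ]).items():
        print(f"{verdict:17} {line}")
```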

What is GitHub doing about this?

UPDATE: 2014-04-08 16:00 PST - All browser sessions that were active prior to the vulnerability being addressed have been reset. See below for more info.

We've completed a number of measures already and continue to work the issue.

  1. We've patched all our systems using the newer, protected versions of OpenSSL. We started upgrading yesterday after the vulnerability became public and completed the rollout today. We are also working with our providers to make sure they're upgrading their systems to minimize GitHub's exposure.

  2. We've recreated and redeployed new SSL keys and reset internal credentials. We have also revoked our older certs just to be safe.

  3. We've forcibly reset all browser sessions that were active prior to the vulnerability being addressed on our servers. You may have been logged out and have to log back into GitHub. This was a proactive measure to defend against potential session hijacking attacks that may have taken place while the vulnerability was open.
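The forced session reset in step 3 can be implemented without enumerating every session: store an issued-at timestamp with each session and reject any session issued at or before a server-wide cutoff, with a per-user cutoff covering individual password changes. This is an added illustration in Python, not GitHub's code; the in-memory store and the timestamps used in the demo are constructed.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Session:
    token: str
    user: str
    issued_at: float  # unix time (seconds) the session was created


@dataclass
class SessionStore:
    """In-memory session store (constructed for this example).

    Instead of deleting rows, we record cutoffs: a session is only honoured
    if it was issued after the global cutoff *and* after its user's cutoff.
    """
    sessions: dict = field(default_factory=dict)
    global_cutoff: float = 0.0
    user_cutoffs: dict = field(default_factory=dict)

    def create(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self.sessions[token] = Session(token, user, now)
        return token

    def invalidate_all_before(self, cutoff: float) -> None:
        # Step 3 of the post: once patched servers are live, every session
        # issued at or before that moment may have leaked and is rejected.
        self.global_cutoff = max(self.global_cutoff, cutoff)

    def invalidate_user_before(self, user: str, cutoff: float) -> None:
        # A password change should also end that user's existing sessions.
        self.user_cutoffs[user] = max(self.user_cutoffs.get(user, 0.0), cutoff)

    def lookup(self, token: str):
        """Return the Session if still valid, else None (and drop it lazily)."""
        s = self.sessions.get(token)
        if s is None:
            return None
        cutoff = max(self.global_cutoff, self.user_cutoffs.get(s.user, 0.0))
        if s.issued_at <= cutoff:  # '<=' is deliberately conservative
            del self.sessions[token]
            return None
        return s
```

Cutoffs are monotonic, so a later, earlier-dated invalidation can never re-admit a session that an earlier cutoff already rejected.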

Prior to this incident, GitHub made a number of enhancements to mitigate attacks like this. We deployed Perfect Forward Secrecy at the end of last year, which makes it impossible to use stolen encryption keys to read old encrypted communication. We are working to find more opportunities like this.

What should you do about Heartbleed right now?

Right now, GitHub has no indication that the vulnerability has been used outside of testing scenarios. However, out of an abundance of caution, you can:

  1. Change your GitHub password. Be sure your password is strong; for more information, see What is a strong password?
  2. Enable Two-Factor Authentication.
  3. Revoke and recreate personal access and application tokens.

Stay tuned

GitHub works hard to keep your code safe. We are continuing to respond to this vulnerability and will post updates as things progress. For more information as it's available, keep an eye on Twitter or the GitHub Blog.

Switch your picture with ease

Good news, everyone! Changing your public profile picture just got easier.

  1. Click the "Account Settings" icon in the header.
  2. Upload a picture of your awesome new haircut.
  3. Crop the picture and save it.

[Image: your_profile]

You can keep using Gravatar; we just want to make it easier to update when the time comes to rebrand yourself.

Showcasing interesting projects in Explore

[Image: explore]

We love watching trending repositories on GitHub every day. All kinds of interesting projects bubble up and there is always something new to catch your eye. We want to collect repositories we find interesting into categories for you.

Showcases are a new way to discover related repositories on GitHub. We take the most interesting trending repositories and curate lists to explore by topic, a lot like the staff picks shelf at your local bookstore.

On a showcase page, you'll find the full list of repositories that we're showcasing, including why we think they're special. On the right you'll find a search box covering all showcases, along with related showcases and any newly created ones.

You can browse the showcase listing page to read through them all. You can also subscribe to the atom feed and stay up-to-date.

Thanks for reading and happy Exploring! :telescope:

Repository metadata and plugin support for GitHub Pages

We've added several commonly requested features, making GitHub Pages an even better place to host websites for you and your projects.

Repository metadata

First, Jekyll sites on GitHub Pages now have access to some useful repository information such as the latest SHA1; the project title, owner, and description; common URLs like the download and clone URL; and the exact version of various dependencies used to build your site like Jekyll or Ruby.

Within pages and posts, repository information is available within the site.github namespace, and can be displayed, for example, using {{ site.github.project_title }}.

See the project metadata documentation for the complete list.

@mentions, emoji, and redirects

Second, GitHub Pages now supports three Jekyll plugins:

  • Jemoji and jekyll-mentions enable emoji and @mentions in your Jekyll posts and pages to work just like you'd expect when interacting with a repository on GitHub.com.

  • Jekyll-redirect-from provides an easy way to redirect visitors to the proper URL when the filename changes for a post or a page.

For more information on using plugins with GitHub Pages, see the GitHub Pages plugin documentation.

Happy documenting!

Use all your favorite tools with GitHub

To build and ship great software, you need to use the best tools available. From homegrown systems to third-party applications, integrating those tools with GitHub means better collaboration around projects, higher code quality, automated testing, easy deployments, and streamlined production operations.

Today there are thousands of applications and services that work with GitHub. Tools like Asana help you and your team stay on top of recent code changes by linking GitHub commits and issues to relevant project tasks. Services like CircleCI and Code Climate integrate with GitHub to test the quality of your code. You can even deploy code from a GitHub repository to services like Heroku and Amazon Web Services.

[Image: integrators]

Integrations like these help improve testing at Airbnb, track code review at Harry's, and support continuous integration at Infinum. Do you have a favorite application or service that helps you and your team write code? Chances are it works with GitHub already. Check out some of the most popular tools that work with GitHub to help you build better software. Don't see your favorite integration? Let us know!

[Image: showcase]

Announcing the GitHub Developer Program

Whether you're just getting started or have been building applications on the GitHub API for years, the GitHub Developer Program is all about making sure you have the right resources to build the best possible integrations for our incredible community.

Providing developers with a great API has always been an important part of GitHub. Over time, the API we've offered has evolved – adding increased flexibility, greater capabilities, and more endpoints. Launching the Developer Program today represents the next chapter in this story.

[Image: Developer Program]

By joining the Developer Program, you'll receive ongoing notifications about changes to our API. You'll be eligible to receive early access on select feature releases, and can request a development license for GitHub Enterprise. You can also submit your work for consideration on the integrations page.

Visit our developer website to learn more about the program and to register as a member.

Webhooks level up

Webhooks are by far our most widely adopted integration, but they've always been buried in a big list of external services. Today, we're making some major improvements in the way you configure, customize, and debug your webhooks.

First, webhooks are a lot more prominent in your repository settings page.

[Image: webhooks]

You can now configure webhooks directly in your repository settings, instead of having to use the API. You can also choose specific events and a payload format (JSON!).

[Image: new webhook]

Once you've configured a hook, the new deliveries section helps you track, troubleshoot, and re-send a webhook event payload.

[Image: deliveries]

If you've never used webhooks, we've even got a brand new guide to help you get started. Happy integrating! :sparkles:

People you know

When I discover a new project on GitHub, perhaps on Explore, I often wonder if any of my friends already know about it. People you know lets you see how many people you follow have starred that repository.

[Image: stargazers you know that starred drone/drone]

You can also see when someone is following or being followed by other people you know.

Diffable, more customizable maps

We're excited to announce two improvements to mapping on GitHub today: diffs and feature-level customizations.

Visualizing changes over time

We added the ability to visualize geospatial data to GitHub last summer, but the true value of version control comes not from where your information is now, but how it's changed over time, and where others propose it should be.

Starting today, any time you view a commit or pull request on GitHub that includes geodata, we'll render a visual representation of what was changed. For example, here's a diff of Illinois's famed 4th congressional district after undergoing redistricting in 2011:

[Image: Illinois 4th Congressional district]

We'll even diff properties within the geometry when they change:

[Image: Updating a property]

Customizable maps

We've also made some changes under the hood to make mapping GeoJSON files on GitHub faster and more customizable.

In addition to more responsive, retina-ready maps, you can now customize individual features by specifying properties such as the fill color or opacity within the GeoJSON file itself, like the National Park Service did here:

[Image: simple style spec]

We've implemented version 1.1.0 of the open simplestyle specification, so be sure to check out the full documentation for the details.

Happy collaborative mapping!

Better Organizations

Today we’re making it easier to manage GitHub organizations. Whether your organization is a large private company or a small open source project, these improvements will help keep your teams organized and your code secure.

An improved profile

Organization owners can now add members and teams right from the organization’s profile.

[Image: profile]

Members

Owners now have a unified list of all members. To help you stay secure, private organization owners can also see which members have two-factor authentication disabled.

[Image: members]

Teams

You can quickly search and manage teams you belong to. We’ve also made it even easier to leave your teams.

[Image: teams]

Teams are the best way to limit access to your organization’s repositories, so we made the team page fast and simple.

[Image: team]

Enjoy!

Remember, teams aren’t just for access control! You can bring teams into a conversation with team mentions. Keep your feedreader pointed here to stay up to date with what comes next.

Web-flow editing from Pull Requests

Pull Requests are key to our collaboration workflow here at GitHub, so today we’re making it a little easier to stay in the flow of a PR while collaborating directly on the web.

When viewing the "files changed" tab of any PR, people with push access to the repository will be able to edit or view files directly on the PR’s branch. Once you’ve made your change, you’ll be sent straight back to the PR’s diff to continue the review.

[Image: screenshot, 2014-01-10]

The buttons will always link to the latest version of each file on the branch, enabling rapid-fire web-based iteration and discussion without having to leave the context of the PR.

:sparkles: Enjoy! :sparkles:


ProTip™: If you’re viewing a branch’s version of a file, and want a canonical link that will always point to this specific version of the file (even if the branch changes it further), hit the y key on your keyboard, and the page’s URL will change to use the SHA of the latest commit on the branch instead.

Introducing GitHub Traffic Analytics

The holidays are over and we're getting back into the shipping spirit at GitHub. We want to kick off 2014 with a bang, so today we're happy to launch Traffic analytics!

You can now see detailed analytics data for repositories that you're an owner of or that you can push to. Just load up the graphs page for your particular repository and you'll see a new link to the traffic page.

[Image: traffic link]

When you land on the traffic page you'll see a lot of useful information about your repositories including where people are coming from and what they're viewing.

[Image: GitHub traffic]

Looking at these numbers for our own repositories has been fun, sometimes surprising, and always interesting. We hope you enjoy it as much as we have!

More Enterprise support in GitHub for Mac

To help kick off the new year, we're happy to announce that GitHub for Mac now supports CAS authentication with GitHub Enterprise as of version 11.10.328!

The sign-in process is almost exactly the same. Open GitHub for Mac's Preferences, switch to the “Accounts” tab, and then enter the URL for your GitHub Enterprise server:

[Image: Accounts tab before sign in]

If your server uses single sign-on, the username and password fields will be automatically grayed out, and clicking “Sign In” will open your web browser to finish the process.

Upon success, you'll be redirected back to GitHub for Mac, now signed in:

[Image: Accounts tab after sign in]

If you run into any problems signing in, or have any comments or suggestions, please contact support.

Enjoy! :rocket:

GitHub Pages just got easier

Today we're rolling out a reimagined pages.github.com, focused on helping you quickly and easily publish your first GitHub Pages site.

[Image: Screenshot of pages.github.com]

Many sites you visit on a daily basis, from Bootstrap to developer.github.com, are hosted on GitHub Pages. The service lets you host your own static HTML5, CSS, and JavaScript sites via GitHub.

Now, pages.github.com will walk you through the steps of publishing your first site in minutes, whether it's via Git for command line, GitHub for Windows, or GitHub for Mac.

[Image: Example step on pages.github.com]

For GitHub Pages veterans, we've also taken the opportunity to surface some great GitHub Pages resources to learn how to take advantage of the Jekyll templating engine, for example, or how to set up a custom domain.

Happy publishing!

More Explore Features

We've drafted your friends to help you find even more interesting projects with a new module on GitHub Explore. You'll now see stars from people you follow on the explore landing page, the mobile version, and the explore newsletter.

Starred by people you follow

[Image: Starred by people you follow]

You can see which of your friends starred it by clicking the stars number on the right side of the repository.

[Image: Friends who starred]

Starred by GitHub staff

We've had as much fun using the new GitHub Explore as we've had building it. We're sharing the repositories we've discovered in the new Starred by GitHub staff section.

[Image: Starred by GitHub staff]
