If you use GitHub with SSH, you may have seen a warning when doing a git fetch
this morning.
```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s.
Please contact your system administrator.
```
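The right response to that warning is not to delete the known_hosts line and reconnect; it is to compare the fingerprint in the message with the one GitHub publishes on its own site, and only then replace the stale entry. The following is an added example, not code from the original post or from GitHub: it computes OpenSSH-style SHA256 fingerprints from known_hosts lines and performs the rotation only when the new key's fingerprint equals the published one. It uses only the Python standard library; the two RSA blobs are constructed dummies with the real wire layout but no real key material, and PUBLISHED_FP stands in for a value you would fetch over an independent channel.

```python
"""Verify and rotate an SSH host key entry after a
"REMOTE HOST IDENTIFICATION HAS CHANGED" warning: fingerprint the key the
server now presents, compare it with the fingerprint the operator published
out of band, and only then replace the stale known_hosts entry.
Stdlib only; the keys below are constructed dummies, not GitHub's."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the OpenSSH wire format."""
    return struct.pack(">I", len(data)) + data


def make_dummy_rsa_blob(modulus: bytes) -> str:
    """Build a base64 'ssh-rsa' public-key blob (type, e, n) from arbitrary
    bytes.  CONSTRUCTED test data: not a usable RSA key, but the blob has the
    exact layout that ssh-keygen fingerprints."""
    e = b"\x01\x00\x01"                                    # 65537 as mpint
    n = (b"\x00" if modulus[0] & 0x80 else b"") + modulus  # mpint sign rule
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(e) + _ssh_string(n)
    return base64.b64encode(blob).decode()


def fingerprint_sha256(pubkey_b64: str) -> str:
    """OpenSSH fingerprint: SHA256 of the raw key blob, base64 without
    padding, prefixed 'SHA256:' (what `ssh-keygen -lf` and the warning show)."""
    digest = hashlib.sha256(base64.b64decode(pubkey_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str):
    """Return (hosts, keytype, key_b64) for a known_hosts line.  A leading
    '@' marker (@cert-authority, @revoked) is skipped; hashed '|1|...' host
    fields are returned verbatim and will not match a plain hostname."""
    fields = line.split()
    if fields and fields[0].startswith("@"):
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("not a known_hosts entry: %r" % line)
    hosts, keytype, key_b64 = fields[0].split(","), fields[1], fields[2]
    blob = base64.b64decode(key_b64)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():   # text type must match blob
        raise ValueError("key type mismatch in %r" % line)
    return hosts, keytype, key_b64


def key_matches_published(line: str, published_fp: str) -> bool:
    """True iff the key on this line has the operator-published fingerprint."""
    _, _, key_b64 = parse_known_hosts_line(line)
    return fingerprint_sha256(key_b64) == published_fp


def rotate_host_key(known_hosts: str, host: str, new_line: str,
                    published_fp: str) -> str:
    """Drop stale entries for `host` of the new key's type and append the
    new line, but only if the new key carries the published fingerprint.
    Same effect as verifying, then `ssh-keygen -R host` plus an append."""
    if not key_matches_published(new_line, published_fp):
        raise ValueError("fingerprint is not the published one; "
                         "refusing to trust it (possible MITM)")
    _, new_type, _ = parse_known_hosts_line(new_line)
    kept = []
    for line in known_hosts.splitlines():
        if not line.strip() or line.startswith("#"):
            kept.append(line)
            continue
        hosts, keytype, _ = parse_known_hosts_line(line)
        if host in hosts and keytype == new_type:
            continue                      # stale entry for this host/type
        kept.append(line)
    kept.append(new_line)
    return "\n".join(kept) + "\n"


# Constructed sample data (dummy keys, not GitHub's real host keys).
OLD_KEY_B64 = make_dummy_rsa_blob(bytes(range(1, 65)))
NEW_KEY_B64 = make_dummy_rsa_blob(bytes(range(64, 0, -1)))
OLD_LINE = "github.com ssh-rsa " + OLD_KEY_B64
NEW_LINE = "github.com ssh-rsa " + NEW_KEY_B64
# Assumed to come from the operator's published fingerprint page, fetched
# over a channel independent of the SSH session that raised the warning.
PUBLISHED_FP = fingerprint_sha256(NEW_KEY_B64)

if __name__ == "__main__":
    print("old:", fingerprint_sha256(OLD_KEY_B64))
    print("new:", fingerprint_sha256(NEW_KEY_B64))
    print(rotate_host_key(OLD_LINE + "\n", "github.com", NEW_LINE, PUBLISHED_FP))
```

The important design point is the order of operations: nothing is removed from known_hosts until the presented key has been matched against a fingerprint obtained outside the connection, because a man-in-the-middle controls everything the session itself tells you, including the fingerprint in the warning.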
GitHub explained in a blog post that they had replaced their RSA SSH host key.
But this part of their explanation really stands out to me:
At approximately 05:00 UTC on March 24, out of an abundance of caution, we replaced our RSA SSH host key used to secure Git operations for GitHub.com.
This week, we discovered that GitHub.com’s RSA SSH private key was briefly exposed in a public GitHub repository.
Replacing an exposed private key is not an "abundance of caution". It is the exact appropriate amount of caution for this sort of situation.
I really wish companies would stop using that phrase, as if they're being super extra careful, when what they're doing is the absolute bare minimum of what any reasonable person would do.