Tell Me Your Secrets Without Telling Me Your Secrets

Nov 24, 2023The Hacker NewsDeveloper Tools / API Security


The title of this article reads like the caption of a meme. However, this is a real problem that GitGuardian engineers had to solve when implementing the mechanisms behind their new HasMySecretLeaked service. They want to help developers find out whether their secrets (passwords, API keys, private keys, cryptographic certificates, etc.) have found their way into public GitHub repositories. How can they comb through a vast library of secrets found in public GitHub repositories and their histories and compare them to your secrets without you having to reveal sensitive information? This article will tell you how.

First, if we put the small mass equal to one electron, one ton of data amounts to 121.9 quadrillion petabytes of data in standard Earth gravity, or $39.2 billion billion US dollars in MacBook Pro storage upgrades (more than all the money in the world). So when this article claims that GitGuardian has scanned a “ton” of GitHub public commit data, that’s figuratively, not literally.

But yes, they scanned a “ton” of public commits and gists from GitHub, tracked commit histories, and found MILLIONS of secrets: passwords, API keys, private keys, cryptographic certificates, etc. And no, “millions” is not descriptive. They literally found over 10 million in 2022.

How does GitGuardian make it possible for developers and their employers to see if their current, valid secrets are among the 10+ million, without simply publishing millions of secrets, making it easy for threat actors to find and harvest them, and letting more genies out of more bottles? One word: fingerprinting.

After careful evaluation and testing, they came up with a secret-fingerprinting protocol that encrypts and hashes the secret, after which only a partial hash is shared with GitGuardian. This lets them narrow the potential matches down to a manageable number without receiving enough of the hash to reverse or decrypt it. To further ensure security, they provide a toolkit for encrypting and hashing the secret on the client side.
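The exchange described above, as an added illustration that is not GitGuardian's own code: the client keeps the full hash, reveals only a short prefix, and any match details come back encrypted under a key only the secret holder can derive. The prefix length, the SHA-256 fingerprint, the HMAC-based keystream and the sample leak data are all assumptions made for this example.

```python
import hashlib
import hmac
from typing import Optional

# Illustrative parameters (assumptions, not GitGuardian's actual values).
PREFIX_LEN = 5  # hex characters of the fingerprint that the client reveals

def fingerprint(secret: str) -> str:
    """Full SHA-256 hex digest of the secret. Computed client-side and never transmitted."""
    return hashlib.sha256(secret.encode()).hexdigest()

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stand-in for a real cipher (illustrative)."""
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)

def _derive(full_hash: str, label: str) -> bytes:
    # Separate match identifier and encryption key, so the bucket never contains the full hash itself.
    return hashlib.sha256(f"{label}:{full_hash}".encode()).digest()

def build_index(leaks: dict) -> dict:
    """Server side: bucket leaks by fingerprint prefix; leak details are encrypted under the full hash."""
    index: dict = {}
    for secret, location in leaks.items():
        h = fingerprint(secret)
        record = (_derive(h, "id").hex(), _keystream_xor(_derive(h, "key"), location.encode()))
        index.setdefault(h[:PREFIX_LEN], []).append(record)
    return index

def client_check(secret: str, lookup) -> Optional[str]:
    """Client side: send only the prefix, then match and decrypt locally. Returns leak location or None."""
    h = fingerprint(secret)
    my_id = _derive(h, "id").hex()
    for match_id, ciphertext in lookup(h[:PREFIX_LEN]):
        if hmac.compare_digest(match_id, my_id):
            return _keystream_xor(_derive(h, "key"), ciphertext).decode()
    return None

# Constructed sample data: two "leaked" secrets and where they were found (not real leaks).
LEAKS = {"AKIA-EXAMPLE-LEAKED-0001": "github.com/example/repo@commit-deadbeef",
         "ghp_example_leaked_token": "gist.github.com/example/1234"}
INDEX = build_index(LEAKS)

def server_lookup(prefix: str) -> list:
    """What the server returns for a prefix: only the id/ciphertext pairs in that bucket."""
    return INDEX.get(prefix, [])
```

A non-leaked secret such as `client_check("still-secret-value", server_lookup)` returns `None`, and the bucket the server hands back never contains a full fingerprint.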

If you use the HasMySecretLeaked web interface, you can copy the Python script, run the hash locally, and paste only the output into the browser. You don’t need to put the secret itself anywhere; only the output is passed to the browser, and you can easily check the 21 lines of code to prove to yourself that nothing leaves the terminal session you opened to run the script. If that’s not enough, open the F12 developer tools in Chrome or another browser and go to the “Network” panel to monitor what information is sent to the web interface.

If you use the open-source ggshield CLI, you can check the CLI code to see what happens when you use the hmsl command. Want more assurance? Use a traffic inspector like Fiddler or Wireshark to see what is actually transmitted.

GitGuardian engineers know that even customers who trust them will be apprehensive about pasting an API key or other secret into a box on a web page. For the security and peace of mind of everyone who uses the service, they have chosen to be as transparent as possible and to put as much of the process under the customer’s control as possible. This goes beyond their marketing materials and into the ggshield documentation for the hmsl command.

GitGuardian went the extra mile to make sure people can use the HasMySecretLeaked checker without sharing their actual secrets to find out whether those secrets have leaked. And it’s paid off: over 9,000 secrets were checked in the first few weeks it was live.

If your secrets are out in the open, it’s better to know than not. They may not have been taken advantage of yet, but it’s probably only a matter of time. You can check up to five per day for free via the HasMySecretLeaked checker on the web, and more using the GitGuardian CLI. And even if you don’t look to see whether your secrets are leaking, you should look at their code and procedures for inspiration on how to let your own customers verify sensitive information without handing over the information itself.
