I usually don’t think much about credentialization online. I have a few internet aliases (like yetanothergeographer) that I consider almost totally synonymous with my real name and persona. And even other personas on tumblr or other social networking sites are easily traced back to my “full” identity.

But, something that I found pretty shocking recently was the fact that any github profile you can find shows your public ssh keys to everyone. And I mean everyone. By affixing .keys to the end of anyone’s github user profile (or organization profile) you can check if the account has any associated public ssh keys attached to it.

Now, this isn’t too scary if you’re consistent and diligent with your use of ssh keys. But, as Ben Cox points out, many people aren’t.

Another angle Ben didn’t really discuss was the potential for using publicly available ssh keys as a way to deanonymize people who use github under a pseudonym. For instance, the Tox Project has had a relatively tumultuous private history, full of quite a bit of vitriol and venom between disgruntled developers and cries of conspiracy. For example, two developers (and I’m sure many more) of Tox’s core group, irungentoo and sqtism, have public keys attached to their accounts.

This means that anyone could look for matches between the key that they use on their pseudonymous account and other named users. This would present a problem if they, like many people I know, develop on a few computers, pushing code to many different projects that all use their public ssh key as an indicator of identity.

This isn’t really anything surprising, as the public key is (surprise!) public. But, what I don’t think people realize is that some more noxious trolls (like the Feminist Software Foundation) could possibly be deanonymized by checking their ssh keys against a candidate set like that built by Ben Cox.

To be clear, I am not doing this, nor do I advocate deanonymizing people who want to be anonymous! But, I do think it’s important for people to realize that this is another one of a long line of digital fingerprints people are leaving in ways they may not realize.
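To check your own exposure, this added example (not part of the original post) fingerprints the keys listed for each of your own accounts and reports any key attached to more than one of them. The identity labels and key blobs are constructed, and it assumes each listing has one `type base64` line per key, as in an authorized_keys file.

```python
import base64, hashlib, struct

def fingerprint(key_line):
    """OpenSSH-style SHA256 fingerprint of one 'type base64 [comment]' line."""
    fields = key_line.split()
    blob = base64.b64decode(fields[1])
    # The blob starts with a length-prefixed key type; it must match field 0.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != fields[0]:
        raise ValueError("key type does not match blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keys(text):
    """Map fingerprint -> key type for every key line in a key listing."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            out[fingerprint(line)] = line.split()[0]
    return out

def shared_keys(identities):
    """Return {fingerprint: sorted identity labels} for keys on 2+ identities."""
    seen = {}
    for label, text in identities.items():
        for fp in parse_keys(text):
            seen.setdefault(fp, set()).add(label)
    return {fp: sorted(labels) for fp, labels in seen.items() if len(labels) > 1}

def _sample_key(seed):
    """Constructed ed25519-shaped blob (not a real key) for the demo."""
    def s(b): return struct.pack(">I", len(b)) + b
    blob = s(b"ssh-ed25519") + s(hashlib.sha256(seed).digest())
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

# Constructed listings for three of your own identities (labels are hypothetical).
LAPTOP, DESKTOP, BURNER = (_sample_key(x) for x in (b"laptop", b"desktop", b"burner"))
MY_IDENTITIES = {
    "real-name": LAPTOP + "\n" + DESKTOP + "\n",
    "work-org": DESKTOP + "\n",
    "pseudonym": LAPTOP + "\n" + BURNER + "\n",
}

if __name__ == "__main__":
    for fp, labels in shared_keys(MY_IDENTITIES).items():
        print(fp, "is attached to", ", ".join(labels))
```

Any key this reports under a pseudonymous label is a link to your other accounts; generating a separate key pair per identity removes it.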

I guess the real important part of the story comes from the fact that as information becomes easier to search and scrape, it becomes easier to collate and corroborate the disparate parts of your internet identity. This is just one (admittedly very arcane) example of the destruction of depersonalized/deidentified space on the internet.

Digital unnamed space is rapidly disappearing one ssh key at a time.  

imported from: yetanothergeographer