Tell Me Your Secrets Without Telling Me Your Secrets

Tell Me Your Secrets Without Telling Me Your Secrets

November 24, 2023 at 06:18AM

GitGuardian’s engineers have developed a secret-fingerprinting protocol for their HasMySecretLeaked service, which helps developers find out if their secrets have been exposed in public GitHub repositories. By encrypting and hashing the secret and sharing a partial hash with GitGuardian, they can match potential secrets without exposing sensitive information. Users can verify the process by reviewing the code or monitoring network information. Over 9,000 secrets have been checked since its launch.

The meeting notes discuss an article about GitGuardian’s new service called HasMySecretLeaked. The service helps developers find out if their secrets, such as passwords, API keys, private keys, cryptographic certificates, etc., have been exposed in public GitHub repositories.

GitGuardian implemented a mechanism to compare developers’ secrets with a vast library of secrets found in GitHub repositories without the need to expose sensitive information. They scanned millions of public commits and gists from GitHub in 2022 and developed a secret-fingerprinting protocol using encryption and hashing to limit potential matches and ensure security.

To use the HasMySecretLeaked web interface, developers can copy a Python script to create the hash locally and input the output in the browser, without transmitting the secret itself. They can also inspect the ggshield CLI’s code or use traffic inspectors like Fiddler or Wireshark for additional assurance. The transparency and customer control in the process have led to over 9,000 secrets being checked in the first few weeks of the service’s launch.

Knowing if secrets have been publicly divulged is important, as exploitation may be imminent. Developers can check up to five secrets per day for free using the web interface and more using the GitGuardian shield CLI. Even if not checking for leaked secrets, exploring GitGuardian’s code and methods can inspire efforts to securely share sensitive information without disclosing the information itself.

If you would like more exclusive content, you can follow GitGuardian on Twitter and LinkedIn.

Full Article