Security Zines' Rohit Sehgal is back with an awesome illustration to explain the inner workings of Has My Secret Leaked?, the only free service that helps developers and security people verify if their secrets have been leaked on GitHub.com.

Click to get the full-res PDF.

It explains in detail how users can check whether their secrets have leaked without ever revealing the actual secret. The protocol is designed so that GitGuardian never gains access to the users' secrets while it helps them check for leaks, and it adds further safeguards on top of that.

Zine summary:

- GitGuardian compiled an extensive database of leaks from scanning billions of code files, commits, GitHub gists, and issues since 2017.

- Has My Secret Leaked? involves a hash-based approach where users send a hashed version of their secret.

- To ensure privacy, users send only a fragment of their secret's hash (its first five characters), and the service returns the entries whose hashes match that prefix.

- The service encrypts responses, allowing only the secret's owner to decrypt and retrieve the URL location of the leak.

- Additional security measures include the use of a "pepper" in hashing, restricting queries per day, and disclosing only the first location of a secret.
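To make the summary concrete, here is a small model of that flow, written for this post as an added example. It is not GitGuardian's code and does not reproduce the real protocol: SHA-256, a fixed public pepper string, the HMAC-based keystream used for the response encryption, the daily limit of three queries, and the sample leak database are all assumptions made here. The idea it demonstrates is the one the zine describes: the client sends only a five-character hash prefix, the server answers with records encrypted under a key derived from the full hash, so only the secret's owner can decrypt them, and the server discloses only the first known location.

```python
"""Toy model of a hash-prefix leak lookup (added example, not GitGuardian's code)."""
import hashlib
import hmac

PEPPER = b"example-pepper"   # assumed constant; a real service chooses its own
PREFIX_LEN = 5               # hex characters of the digest that leave the client
DAILY_QUERY_LIMIT = 3        # assumed limit, used for the rate-limiting check

# Constructed sample database: secret value -> locations where it was seen.
SAMPLE_LEAKS = {
    "AKIAEXAMPLELEAKEDKEY": [
        "https://github.com/example/repo/blob/main/config.py",
        "https://github.com/example/repo/blob/main/.env",
    ],
    "ghp_exampleTokenThatLeaked": ["https://gist.github.com/example/abc123"],
}


def secret_hash(secret: str) -> str:
    """Peppered SHA-256 of the secret, hex-encoded (assumed hash construction)."""
    return hashlib.sha256(PEPPER + secret.encode()).hexdigest()


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream. Toy stream cipher for the model only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(4, "big"), "sha256").digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def _owner_key(full_hash: str) -> bytes:
    # The key depends on the full hash, which the server only sees for secrets
    # already in its database and which the client never transmits.
    return hashlib.sha256(b"enc:" + full_hash.encode()).digest()


def encrypt_for_owner(full_hash: str, location: str) -> dict:
    """Server side: encrypt a leak location so only the secret's owner can read it."""
    key = _owner_key(full_hash)
    ciphertext = _keystream_xor(key, location.encode())
    tag = hmac.new(key, ciphertext, "sha256").hexdigest()
    return {"prefix": full_hash[:PREFIX_LEN], "ciphertext": ciphertext, "tag": tag}


def decrypt_as_owner(full_hash: str, record: dict):
    """Client side: returns the location, or None if the record is not for this secret."""
    key = _owner_key(full_hash)
    expected = hmac.new(key, record["ciphertext"], "sha256").hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    return _keystream_xor(key, record["ciphertext"]).decode()


class LeakService:
    """Server model: stores hash -> first location, answers prefix queries."""

    def __init__(self, leaks: dict):
        self._db = {}
        for secret, urls in leaks.items():
            # Only the first location of each secret is ever disclosed.
            self._db.setdefault(secret_hash(secret), urls[0])
        self._queries = {}  # client id -> queries made today

    def query(self, client_id: str, prefix: str) -> list:
        if len(prefix) != PREFIX_LEN:
            raise ValueError("prefix must be exactly %d characters" % PREFIX_LEN)
        used = self._queries.get(client_id, 0)
        if used >= DAILY_QUERY_LIMIT:
            raise PermissionError("daily query limit reached")
        self._queries[client_id] = used + 1
        # Every record in the prefix bucket is returned; the server cannot tell
        # which one (if any) the client actually holds.
        return [encrypt_for_owner(h, url) for h, url in self._db.items()
                if h.startswith(prefix)]


def check_secret(service: LeakService, client_id: str, secret: str):
    """Client model: returns the leak location if the secret is known, else None."""
    full_hash = secret_hash(secret)
    for record in service.query(client_id, full_hash[:PREFIX_LEN]):
        location = decrypt_as_owner(full_hash, record)
        if location is not None:
            return location
    return None


if __name__ == "__main__":
    svc = LeakService(SAMPLE_LEAKS)
    print(check_secret(svc, "demo", "AKIAEXAMPLELEAKEDKEY"))
    print(check_secret(svc, "demo", "a-secret-nobody-leaked"))
```

The authentication tag is what lets the client discard bucket entries that belong to other people's secrets without learning anything about them, and the prefix query is what keeps the server from learning the client's secret. With only two sample entries the prefix buckets here hold at most one record; in a database built from billions of files each five-character bucket is shared by many unrelated secrets, which is the point of sending only the prefix.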


💡
Try it for free, directly in your browser and using dummy credentials here: https://www.gitguardian.com/hasmysecretleaked

To check any secret or even a list of secrets directly in your CLI, we recommend using the ggshield hmsl check command. Read the full documentation here.

👍
Security Zines is a project led by Rohit Sehgal. Check out his work at securityzines.com/#comics and give him a follow on Twitter @sec_r0 to see what he comes up with next!