I wonder how to verify the ssh host key from branchable.com?
:~$ git clone ssh://b-sitename@sitename.branchable.com/ sitename.branchable.com
Initialized empty Git repository in /home/username/sitename.branchable.com/.git/
The authenticity of host 'sitename.branchable.com (xxx.xxx.xxx.xxx)' can't be established.
RSA key fingerprint is 8f:76:a9:90:e3:58:bf:68:cb:3c:80:08:a4:d4:d3:14.
Are you sure you want to continue connecting (yes/no)?
I've been told that this might be a good opportunity to use Monkeysphere to verify ssh host keys. It uses a PGP web of trust. The Monkeysphere project explains it on their web page.
Otherwise, is there a secure web url for branchable.com that lists various keys for servers?
I'm new to all this my self, but trying to do it right.
Normally, verifying ssh host keys is a very good idea. I think that for Branchable, there is really only one reason to do it, and that is if you have a site with non-public content, and you want to make certain git is not sending that content to an attacker. Since we only use ssh with git, all an attacker could really do is try to intercept and block and record the data you transfer using it. Well, unless they found a security hole in git.
I have inserted Branchable's ssh key into Monkeysphere. If you setup ssh to use Monkeysphere, you'll see something like the below, and it's signed by my gpg key which is well connected on the web of trust.
But, for now, this will only work if you use git with branchable.com, not with sitename.branchable.com. For now, that will work, but we're not yet ready to recommend it be used long-term.
By the way, we have some hopes of also using Monkeysphere to make it easier for you to provide Branchable with your ssh public keys.
For technical details, see http://ikiwiki-hosting.branchable.com/todo/monkeysphere_for_ssh_key_setup/