Secure push and pull: GitHub improves connection protocol

Note: We have used commission links in this article and marked them with “*”. If an order is placed via these links, t3n.de receives a commission.

GitHub takes care of data transmission via SSH and the unencrypted Git protocol. Data communication that is already running via HTTPS is not affected by the upcoming changes.

In a detailed blog post GitHub explains in great detail which adjusting screws for protocol security should be turned in the near future. In the period from September 14, 2021 to March 15, 2022, GitHub removed cryptographic keys and algorithms in SSH that were considered insecure in exchange for more modern variants. The unencrypted Git protocol, which GitHub assumes that hardly anyone uses it anyway, is completely switched off. So if you still use git: //, you should take the opportunity and switch to https: //.

The measures are intended to improve the security of the push and pull actions and only affect SSH communication. HTTPS connections are not affected by any of the changes. GitHub therefore initially assumes that there will be hardly any affected people who will even notice the changes.

In detail, GitHub is making the following changes:

Support for all DSA keys will be removed because those with 80-bit encryption are considered too insecure. In fact, at least one 128-bit encryption is now standard. In general, the more bits, the harder it is to crack.

The stronger RSA keys are still allowed, but only in combination with newer algorithms with SHA-2 signatures. SHA-1 is no longer allowed for new RSA keys. These must use SHA-2. All CBC ciphers are also removed. The standards ECDSA and Ed25519 based on elliptic curve cryptography can in future also be used in the function of the server key.

In a transition phase that begins on September 14, 2021, GitHub will gradually implement the changes. SHA-1 and DSA keys expire in November 2021. On March 15th it will be over, all changes will be implemented hard. However, users of RSA keys with SHA-1 must take into account that they will continue to work after March 2022. Only new keys of this combination can no longer be implemented after November 2, 2021.