BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ

Topics

Choose your language

InfoQ Homepage News GitHub to Phase out Support for Git Protocol, DSA Keys and Legacy SSH Algorithms

GitHub to Phase out Support for Git Protocol, DSA Keys and Legacy SSH Algorithms

This item in japanese

With a strong focus on having customer data as secure as possible, GitHub has decided to remove support for the unencrypted Git protocol, DSA keys and some legacy SSH algorithms. Also, it is adding requirements for newly added RSA keys and providing support for ECDSA and Ed25519 host keys SSH. These changes might affect only SSH and "git://" users, while the "https://" users will be unaffected. Nevertheless, starting mid-September 2021 until mid-March 2022, GitHub will slowly phase-out less secure technology making room for more secure ones.

Following the recent removal of the support for passwords over HTTPS, which was part of GitHub's drive to keep customers' data as secure as possible, they decided to stop using old key types. As DSA keys offer only 80-bit security level under the current standard of 128-bit, and as only less than 0.3% of the GitHub requests are being made using these requests, it is their belief that their rejection altogether will increase security with little user friction. As a next step, support for the DSA host keys is expected to also be removed.

Even though RSA keys are stronger than DSA keys, some older Git clients might use them in combination with an obsolete signature algorithm that uses SHA-1. As many SSH clients, which also start from OpenSSH 7.2 support RSA and SHA-2 signatures, the support for SHA-1 signatures will be dropped, enforcing SHA-2. Keys having a valid-after before the deadline (November 2, 2021) may continue using SHA-1 signatures for the time being.

SSH service will drop support for insecure algorithms like hmac-sha1 and CBC ciphers (aes256-cbc, aes192-cbc and aes128-cbc). The attacks on CBC ciphers are very easy to conduct and the company considers that based on their data, there are better encryption and MAC algorithms.

As the unencrypted git:// offers no integrity or authentication, it can be exposed to interferences. As there is a limited number of users still using it, probably due to the fact that it is exposed just in read-only form (i.e. you cannot push code) on GitHub, its support will be dropped as well.

GitHub doesn’t only drop support for old standards, but also adds support for new host keys: ECDSA and Ed25519 are newer standards based on elliptic curve cryptography, and they will be supported as well as they offer good security characteristics for limited sizes and computation increases. For the short term they will be shipped using OpenSSH’s UpdateHostKeys extension, which uses a secure technique to prove that GitHub owns the new keys it’s proposing.

Continuing on their path of trying to keep GitHub data as secure as possible, GitHub’s Git Systems team decided to remove support for old and unsecure algorithms and keys, mostly known as potential targets of attacks. These changes come after the recent removal of support for passwords over https, all in the benefit of staying ahead of the curve when it comes to security. In order to keep the affected users to a minimum, the company made sure that just small percentages of users are affected and provided a clear milestone plan, together with a guide on how to make sure you are unaffected by the changes.

Rate this Article

Adoption
Style

BT