Why does GitHub recommend HTTPS over SSH

Question

On the GitHub site there is a link     https   help github com articles generating-ssh-keys      and it states        If you have decided not to use the recommended HTTPS method  we can   use SSH keys to establish a secure connection between your computer   and GitHub  The steps below will walk you through generating an SSH   key and then adding the public key to your GitHub account    Why is HTTPS the recommended method   Is there some sort of security flaw in the SSH method or is it slower   I created an SSH key  so would that mitigate any security concerns

User · Answer

Either you are quoting wrong or github has different recommendation on different pages or they may learned with time and updated their reco.

We strongly recommend using an SSH connection when interacting with GitHub. SSH keys are a way to identify trusted computers, without involving passwords. The steps below will walk you through generating an SSH key and then adding the public key to your GitHub account.

https://help.github.com/articles/generating-ssh-keys

User · Answer

GitHub have changed their recommendation several times  example    It appears that they currently recommend HTTPS because it is the easiest to set up on the widest range of networks and platforms  and by users who are new to all this   There is no inherent flaw in SSH  if there was they would disable it  -- in the links below  you will see that they still provide details about SSH connections too    HTTPS is less likely to be blocked by a firewall   https   help github com articles which-remote-url-should-i-use      The https    clone URLs are available on all repositories  public and private  These URLs work everywhere--even if you are behind a firewall or proxy   An HTTPS connection allows credential helper to cache your password   https   help github com articles set-up-git     Good to know  The credential helper only works when you clone an HTTPS   repo URL  If you use the SSH repo URL instead  SSH keys are used for   authentication  While we do not recommend it  if you wish to use this   method  check out this guide for help generating and using an SSH key

User · Answer

Maybe because it s harder to steal a password from your brain then to steal a key file from your computer  at least to my knowledge  maybe some substances exist already or methods but this is an infinite discussion   And if you password protect the key  then you are using a password again and the same problems arise  but some might argue that you have to do more work  because you need to get the key and then crack the password

User · Answer

Enabling SSH connections over HTTPS if it is blocked by firewall  Test if SSH over the HTTPS port is possible  run this SSH command     ssh -T -p 443 git ssh github com Hi username  You ve successfully authenticated  but GitHub does not provide shell access    If that worked  great  If not  you may need to follow our troubleshooting guide   If you are able to SSH into git ssh github com over port 443  you can override your SSH settings to force any connection to GitHub to run though that server and port   To set this in your ssh config  edit the file at    ssh config  and add this section   Host github com   Hostname ssh github com   Port 443   You can test that this works by connecting once more to GitHub     ssh -T git github com Hi username  You ve successfully authenticated  but GitHub does not provide shell access      From Authenticating to GitHub   Using SSH over the HTTPS port

User · Answer

I assume HTTPS is recommended by GitHub for several reasons  It s simpler to access a repository from anywhere as you only need your account details  no SSH keys required  to write to the repository   HTTPS Is a port that is open in all firewalls  SSH is not always open as a port for communication to external networks   A GitHub repository is therefore more universally accessible using HTTPS than SSH  In my view SSH keys are worth the little extra work in creating them  SSH Keys do not provide access to your GitHub account  so your account cannot be hijacked if your key is stolen   Using a strong keyphrase with your SSH key limits any misuse  even if your key gets stolen  after first breaking access protection to your computer account    If your GitHub account credentials  username password  are stolen  your GitHub password can be changed to block you from access and all your shared repositories can be quickly deleted  If a private key is stolen  someone can do a force push of an empty repository and wipe out all change history for each repository you own  but cannot change anything in your GitHub account   It will be much easier to try recovery from this breach of you have access to your GitHub account  My preference is to use SSH with a passphrase protected key   I have a different SSH key for each computer  so if that machine gets stolen or key compromised  I can quickly login to GitHub and delete that key to prevent unwanted access  SSH can be tunneled over HTTPS if the network you are on blocks the SSH port  https   help github com articles using-ssh-over-the-https-port  If you use HTTPS  I would recommend adding two-factor authentication  to protect your account as well as your repositories  If you use HTTPS with a tool  e g an editor   you should use a developer token from your GitHub account rather than cache username and password in that tools configuration   A token would mitigate the some of the potential risk of using HTTPS  as tokens can be configured for very specific access privileges and easily be revoked if that token is compromised

User · Answer

Also see  the official Which remote URL should I use  answer on help github com   EDIT   It seems that it s no longer necessary to have write access to a public repo to use an SSH URL  rendering my original explanation invalid   ORIGINAL    Apparently the main reason for favoring HTTPS URLs is that SSH URL s won t work with a public repo if you don t have write access to that repo   The use of SSH URLs is encouraged for deployment to production servers  however - presumably the context here is services like Heroku

User · Answer

It s possible to argue that using SSHs key to authenticate is less secure because we tend to change our password more periodically than we generate new SSH keys     Servers that limit the lifespan for which they ll honor given SSH keys can help force users toward the practice of refreshing SSH-keys periodically

[git] Why does GitHub recommend HTTPS over SSH?

Examples related to git

Examples related to github

Examples related to ssh

Examples related to https