Why does GitHub recommend HTTPS over SSH

Question

On the GitHub site there is a link     https   help github com articles generating-ssh-keys      and it states        If you have decided not to use the recommended HTTPS method  we can   use SSH keys to establish a secure connection between your computer   and GitHub  The steps below will walk you through generating an SSH   key and then adding the public key to your GitHub account    Why is HTTPS the recommended method   Is there some sort of security flaw in the SSH method or is it slower   I created an SSH key  so would that mitigate any security concerns

User · Accepted Answer

GitHub have changed their recommendation several times (example).

It appears that they currently recommend HTTPS because it is the easiest to set up on the widest range of networks and platforms, and by users who are new to all this.

There is no inherent flaw in SSH (if there was they would disable it) -- in the links below, you will see that they still provide details about SSH connections too:

HTTPS is less likely to be blocked by a firewall.

https://help.github.com/articles/which-remote-url-should-i-use/

The https:// clone URLs are available on all repositories, public and private. These URLs work everywhere--even if you are behind a firewall or proxy.
An HTTPS connection allows credential.helper to cache your password.

https://help.github.com/articles/set-up-git

Good to know: The credential helper only works when you clone an HTTPS repo URL. If you use the SSH repo URL instead, SSH keys are used for authentication. While we do not recommend it, if you wish to use this method, check out this guide for help generating and using an SSH key.

User · Answer

Either you are quoting wrong or github has different recommendation on different pages or they may learned with time and updated their reco    We strongly recommend using an SSH connection when interacting with GitHub  SSH keys are a way to identify trusted computers  without involving passwords  The steps below will walk you through generating an SSH key and then adding the public key to your GitHub account   https   help github com articles generating-ssh-keys

User · Answer

Enabling SSH connections over HTTPS if it is blocked by firewall  Test if SSH over the HTTPS port is possible  run this SSH command     ssh -T -p 443 git ssh github com Hi username  You ve successfully authenticated  but GitHub does not provide shell access    If that worked  great  If not  you may need to follow our troubleshooting guide   If you are able to SSH into git ssh github com over port 443  you can override your SSH settings to force any connection to GitHub to run though that server and port   To set this in your ssh config  edit the file at    ssh config  and add this section   Host github com   Hostname ssh github com   Port 443   You can test that this works by connecting once more to GitHub     ssh -T git github com Hi username  You ve successfully authenticated  but GitHub does not provide shell access      From Authenticating to GitHub   Using SSH over the HTTPS port

User · Answer

I assume HTTPS is recommended by GitHub for several reasons  It s simpler to access a repository from anywhere as you only need your account details  no SSH keys required  to write to the repository   HTTPS Is a port that is open in all firewalls  SSH is not always open as a port for communication to external networks   A GitHub repository is therefore more universally accessible using HTTPS than SSH  In my view SSH keys are worth the little extra work in creating them  SSH Keys do not provide access to your GitHub account  so your account cannot be hijacked if your key is stolen   Using a strong keyphrase with your SSH key limits any misuse  even if your key gets stolen  after first breaking access protection to your computer account    If your GitHub account credentials  username password  are stolen  your GitHub password can be changed to block you from access and all your shared repositories can be quickly deleted  If a private key is stolen  someone can do a force push of an empty repository and wipe out all change history for each repository you own  but cannot change anything in your GitHub account   It will be much easier to try recovery from this breach of you have access to your GitHub account  My preference is to use SSH with a passphrase protected key   I have a different SSH key for each computer  so if that machine gets stolen or key compromised  I can quickly login to GitHub and delete that key to prevent unwanted access  SSH can be tunneled over HTTPS if the network you are on blocks the SSH port  https   help github com articles using-ssh-over-the-https-port  If you use HTTPS  I would recommend adding two-factor authentication  to protect your account as well as your repositories  If you use HTTPS with a tool  e g an editor   you should use a developer token from your GitHub account rather than cache username and password in that tools configuration   A token would mitigate the some of the potential risk of using HTTPS  as tokens can be configured for very specific access privileges and easily be revoked if that token is compromised

User · Answer

It s possible to argue that using SSHs key to authenticate is less secure because we tend to change our password more periodically than we generate new SSH keys     Servers that limit the lifespan for which they ll honor given SSH keys can help force users toward the practice of refreshing SSH-keys periodically

User · Answer

Maybe because it s harder to steal a password from your brain then to steal a key file from your computer  at least to my knowledge  maybe some substances exist already or methods but this is an infinite discussion   And if you password protect the key  then you are using a password again and the same problems arise  but some might argue that you have to do more work  because you need to get the key and then crack the password

User · Answer

Also see  the official Which remote URL should I use  answer on help github com   EDIT   It seems that it s no longer necessary to have write access to a public repo to use an SSH URL  rendering my original explanation invalid   ORIGINAL    Apparently the main reason for favoring HTTPS URLs is that SSH URL s won t work with a public repo if you don t have write access to that repo   The use of SSH URLs is encouraged for deployment to production servers  however - presumably the context here is services like Heroku

[git] Why does GitHub recommend HTTPS over SSH?

Examples related to git

Examples related to github

Examples related to ssh

Examples related to https