GitHub Is Making Protocol Security Changes for SSH Users
A report detailing the changes GitHub's Git Systems team is making to the SSH algorithms GitHub accepts.
TL;DR
GitHub's Git Systems team announced changes to the SSH algorithms it supports. Support for old key types would be withdrawn, and new key types would be supported to keep users secure.
Key Facts
Support to be removed from all DSA keys.
RSA keys would require SHA-2 signatures.
GitHub offered new ECDSA and Ed25519 host keys via the UpdateHostKeys extension.
The unencrypted Git protocol would receive no more support.
Details
GitHub's Git Systems team, which looks after user security, announced changes to the SSH algorithms it supports in order to improve users' security when pushing and pulling data. The blog post about these changes gave the increase in recent attacks and their ever-changing nature as the reason for the improvements. An extensive report about the changes is on their blog, including the dates on which users can expect each change to take effect.
User keys with older algorithms have less resistance to known attacks. They noted, however, that only users whose Git remote begins with git:// would be affected, and that the changes would be barely noticeable. These changes come after their earlier changes to make GitHub more secure had taken effect; password and authentication changes had previously been deployed.
They announced their decision to drop all DSA keys after an analysis showed that very few users, 0.3%, used them. DSA keys are also less secure, with a security level of 80 bits as opposed to the standard 128 bits. They noted that these changes would occur seamlessly and provide a more secure system for all.
Signature algorithms that have been found to be less secure would no longer receive SSH support. The SHA-1 signature algorithm is less secure, and new users would no longer be able to use it. So even though RSA keys are a safer option than DSA keys, combining them with SHA-1 would leave you vulnerable. RSA keys would remain supported over SSH with SHA-2 signatures, which OpenSSH 7.2 and later support.
A further change announced was support for new host keys. ECDSA and Ed25519 host keys have stronger security characteristics and will be shipped in the near future. The Git Systems team would roll these changes out from mid-September 2021 until March 2022.
Users were advised to check which SSH libraries they were using and to run ssh -vvv git@github.com to see the supported SSH algorithms. Also, if cloning a repository fails, users should check the URL and ensure it begins with https://, ssh:// or git@github.com. The same applies to already existing repositories: any URL beginning with git:// is to be changed to a supported format.
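The two checks the advice above asks for, as an added example that is not from the GitHub post: rewriting a git:// GitHub remote to the still-supported ssh:// or https:// form, and classifying a public key line by its type against the announced schedule. The remote lines and key lines below are constructed; the function names are assumptions of this example.

```shell
#!/bin/sh
# Audit helpers for the GitHub SSH/protocol changes (added example, offline, pure shell).

# rewrite_remote URL [ssh|https]: returns a git:// GitHub URL in ssh:// (default)
# or https:// form; any other URL is printed unchanged.
rewrite_remote() {
    url=$1; scheme=${2:-ssh}
    case $url in
        git://github.com/*)
            path=${url#git://github.com/}
            if [ "$scheme" = https ]; then
                printf 'https://github.com/%s\n' "$path"
            else
                printf 'ssh://git@github.com/%s\n' "$path"
            fi ;;
        *) printf '%s\n' "$url" ;;
    esac
}

# key_status "<type> <base64> [comment]": one word describing what the
# schedule means for this key (type is the first whitespace-separated field).
key_status() {
    keytype=${1%% *}
    case $keytype in
        ssh-dss)      echo dropped ;;    # DSA: no longer accepted from March 15, 2022
        ssh-rsa)      echo sha2-only ;;  # RSA: needs SHA-2 signatures (OpenSSH 7.2+ does this)
        ecdsa-sha2-nistp*|ssh-ed25519) echo ok ;;
        *)            echo unknown ;;
    esac
}

# audit_remotes [ssh|https]: reads "name<TAB>url" lines on stdin (the shape of
# `git remote -v | awk '{print $1"\t"$2}' | sort -u`) and prints each remote
# that must change, as "name: old -> new".
audit_remotes() {
    tab=$(printf '\t')
    while IFS="$tab" read -r name url; do
        new=$(rewrite_remote "$url" "${1:-ssh}")
        if [ "$new" != "$url" ]; then
            printf '%s: %s -> %s\n' "$name" "$url" "$new"
        fi
    done
}
```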
The following table, published on the GitHub blog, summarizes when the upcoming changes take effect:
Date | What happens |
---|---|
September 14, 2021 | New host keys offered via UpdateHostKeys. We’ll start offering ECDSA and Ed25519 host keys through the UpdateHostKeys extension. |
November 2, 2021 | First brownout; RSA with SHA-1 cutoff. All user RSA keys with valid_after dates after this point will need to use SHA-2 signatures during the brownout periods and after the change becomes permanent. We’ll also run several short brownouts on this date. During a brownout, the MACs, ciphers, and protocol we’re removing will be temporarily disabled. |
November 16, 2021 | The ECDSA and Ed25519 host keys will start to be fully usable. GitHub’s DSA host key will no longer be supported. |
January 11, 2022 | Final brownout. This is the full brownout period where we’ll temporarily stop accepting the deprecated key and signature types, ciphers, and MACs, and the unencrypted Git protocol. This will help clients discover any lingering use of older keys or old URLs. |
March 15, 2022 | Changes made permanent. We’ll permanently stop accepting DSA keys. RSA keys uploaded after the cut-off point above will work only with SHA-2 signatures (but again, RSA keys uploaded before this date will continue to work with SHA-1). The deprecated MACs, ciphers, and unencrypted Git protocol will be permanently disabled. |