GitHub Is Making Protocol Security Changes for SSH Users
A report detailing changes being made by GitHub's Git Systems team to the SSH algorithms GitHub supports.
GitHub's Git Systems team has announced changes to the algorithms it accepts. Support for old key types would be withdrawn, and new key types would be supported, to improve security for users.
Support to be removed from all DSA keys.
RSA keys would need to use newer signature algorithms (SHA-2 rather than SHA-1).
New ECDSA and Ed25519 host keys offered via UpdateHostKeys.
Unencrypted Git would receive no more support.
The team at GitHub responsible for users' security, Git Systems, announced a set of changes to the algorithms used to protect pushing and pulling data. The blog post about these changes gave as its reason the increase in recent attacks and the ever-changing nature of those attacks. An extensive report on the changes, including the dates on which users can expect each change to take effect, is available on their blog.
User keys that use older algorithms are less resistant to known attacks. They noted, however, that only users whose Git remote begins with git:// would be affected and that the changes would be barely noticeable. These changes follow earlier work to make GitHub more secure; changes to passwords and authentication had already been deployed.
They announced their decision to drop all DSA keys after an analysis showed that very few users, 0.3%, were using them. DSA keys are also less secure, offering an 80-bit security level as opposed to the standard 128-bit. They noted that these changes would happen seamlessly and provide a more secure system for all.
Signature algorithms that have been found to be less secure would no longer receive SSH support. The SHA-1 signature algorithm is less secure, and new users would no longer be able to use it. So even though RSA keys are a safer option than DSA keys, combining them with SHA-1 would leave you vulnerable. RSA keys will keep SSH support when used with SHA-2 signatures, which OpenSSH has supported since version 7.2.
A further change was the announcement of support for new host keys. ECDSA and Ed25519 keys have stronger security characteristics and will be shipped in the near future. The Git Systems team will roll out these changes from mid-September 2021 through March 2022.
Users were advised to check which SSH libraries they are using and to check email@example.com for supported SSH algorithms. Also, if cloning a repository fails, users should check the URL and ensure they are firstname.lastname@example.org. The same steps apply to existing repositories: any URL beginning with git:// is to be changed to a supported format.
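As an added example (not from the article or from GitHub's own tooling), this POSIX shell script checks the three things the advice above asks for: the installed OpenSSH version (7.2 or later can sign with RSA and SHA-2), the key types under ~/.ssh, and any git:// remotes in the current repository, which it rewrites to the SSH form. The git@github.com:OWNER/REPO.git target form is an assumption.

```shell
#!/bin/sh
# Added example, not from GitHub's post: audit a checkout for the things the
# schedule below deprecates. Assumes the repository's remotes should move to
# the SSH form git@github.com:OWNER/REPO.git (a hypothetical choice).

# 0 if the remote URL uses a supported scheme, 1 if it uses unencrypted git://.
remote_ok() {
  case "$1" in
    git://*) return 1 ;;
    *) return 0 ;;
  esac
}

# Rewrite a git://github.com/ URL to its SSH form; other URLs pass through.
to_ssh_url() {
  printf '%s\n' "$1" | sed -e 's#^git://github\.com/#git@github.com:#'
}

# Classify a public key line (id_*.pub format). DSA keys are being dropped;
# RSA keys stay supported but new uploads need SHA-2 signatures, so flag them.
key_status() {
  case "$1" in
    "ssh-dss "*) echo deprecated ;;
    "ssh-rsa "*) echo needs-sha2 ;;
    ecdsa-sha2-*|"ssh-ed25519 "*) echo ok ;;
    *) echo unknown ;;
  esac
}

# 0 if an "ssh -V" banner is OpenSSH 7.2 or newer (RSA/SHA-2 capable),
# 1 if older, 2 if the banner cannot be parsed (e.g. ssh not installed).
openssh_supports_rsa_sha2() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 2
  set -- $ver
  if [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -ge 2 ]; }; then return 0; fi
  return 1
}

# Report on the installed client, the user's keys, and the current repository.
openssh_supports_rsa_sha2 "$(ssh -V 2>&1)" || echo "ssh client too old or not found"
for pub in "$HOME"/.ssh/*.pub; do
  if [ -f "$pub" ]; then printf '%s: %s\n' "$pub" "$(key_status "$(cat "$pub")")"; fi
done
if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
  git remote -v | awk '{print $2}' | sort -u | while read -r url; do
    remote_ok "$url" || printf 'unencrypted remote %s -> %s\n' "$url" "$(to_ssh_url "$url")"
  done
fi
```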
The following table, published on the GitHub blog, summarizes when the upcoming changes will take effect:

| Date | Change |
| --- | --- |
| September 14, 2021 | New host keys offered via UpdateHostKeys. We’ll start offering ECDSA and Ed25519 host keys through the UpdateHostKeys extension. |
| November 2, 2021 | First brownout; RSA with SHA-1 cutoff. All user RSA keys with valid_after dates after this point will need to use SHA-2 signatures during the brownout periods and after the change becomes permanent. We’ll also run several short brownouts on this date. During a brownout, the MACs, ciphers, and protocol we’re removing will be temporarily disabled. |
| November 16, 2021 | The ECDSA and Ed25519 host keys will start to be fully usable. GitHub’s DSA host key will no longer be supported. |
| January 11, 2022 | This is the full brownout period where we’ll temporarily stop accepting the deprecated key and signature types, ciphers, and MACs, and the unencrypted Git protocol. This will help clients discover any lingering use of older keys or old URLs. |
| March 15, 2022 | Changes made permanent. We’ll permanently stop accepting DSA keys. RSA keys uploaded after the cut-off point above will work only with SHA-2 signatures (but again, RSA keys uploaded before this date will continue to work with SHA-1). The deprecated MACs, ciphers, and unencrypted Git protocol will be permanently disabled. |