GitHub Is Making Protocol Security Changes for SSH Users

A report detailing changes being made by Git systems to the algorithm at GitHub.


Git systems announce changes to their algorithms. Old keys would have their support withdrawn, and new keys would be provided with support to ensure security for users.

The DSA keys are also less secure, with security levels of 80-bit as opposed to the standard 128 bit
The DSA keys are also less secure, with security levels of 80-bit as opposed to the standard 128 bit
Key Facts
  1. 1

    Support to be removed from all DSA keys.

  2. 2

    RSA keys would be provided with new signature keys.

  3. 3

    Git folks offered ECDSA and Ed25519 new host keys via UpdateHostKeys.

  4. 4

    Unencrypted Git would receive no more support.


The folks at Github that are concerned with user's security, Git Systems, announced some changes to be made to their algorithms to improve the users' security when pushing and pulling data. The blog post about these changes noted that the reason for these improvements was the increase in recent attacks and the ever-changing dynamics of these attacks. An extensive report is found on their blog about these changes, including dates on which users expect each change to take effect.

User keys with older algorithms have less resistance to known attacks. They, however, noted that only users whose Git remote begins with git:// would be affected and that the changes would be barely noticeable. These changes are coming after their initial changes in making GitHub more secure had been affected, and password changes and authentication changes had previously been deployed.

They announced their decision to drop all DSA keys due to an analysis showing that very few users, 0.3%, operated them. The DSA keys are also less secure, with security levels of 80-bit as opposed to the standard 128 bit. They noted that these changes would occur seamlessly and provide a more secure system for all.

Signature algorithms that have been noticed to be less secure would no longer receive SSH support. The SHA-1 signature algorithm is less secure, and new users would no longer be able to use them. So even though the RSA keys are a safer option than the DSA keys, combining it with the SHA-1 would leave you vulnerable. The OpenSSH 7.2 and the SHA-2  signatures would be the SSH support for RSA keys.

Further changes to the support added were the announcement to provide support for new host keys. The keys ECDSA and Ed22519 keys have more security characteristics and will be shipped in the nearest future. The Git folks would effect these changes from mid-September 2021 till March 2022.

Users were advised to check for the SSH libraries they were using and check for supported SSH algorithms. Also, in instances of failure to clone a repository, users should check the URL and ensure they are https://, ssh:// or The same protocols are to be observed for already existing repositories, and the URL with git:// is to be changed to a supported format.

The following table, published on Github blog, summarizes when the upcoming changes will be effective:

Date What happens
September 14, 2021 New host keys offered via UpdateHostKeys.

We’ll start offering ECDSA and Ed25519 host keys through the UpdateHostKeys extension.
November 2, 2021 First brownout; RSA with SHA-1 cutoff.
All user RSA keys with valid_after dates after this point will need to use SHA-2 signatures during the brownout periods and after the change becomes permanent. We’ll also run several short brownouts on this date. During a brownout, the MACs, ciphers, and protocol we’re removing will be temporarily disabled.
November 16, 2021 The ECDSA and Ed25519 host keys will start to be fully usable. GitHub’s DSA host key will no longer be supported.
January 11, 2022 Final brownout.
This is the full brownout period where we’ll temporarily stop accepting the deprecated key and signature types, ciphers, and MACs, and the unencrypted Git protocol. This will help clients discover any lingering use of older keys or old URLs.
March 15, 2022 Changes made permanent.
We’ll permanently stop accepting DSA keys. RSA keys uploaded after the cut-off point above will work only with SHA-2 signatures (but again, RSA keys uploaded before this date will continue to work with SHA-1). The deprecated MACs, ciphers, and unencrypted Git protocol will be permanently disabled.

Get similar news in your inbox weekly, for free

Share this news:

Latest stories

How ManageEngine Applications Manager Can Help Overcome Challenges In Kubernetes Monitoring

We tested ManageEngine Applications Manager to monitor different Kubernetes clusters. This post shares our review …

AIOps with Site24x7: Maximizing Efficiency at an Affordable Cost

In this post we'll dive deep into integrating AIOps in your business suing Site24x7 to …

A Review of Zoho ManageEngine

Zoho Corp., formerly known as AdventNet Inc., has established itself as a major player in …

Should I learn Java in 2023? A Practical Guide

Java is one of the most widely used programming languages in the world. It has …

The fastest way to ramp up on DevOps

You probably have been thinking of moving to DevOps or learning DevOps as a beginner. …

Why You Need a Blockchain Node Provider

In this article, we briefly cover the concept of blockchain nodes provider and explain why …

Top 5 Virtual desktop Provides in 2022

Here are the top 5 virtual desktop providers who offer a range of benefits such …

Why Your Business Should Connect Directly To Your Cloud

Today, companies make the most use of cloud technology regardless of their size and sector. …

7 Must-Watch DevSecOps Videos

Security is a crucial part of application development and DevSecOps makes it easy and continuous.The …