Why does GitHub recommend HTTPS over SSH?
On the GitHub site there is a link…
… and it states…
If you have decided not to use the recommended HTTPS method, we can
use SSH keys to establish a secure connection between your computer
and GitHub. The steps below will walk you through generating an SSH
key and then adding the public key to your GitHub account.
Why is HTTPS the recommended method? Is there some sort of security flaw in the SSH method or is it slower? I created an SSH key, so would that mitigate any security concerns?
5 Solutions collected from the web for “Why does GitHub recommend HTTPS over SSH?”
GitHub have changed their recommendation several times (example).
It appears that they currently recommend HTTPS because it is the easiest to set up on the widest range of networks and platforms, and by users who are new to all this.
There is no inherent flaw in SSH (if there were, they would disable it) — in the links below, you will see that they still provide details about SSH connections too:
HTTPS is less likely to be blocked by a firewall.
The https:// clone URLs are available on all repositories, public and private. These URLs work everywhere–even if you are behind a firewall or proxy.
An HTTPS connection allows credential.helper to cache your password.
Good to know: The credential helper only works when you clone an HTTPS
repo URL. If you use the SSH repo URL instead, SSH keys are used for
authentication. While we do not recommend it, if you wish to use this
method, check out this guide for help generating and using an SSH key.
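The note quoted above says the credential helper applies only to HTTPS remote URLs, while SSH remote URLs authenticate with keys. As an added example (not part of the original answers and not GitHub's code), the shell functions below classify a remote URL by which mechanism applies and flag HTTPS URLs that carry a secret inline. The function names, output labels and sample URLs are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. URLs below are constructed; example-user/example-repo is a placeholder.

# remote_auth_kind URL -> prints which authentication path the remote uses:
#   https-credential-helper  HTTPS; credential.helper can supply the secret
#   https-embedded-secret    HTTPS with user:secret@ stored in the URL itself
#   ssh-key                  ssh:// or scp-style remote; SSH keys authenticate
#   other                    git://, http://, local paths, ...
remote_auth_kind() {
    url=$1
    case $url in
        https://*)
            # Authority = text between "https://" and the first "/".
            authority=${url#https://}
            authority=${authority%%/*}
            case $authority in
                *:*@*) echo https-embedded-secret ;;
                *)     echo https-credential-helper ;;
            esac ;;
        ssh://*) echo ssh-key ;;
        *://*)   echo other ;;
        *:*)
            # scp-style [user@]host:path. Git only treats it as SSH when no
            # slash precedes the first colon; otherwise it is a local path.
            host=${url%%:*}
            case $host in
                */*|'') echo other ;;
                *)      echo ssh-key ;;
            esac ;;
        *) echo other ;;
    esac
}

# audit_remotes: reads `git remote -v` output on stdin, prints "name kind".
audit_remotes() {
    while read -r name url rest; do
        if [ -n "$url" ]; then
            printf '%s %s\n' "$name" "$(remote_auth_kind "$url")"
        fi
    done | sort -u
}

# Constructed sample standing in for `git remote -v` output.
audit_remotes <<'EOF'
origin https://github.com/example-user/example-repo.git (fetch)
deploy git@github.com:example-user/example-repo.git (push)
mirror https://example-user:CONSTRUCTED_TOKEN@github.com/example-user/example-repo.git (fetch)
EOF
```

Inside a working tree the same check runs as `git remote -v | audit_remotes`; a remote reported as `https-embedded-secret` keeps its secret in plain text in `.git/config`.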
Either you are quoting it wrong, or GitHub has different recommendations on different pages, or they may have learned with time and updated their recommendation.
We strongly recommend using an SSH connection when interacting with GitHub. SSH keys are a way to identify trusted computers, without involving passwords. The steps below will walk you through generating an SSH key and then adding the public key to your GitHub account.
HTTPS is recommended by GitHub because it's a port that is open in all firewalls. SSH is not always open as a port for communication on a network and is often blocked by network firewalls.
A GitHub repository is therefore more universally accessible using HTTPS than SSH.
SSH keys are more secure in that they do not provide access to your GitHub account, although if someone does get hold of your private key they can do a force push of an empty repository and wipe out your change history.
My preference is to use SSH with a passphrase protected key. SSH can be tunneled over HTTPS if the network you are on blocks the SSH port.
If you use HTTPS, I would recommend adding two-factor authentication, to protect your account as well as your repositories.
Also see: the official Which remote URL should I use? answer on help.github.com.
It seems that it’s no longer necessary to have write access to a public repo to use an SSH URL, rendering my original explanation invalid.
Apparently the main reason for favoring HTTPS URLs is that SSH URLs won’t work with a public repo if you don’t have write access to that repo.
The use of SSH URLs is encouraged for deployment to production servers, however – presumably the context here is services like Heroku.
It’s possible to argue that using SSH keys to authenticate is less secure because we tend to change our password more periodically than we generate new SSH keys.
Servers that limit the lifespan for which they’ll honor given SSH keys can help force users toward the practice of refreshing SSH-keys periodically.