Various protocols have been developed for transferring data between client and server, such as HTTP, HTTPS, SSH, FTP, SFTP, and FTPS. In standard HTTP, all information between the client and the server, in both directions, is sent in plain text. Anything sent from the client reaches the server over a public network (the internet) in plain text. That data is therefore vulnerable: hackers can act as a man in the middle and intercept all the requests and responses.
This may not be a problem if you are just browsing a regular website, since no sensitive data is involved. But if you want to transfer secure and sensitive data, it has to be encrypted. Then even if hackers intercept the encrypted data, it is meaningless to them because it is in encrypted form.
So, many secure protocols such as HTTPS, FTPS, SFTP, SSH, and SSL/TLS were developed.
From Git Perspective:
In Git, there may be private and public repositories. For public repositories, data sent between server and client over HTTP does not have much impact. But if you have private repositories and many developers are working on them, it is necessary to transfer data between the developer's computer (i.e. the Git client) and the private Git repositories in a secure way, so that no hacker can intercept that data.
Git uses several protocols for client-server communication:
- Plain git.
But SSH and HTTPS are the secured ones. So, many Git servers like GitHub, Bitbucket, and GitLab use these two popular cryptographic network protocols, SSH and HTTPS.
When you are cloning, pushing, and pulling changes between GitHub repositories and your computer, there are two popular cryptographic network protocols to choose from: 1) HTTPS and 2) SSH.
HTTPS is a secure version of HTTP, where data sent between the client and server is encrypted. When hackers intercept the encrypted data, they cannot make any sense of it and cannot reverse it.
SSH means "Secure Shell". It is also a secured protocol, where data sent between the client and server is encrypted. SSH uses port 22 to negotiate or authenticate the connection. Authentication of the remote device is done by public-key cryptography.
How does SSH work?
In Git, one machine functions as an SSH client and another as an SSH server. SSH can be configured with a pair of keys, known as the private key and the public key. The SSH server holds the public key, while the SSH client has the private key, which is saved locally on the client side. When the SSH client wants to connect to the SSH server, it presents the ID of its key pair to prove its identity. The SSH server then creates a challenge, encrypts it with the public key, and sends it back to the SSH client. You, as the client, take the challenge, decrypt the message with the client's private key, and send the original challenge back to the SSH server. Once the negotiation is completed, the connection is established and you can get to work.
Git with HTTPS and SSH:
Here, I will discuss this using the Git hosting service provider GitHub, but it works the same for GitLab or Bitbucket as well.
Git with HTTPS
Getting started with Git over HTTPS for cloning, pulling, and pushing is much easier and requires much less setup.
origin https. .. then you are using an HTTPS link.
fig. git clone link in action
Git with HTTPS uses password-based authentication for every action such as git push, git clone, git fetch, and git pull. So, it is recommended to create a strong and unique password using a password manager.
Why do people prefer the HTTPS protocol for Git?
- It is the easiest to set up on the widest range of networks and platforms, and it lets people get started in a simple and secure way.
- It does not require generating an SSH key and copying and pasting it into the Git server provider.
- It is easier to access and write to repositories from anywhere; you just need your account details.
- HTTPS uses a port that is open in all firewalls, so no firewall settings need to be changed.
The downside of Using HTTPS
- You have to enter the GitHub password every time you push. But you can store it permanently using Windows credentials on a Windows machine, so that the credential.helper caches your password for the HTTPS link.
- If your GitHub/Bitbucket/GitLab account (username and password) is stolen, your account can be changed, you can be blocked from accessing all your Git repositories, and all your repositories can even be deleted.
If you have two-factor authentication (2FA) enabled, you will have to use a personal access token (PAT) instead of your regular password. If you have enabled two-factor authentication, Git will prompt you for a code from your mobile device, or one sent as a text message, after you have successfully entered your username and password.
PAT-based authentication is considered to be more secure than password-based authentication. Here, we treat the PAT as a password.
- Use a strong password.
- Don't compromise your git account.
Git With SSH
Git uses the SSH protocol to securely transfer repository data over the internet. It uses public-key encryption to secure data.
Git with SSH uses public-key encryption-based authentication for every action such as git push, git clone, git fetch, and git pull.
If the links show
origin git. .. then you are using an SSH link.
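Added example (not from the original article): a small POSIX shell audit that goes one step beyond reading the `origin` link by eye. It classifies each remote URL by transport, flags the unencrypted ones, and also flags a password or token embedded in an HTTPS URL, a check the article does not describe; the function names, hosts and token are constructed for illustration.

```sh
# classify_remote URL -> https | ssh | http-plaintext | git-plaintext | local | unknown
classify_remote() {
    case "$1" in
        https://*)            echo "https" ;;
        ssh://*)              echo "ssh" ;;
        http://*)             echo "http-plaintext" ;;
        git://*)              echo "git-plaintext" ;;
        file://*|/*|./*|../*) echo "local" ;;
        *://*)                echo "unknown" ;;
        *:*)                  echo "ssh" ;;   # scp-like form [user@]host:path
        *)                    echo "unknown" ;;
    esac
}

# has_embedded_secret URL -> exit 0 when the authority part carries user:secret@
has_embedded_secret() {
    rest=${1#*://}
    [ "$rest" != "$1" ] || return 1        # no scheme, so no userinfo to inspect
    case "${rest%%/*}" in *:*@*) return 0 ;; esac
    return 1
}

# audit_remotes: reads `git remote -v` style lines on stdin and prints
# "name kind transport verdict"; the URL itself is never echoed.
audit_remotes() {
    while read -r name url kind; do
        [ -n "$url" ] || continue
        transport=$(classify_remote "$url")
        verdict=ok
        case "$transport" in *-plaintext) verdict=UNENCRYPTED ;; esac
        if has_embedded_secret "$url"; then verdict=SECRET-IN-URL; fi
        echo "$name $kind $transport $verdict"
    done
}

# Constructed sample input (hypothetical hosts and token, not from the article).
sample_remotes() {
    cat <<'EOF'
origin https://github.com/example-org/app.git (fetch)
origin git@github.com:example-org/app.git (push)
mirror git://git.example.test/app.git (fetch)
legacy http://git.example.test/app.git (fetch)
ci https://builder:EXAMPLE-TOKEN@git.example.test/app.git (fetch)
EOF
}

sample_remotes | audit_remotes
```

In a real checkout, replace the sample with `git remote -v | audit_remotes`.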
To use SSH URLs, you must generate an SSH key pair on your computer, keep the private key to yourself, and add the public key to your GitHub account.
If you use SSH URLs, then when you git clone, git fetch, git pull, or git push to the remote repository, it will prompt for a password and you must provide your SSH key passphrase.
Why do people prefer the SSH protocol for Git?
- Using the key is more secure than using a password.
- Since you do not have a password for SSH, two-factor authentication is not required. Whoever has your private key can push to your repositories without needing a code-generating device.
- If your private key is stolen, someone can force push to new empty repositories and remove all change records and history for every repository you have, but they (whoever stole it) cannot change anything in your GitHub account. That makes it much easier to attempt to restore your GitHub account from this hack.
The downside of Using SSH
- One minor drawback is that all connections require authentication, so you always need a GitHub account, even for cloning and pulling repositories, but you can store a key so that it will not ask.
- Networks and firewalls sometimes refuse to allow SSH connections at all. This irritates developers. But in most cases this does not occur. Even if SSH port access is refused, it is easy to configure SSH to work over HTTPS.