HTTPS vs SSH in git in 5 minutes
What is HTTPS vs SSH in git? This is the question every newbie keeps asking during their starting day with git and GitHub. In this article, I will provide you an in-depth concept and practical use of those protocols in git.
There are various protocols developed for transferring data from client to server like HTTP, HTTPS, ssh, FTP,sFTP, FTPs, etc. In standard HTTP, all information between client to server and vice versa is sent in plain text. Any things send from the client and reached the server over a public network(called the internet) in plain text format. So those data are vulnerable and hackers can act as Man in the Middle and intercept all the requests and responses.
It can be no problem if you just use it for browsing a regular website since there does not involve any secure data. But if you want to transfer secure and sensitive data then we have to encrypt it. So even if hackers intercept those encrypted data then that makes no sense to him since it is in encrypted form.
So, many secure protocols like HTTPS, ftps, sftp, ssh, SSL/TLS were developed.
From Git Perspective:
In a git, there may be private and public repositories. For public repositories, even data send from server to client and vice versa with HTTP does not have much impact. But if you have private repositories and many developers are working on that repositories then it is necessary to transfer data between client(developer) computer(ie. Git Client) to git private repositories in a secure way so that no hacker can intercept those data.
Git uses several protocols for client-server communication :
- Plain git.
But ssh and HTTPS are secured ones. Due to which many git servers like Github, bitbuckets, GitLab used those two popular cryptographic network protocols.
When you cloning, pushing, and pulling changes between GitHub repositories and your computer, there are two popular cryptographic network protocol to choose 1) HTTPS and 2 ) SSH
Common in both HTTPS and SSH
- Both HTTPS and SSH are communication protocols.
- Both HTTPS and SSH works for providing a reliable and secure connection
It is a secure version of HTTPS, where data sent between the client and server is encrypted. Now hacker when intercept those encrypted data and hackers cannot make any sense of those encrypted data and makes no sense to him and cannot reverse it. Https used port 443 to negotiate the connection. Its mode of authentication is Public/Private Pair.
It is mainly developed for secure transferring of data between client and server.
SSH means "Secured Shell".It is also a secured version, where data sent between the client and server is encrypted.SSH used port 22 is used to negotiate or authenticate the connection. The remote device authentication is done by public-key cryptography. Its mode of authentication is public/private Pair, or userid/password pair.
It is made to reduce security threats for remote server login.
How SSH works?
In Git, one machine functions as an SSH client and another as an SSH server.SSH can be configured with a pair of keys which are known to be private and public keys. The SSH server holds the public key, while the SSH client has a private key that is locally saved at the client side.SSH clients want to connect with the SSH server and SSH clients provide Id in key pairs to prove their identity. Then the ssh server creates a challenge by encrypting it with the public key and send back to the ssh client. So, you as a client take the challenges and try to decrypt the message with the client's private key and then send the original challenge to the ssh server. once the negotiation is completed then the connection is established and you can get to work.
In a nutshell and in layman's terms, we have private and public keys generated in SSH, then public keys are stored on Git hosting. Now onward if we want to do any action in git, the private key stored in PC is matched with the public key stored in git hosting. If they match, then without prompting the username and the password you are allowed to do this action.
Git with HTTPS and SSH:
Here, I will discuss with git hosting service provider Github. But will work the same for Gitlab or Bitbucket as well.
Git with HTTPS
Starting git with HTTPS for cloning, pulling, and pushing is much easier and can be done with much less setup.
origin https. .. then you are using an HTTPS link.
fig. git clone link in action
Git with HTTPS uses password-based authentication for doing every action like git push, git clone, git fetch and git pull, etc. So, it is recommended to create a strong and unique password by using a password manager.
Why do people prefer HTTPS protocol for GIT?
- It is easiest to set up on the widest range of networks and platforms and is easier for people to get started in a simple and secure way.
- It does not require to generate/copy/paste ssh keys in the git server provider.
It is easier to access and write on repositories from anywhere and you just need account details.
- HTTPS is a port that is open in all firewalls and does not require to open by doing to firewall settings.
The downside of Using HTTPS
- The downside of using HTTPS: You have to enter the Github password every time you push. But you can set it to store it permanently using windows credentials in the windows machine. So the credential.helper will cache your password with an HTTPS link. However, if the user changes their password, they must reconfigure everything from scratch visit here
- If your Github/bitbucket/GitLab account (username and password) is stolen then your GitHub/bitbucket/GitLab account can be changed and blocked by them from accessing all your git repositories and even can delete all your repositories.
If you have two-factor authentication enabled(2FA), you will have to use a personal access token(PAT) instead of your regular standard password. If you have enabled Two Factor Authentication, git will prompt you to have a code on your mobile devices or send it as a text message after successfully entering your username and password.
PAT-based authentication is considered to be more secure than password-based authentication. Here, we treat the PAT token as a password. Click here for creating PAT token in github.
- Use a strong password.
- Don't compromise your git account.
Git With SSH
Git used SSH protocol to securely transfer repository data over the internet. Uses public key encryption to secure data.
Git with HTTPS uses public-key encryption-based authentication for doing every action like git push, git clone, git fetch and git pull, etc.
If the links show
origin git. .. then you are using an SSH link.
To use SSH URLs, you must generate an SSH keypair on your computer and kept a private key yourself, and add the public key to your GitHub account.
If you want to use SSH URLs, then at the time of git clone, git fetch, git pull or git push to the remote repository, then it will prompt for a password and just must just provide your SSH key passphrase.
Why do people prefer SSH protocol for GIT?
- Using the key is more secure than using a password.
- No repetitive authentication is required as with HTTPS. For every action that you perform, SSH removes the burden of authenticating on your remote server for every action (clone/push/pull) in git. This is one of the major reasons why SSH prefers to HTTPS.
- Since you do not have a password for SSH so do not require two-factor authentication. Whoever has your private key can push to your repositories without needing a code-generating device.
- If your private key is stolen, someone can do a force push to new empty repositories and remove all change records and history for every repository you have, but they (who have stolen) cannot change anything in your GitHub account. This would be much easier to attempt to restore your GitHub account from this hack.
- SSH seems to be more secure than HTTPS as it does not use password-based authentication.
The downside of Using SSH
One minor drawback is that all connections require authentication, so you always need a Github account -even for cloning and pulling repositories but you can store a key so that it will not ask.
- Networks and Firewalls sometimes refuse to totally allow SSH connections. This makes developers irritating. But must of the case this does not occur. Even If refuse SSH port access then also firewalls allow easy to configure SSH to work over HTTPS.
- Initial Setup is a little time-consuming.
- use SSH with a passphrase protected key
Ans: HTTPS and HTTP are communication protocols and SSL helps to encrypt and secure that communication channel. TLS is the modern version of SSL.
If data is to be transferred over a communication channel using HTTPS, the first SSL session is established, then all data are bundled into secured SSL or TLS packets before sending and after receiving.
SSH stands for Secure Shell. SSL stands for Secure Socket Layer. Both are used for secure and reliable connections. These are two important security features used to conduct today's business on the internet.
- SSL is used to encrypt communication between browser and Server.SSH is used to encrypt communication between any two computers.
One may be a server and another client.
- Authentication in SSL is done via public/private key pair. And in SSH, most of the cases it is done through UserId/Password Pair.
- SSH provides additional features like providing multiple data channels to its application, supports execution of remote programming, TCP IP connections, can issue commands, etc.
Ans: In my view, ssh seems to be more secure and safer than HTTPS because SSH does not use password-based authentication as Https Does. And Password-based authentication seems to be more vulnerable to hackers because humans generally used the same password everywhere on multiples sites, which may result in many vulnerabilities.
So, if SSH keys matter, if proper guidelines of securing SSH are followed then the SSH key generally seems to be more secure.
This is a broad topic, I am just giving my view.
Actually, there are two types of URLs of your git repository. They are HTTPS URL and SSH URL.
HTTPS Url Look like this:
Git Url look like this:
Ans: It depends on the amount of latency between your system and the remote server. It is true that for setup ssh connections, doing a DNS lookup, making TCP connections, authenticating takes a longer time in SSH protocol as SSH is a complex protocol.
According to GitHub git, it is said that HTTPS is slightly faster than SSH in a high latency network. (source)