HTTPS vs SSH in git in 5 minutes
What is HTTPS vs SSH in git? This is the question every newcomer keeps asking in their first days with git and GitHub. In this article, I will give you an in-depth look at the concepts and practical use of these protocols in git.
Various protocols have been developed for transferring data from client to server, such as HTTP, HTTPS, SSH, FTP, SFTP, and FTPS. In standard HTTP, all information between client and server is sent in plain text. Anything sent from the client reaches the server over a public network (the internet) in plain text. So that data is vulnerable: hackers can act as a man in the middle and intercept all the requests and responses.
This may be no problem if you are just browsing a regular website, since no sensitive data is involved. But if you want to transfer secure and sensitive data, it has to be encrypted. Then even if hackers intercept the encrypted data, it makes no sense to them, since it is in encrypted form.
So, many secure protocols like HTTPS, FTPS, SFTP, SSH, and SSL/TLS were developed.
From a Git Perspective:
In git, there may be private and public repositories. For public repositories, sending data from server to client and vice versa over HTTP does not have much impact. But if you have private repositories and many developers are working on those repositories, then data must be transferred between the developer's computer (i.e. the git client) and the private repositories in a secure way, so that no hacker can intercept it.
Git uses several protocols for client-server communication:
- Plain git.
But SSH and HTTPS are the secured ones, which is why many git servers like GitHub, Bitbucket, and GitLab use these two popular cryptographic network protocols.
When you are cloning, pushing, and pulling changes between GitHub repositories and your computer, there are two popular cryptographic network protocols to choose from: 1) HTTPS and 2) SSH.
Common in both HTTPS and SSH
- Both HTTPS and SSH are communication protocols.
- Both HTTPS and SSH work to provide a reliable and secure connection.
HTTPS is a secure version of HTTP, where data sent between the client and server is encrypted. When hackers intercept the encrypted data, they cannot make any sense of it and cannot reverse it. HTTPS uses port 443 to negotiate the connection. Its mode of authentication is a public/private pair.
It was mainly developed for the secure transfer of data between client and server.
SSH means "Secure Shell". It is also a secured protocol, where data sent between the client and server is encrypted. SSH uses port 22 to negotiate or authenticate the connection. The remote device authentication is done by public-key cryptography. Its mode of authentication is a public/private pair, or a userid/password pair.
It was made to reduce security threats for remote server login.
How does SSH work?
In Git, one machine functions as the SSH client and another as the SSH server. SSH can be configured with a pair of keys, known as the private and public keys. The SSH server holds the public key, while the SSH client has the private key, which is saved locally on the client side. When the SSH client wants to connect to the SSH server, it presents the ID of its key pair to prove its identity. The SSH server then creates a challenge, encrypts it with the public key, and sends it back to the SSH client. You, as the client, take the challenge, decrypt the message with the client's private key, and send the original challenge back to the SSH server. Once the negotiation is completed, the connection is established and you can get to work.
In a nutshell and in layman's terms, private and public keys are generated for SSH, and the public key is stored on the git hosting service. From then on, whenever we want to do any action in git, the private key stored on the PC is matched with the public key stored on the git hosting service. If they match, you are allowed to do the action without being prompted for a username and password.
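The challenge exchange described above, played out with the openssl command-line tool as an added example (not code from the original article). It follows the encrypt-then-decrypt model of the text; current OpenSSH instead has the client sign session data with its private key, which proves possession of the key in the same way. The function names, file names and the two key pairs are constructed for the demo.

```shell
#!/bin/sh
# make_keypair DIR NAME: writes DIR/NAME.key (private) and DIR/NAME.pub (public)
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/$2.key" 2>/dev/null
    openssl pkey -in "$1/$2.key" -pubout -out "$1/$2.pub"
}

# prove_possession PUBKEY PRIVKEY: prints "accepted" or "rejected"
prove_possession() {
    pp_dir=$(mktemp -d) || return 1
    # Server: fresh random challenge, encrypted to the registered public key.
    openssl rand -hex 32 > "$pp_dir/challenge"
    openssl pkeyutl -encrypt -pubin -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -in "$pp_dir/challenge" -out "$pp_dir/challenge.enc"
    # Client: only the matching private key recovers the challenge.
    openssl pkeyutl -decrypt -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
        -in "$pp_dir/challenge.enc" -out "$pp_dir/response" 2>/dev/null \
        || : > "$pp_dir/response"     # wrong key: nothing usable to send back
    # Server: compare the response with the challenge it generated.
    if cmp -s "$pp_dir/challenge" "$pp_dir/response"; then
        pp_result=accepted
    else
        pp_result=rejected
    fi
    rm -rf "$pp_dir"
    echo "$pp_result"
}

# Demo with two constructed key pairs in a throwaway directory.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_keypair "$demo_dir" developer
make_keypair "$demo_dir" stranger
# The public key on the "server" is developer.pub in both runs.
prove_possession "$demo_dir/developer.pub" "$demo_dir/developer.key"
prove_possession "$demo_dir/developer.pub" "$demo_dir/stranger.key"
```

The private key never leaves the client in either run; only the decrypted challenge is sent back.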
Git with HTTPS and SSH:
Here, I will use the git hosting service provider GitHub for the discussion, but it works the same for GitLab or Bitbucket as well.
Git with HTTPS
Starting git with HTTPS for cloning, pulling, and pushing is much easier and can be done with much less setup.
If the links show origin https..., then you are using an HTTPS link.
fig. git clone link in action
Git with HTTPS uses password-based authentication for every action, such as git push, git clone, git fetch, and git pull. So, it is recommended to create a strong and unique password by using a password manager.
Why do people prefer the HTTPS protocol for Git?
- It is the easiest to set up on the widest range of networks and platforms, and it lets people get started in a simple and secure way.
- It does not require generating an SSH key and copying and pasting it into the git server provider.
- It is easier to access and write to repositories from anywhere; you just need your account details.
- HTTPS uses a port that is open in all firewalls, so it does not require any change to firewall settings.
The downside of Using HTTPS
- You have to enter the GitHub password every time you push. But you can set it to be stored permanently using Windows credentials on a Windows machine, so that the credential.helper will cache your password for an HTTPS link. However, if the user changes their password, they must reconfigure everything from scratch.
- If your GitHub/Bitbucket/GitLab account (username and password) is stolen, the thieves can change the account, block you from accessing all your git repositories, and even delete all your repositories.
If you have two-factor authentication (2FA) enabled, you will have to use a personal access token (PAT) instead of your regular password. If you have enabled two-factor authentication, git will prompt you for a code generated on your mobile device or sent to you as a text message after you successfully enter your username and password.
PAT-based authentication is considered to be more secure than password-based authentication. Here, we treat the PAT as a password.
- Use a strong password.
- Don't compromise your git account.
Git With SSH
Git uses the SSH protocol to securely transfer repository data over the internet. It uses public-key encryption to secure the data.
Git with SSH uses public-key encryption-based authentication for every action, such as git push, git clone, git fetch, and git pull.
If the links show origin git..., then you are using an SSH link.
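The HTTPS-link and SSH-link checks described above, applied to every remote that `git remote -v` lists, as an added example that is not from the original article. It goes a little further than the text: it also flags the unencrypted transports (plain http and plain git) and HTTPS URLs that carry a password or token inside the URL. The function names, hosts and paths are constructed.

```shell
#!/bin/sh
# classify_remote URL -> "<transport> <encrypted> <credential-in-url>"
classify_remote() {
    cr_url=$1
    cr_cred=no
    case "$cr_url" in
        https://*) cr_kind="https yes" ;;
        http://*)  cr_kind="http no" ;;      # plain text on the wire
        ssh://*)   cr_kind="ssh yes" ;;
        git://*)   cr_kind="git no" ;;       # plain git: no encryption, no login
        *://*)     cr_kind="other unknown" ;;
        *@*:*)     cr_kind="ssh yes" ;;      # scp-style, e.g. git@host:path
        *)         cr_kind="local n/a" ;;
    esac
    case "$cr_url" in
        http://*|https://*)
            # user:secret@host in the URL means a password or token is
            # stored in clear text in .git/config.
            cr_auth=${cr_url#*://}
            cr_auth=${cr_auth%%/*}
            case "$cr_auth" in *:*@*) cr_cred=yes ;; esac ;;
    esac
    echo "$cr_kind $cr_cred"
}

# audit_remotes: reads `git remote -v` output on stdin, one verdict per remote
audit_remotes() {
    while read -r ar_name ar_url ar_dir; do
        [ "$ar_dir" = "(fetch)" ] || continue
        set -- $(classify_remote "$ar_url")
        ar_note=ok
        if [ "$2" = no ]; then ar_note=unencrypted; fi
        if [ "$3" = yes ]; then ar_note=credential-in-url; fi
        echo "$ar_name $1 $ar_note"
    done
}

# Constructed sample of `git remote -v` output; hosts and paths are made up.
sample_remotes() {
    printf '%s\t%s %s\n' \
        origin https://github.com/example/app.git "(fetch)" \
        origin https://github.com/example/app.git "(push)" \
        deploy git@github.com:example/app.git "(fetch)" \
        mirror git://git.example.org/app.git "(fetch)" \
        legacy https://ci:PLACEHOLDER_TOKEN@git.example.org/app.git "(fetch)"
}

sample_remotes | audit_remotes
```

In a real repository, replace the sample with `git remote -v | audit_remotes`.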
To use SSH URLs, you must generate an SSH key pair on your computer, keep the private key yourself, and add the public key to your GitHub account.
If you use SSH URLs, then at the time of git clone, git fetch, git pull, or git push to the remote repository, it will prompt for a password, and you must just provide your SSH key passphrase.
Why do people prefer the SSH protocol for Git?
- Using the key is more secure than using a password.
- No repetitive authentication is required as with HTTPS. SSH removes the burden of authenticating on your remote server for every action (clone/push/pull) that you perform in git. This is one of the major reasons why SSH is preferred to HTTPS.
- Since you do not have a password for SSH, two-factor authentication is not required. Whoever has your private key can push to your repositories without needing a code-generating device.
- If your private key is stolen, someone can do a force push to new empty repositories and remove all change records and history for every repository you have, but they (the thieves) cannot change anything in your GitHub account. This makes it much easier to attempt to restore your GitHub account after such a hack.
- SSH seems to be more secure than HTTPS as it does not use password-based authentication.
The downside of Using SSH
- One minor drawback is that all connections require authentication, so you always need a GitHub account, even for cloning and pulling repositories, but you can store a key so that it will not ask.
- Networks and firewalls sometimes refuse to allow SSH connections at all. This irritates developers, but in most cases it does not occur. Even if a firewall refuses access to the SSH port, it is easy to configure SSH to work over the HTTPS port.
- Initial Setup is a little time-consuming.
- Use SSH with a passphrase-protected key.
Ans: HTTPS and HTTP are communication protocols and SSL helps to encrypt and secure that communication channel. TLS is the modern version of SSL.
When data is to be transferred over a communication channel using HTTPS, first an SSL session is established, then all data is bundled into secured SSL or TLS packets before sending and after receiving.