GitHub Enforces Stronger Encryption

GitHub this week permanently disabled a series of weak cryptographic standards across its software development platform in an attempt to better protect users.

As of Feb. 22, 2018, the TLSv1/TLSv1.1 standard is no longer used on HTTPS connections to GitHub. The change affects all web, API, and git connections to https://github.com and https://api.github.com, Patrick Toomey, Application Security Engineer, GitHub, says. 

The platform also retired the diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1 encryption standards, a move that affects all SSH connections to github.com. This change follows the enabling of the diffie-hellman-group-exchange-sha256 standard on GitHub in September 2017. 

The removal of these weak cryptographic standards was initially announced last year, and GitHub has since focused on ensuring that the change won’t have a major impact on its users. At the moment, only a small fraction of traffic uses the deprecated algorithms and clients are expected to automatically transition to the new ones, but some clients are expected to be impacted. 

These include older systems that, although no longer maintained, continue to access Git/the GitHub API using the deprecated algorithms. To help mitigate this, the platform disabled support for the old algorithms for one hour on February 8, 2018. This provided a two week grace period for impacted systems to be upgraded. 

“As noted above, the vast majority of traffic should be unaffected by this change. However, there are a few remaining clients that we anticipate will be affected. Fortunately, the majority of clients can be updated to work with TLSv1.2,” Toomey notes

Impacted clients include Git Credential Manager for Windows prior to version 1.14.0, Git clients that shipped with Red Hat 5, 6, and 7 (updating to versions 6.8 and 7.2 or greater should resolve this), JDK releases prior to JDK 8, and Visual Studio (which ships with specific versions of Git for Windows and the Git Credential Manager for Windows). 

Newer versions of these programs, however, include support for TLSv1.2 and updating ensures that clients continue to work properly with GitHub even after the deprecation. 

Related: Stack Ranking SSL Vulnerabilities: The ROBOT Attack

Related: U.S. Warns of Security Issues With HTTPS Inspection Products

Original author: Ionut Arghire