Slave to the algorithm: GitHub removes legacy cryptographic standards
TLSv1 and two deprecated SSH key exchanges have been consigned to the git graveyard.
GitHub, the popular web-based git repository, has permanently removed support for three deprecated cryptographic algorithms – a move the site’s owners say will help better protect users.
In a blog post on Friday, Patrick Toomey, GitHub application security engineer, said the platform has now permanently removed support for TLSv1/TLSv.1.1, diffie-hellman-group1-sha1, and diffie-hellman-group14-sha1.
“While there have been workarounds for some of these attacks, they demonstrated that several cryptographic standards in wide deployment are showing their age and should be retired,” said Toomey.
According to GitHub, 95% of HTTPS connections made to github.com and api.github.com already use TLSv1.2 and will not be affected by the deprecation of its predecessor.
With this in mind, the platform has recently been focusing on the impact of disabling the diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1 key exchanges for SSH.
GitHub enabled the widely supported diffie-hellman-group-exchange-sha256 in September. This, it says, has allowed most legacy clients to seamlessly transition away from the older key exchanges.
“Cryptographic standards are ever evolving,” said Toomey. “It is the canonical game of security cat and mouse, with attacks rendering older standards ill-suited, and driving the community to develop newer and stronger standards to take their place.”