Git Auth: HTTPS vs SSH

I hold the opinion that you can treat how a developer connects to their git repositories as a litmus test for other aspects of how they do things.

To “steel man” the usage of HTTPS: the obvious reason is that it’s easier to get started. People are familiar with username/password authentication and it translates directly here. The other big reason is port blocking on corporate networks. Port availability may not be within your control, and that could cause a headache.

I am going to assume a few things.
1. You are a developer
2. You aren’t oppressed by overly zealous corporate network security policies
3. You aren’t afraid of the command line

If those things are true, you may agree with me. Although SSH is a tiny bit more effort to set up, it has many advantages over authenticating with HTTPS. The biggest – the show stopper – reason is that the HTTPS credentials unlock your entire account. If they are compromised in any way, you are left completely with your pants down. Every time you communicate over the internet while developing, whether it be to fetch, pull, push, or anything else, you are risking exposure of those credentials. A compromised SSH key only provides access to the repositories. It can be revoked and a new one created. Do you have a credit card attached to your GitHub account? Why would you risk the keys to your kingdom multiple times a day?

Once you have your SSH keys set up, it’s far easier to use and manage. There’s nothing to remember (unless you put a password on your key – even better security!). Once you are comfortable creating and managing keys, their applications extend far beyond git repos. They immediately lend themselves to server management and devops tasks.

The real reason GitHub recommends HTTPS over SSH is that it’s easier to support the lowest common denominator user. That’s not where I want to place myself. Do you?

So what can you assume when you encounter a developer that uses HTTPS authentication?

Pros
– They read documentation. GitHub does recommend HTTPS in its setup guide.

Cons
– They are probably on Windows
– They don’t use the terminal very often
– They don’t do much server administration

While none of this speaks directly to the intelligence or capabilities of the developer, it does say things about experience and how deep they are down the tech rabbit hole. It also telegraphs the kind of experience you will have developing with them.

As a developer, I recommend switching to SSH authentication for your git repositories. You’ll learn a few things worth knowing, you’ll be more secure, and you’ll ascend beyond the mass market instruction set on network communication setup.
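
For anyone making that switch, here is an added example (not part of the original post) that rewrites a clone’s HTTPS remotes to their SSH form. The function names `https_to_ssh` and `convert_remotes` are hypothetical, and it assumes the host serves git over SSH as user `git` and that your public key is already registered with your account.

```shell
#!/bin/sh
# One-time setup, done before switching (commands shown for reference only):
#   ssh-keygen -t ed25519 -C "laptop"   # then add the .pub file to your account
#   ssh -T git@github.com               # confirms the host accepts the key

# https_to_ssh URL
# Prints the scp-style SSH form of an HTTPS remote; returns 1 for anything else.
# Assumption: the host serves git over SSH as user "git".
https_to_ssh() {
    case "$1" in
        https://*) ;;
        *) return 1 ;;
    esac
    rest=${1#https://}
    hostpart=${rest%%/*}                 # [user[:secret]@]host[:port]
    repo_path=${rest#*/}                 # owner/repo.git
    [ "$hostpart" != "$rest" ] || return 1   # URL had no path at all
    host=${hostpart##*@}                 # drop any embedded credentials
    host=${host%%:*}                     # drop the HTTPS port
    [ -n "$host" ] && [ -n "$repo_path" ] || return 1
    printf 'git@%s:%s\n' "$host" "$repo_path"
}

# convert_remotes [DIR]
# Rewrites every HTTPS remote of the repository at DIR (default: current dir).
# Only the new URL is printed, so a secret embedded in the old one is not echoed.
convert_remotes() {
    dir=${1:-.}
    for name in $(git -C "$dir" remote); do
        url=$(git -C "$dir" remote get-url "$name")
        if new=$(https_to_ssh "$url"); then
            git -C "$dir" remote set-url "$name" "$new"
            printf '%s -> %s\n' "$name" "$new"
        fi
    done
}

# Constructed sample input, to show the transformation without touching a repo.
https_to_ssh "https://github.com/octo/demo.git"   # git@github.com:octo/demo.git
```

Run `convert_remotes` inside a clone, then `git fetch` to confirm the key is accepted before removing any stored HTTPS credentials.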
