Discontinue support for weak cryptographic standards

Cryptographic standards are ever evolving. It is the canonical game of security cat and mouse, with attacks rendering older standards ill-suited, and driving the community to develop newer and stronger…

Patrick Toomey
4 min readadvanced
--
View Original

Overview

The article discusses GitHub's decision to discontinue support for outdated cryptographic standards, specifically TLSv1, TLSv1.1, diffie-hellman-group1-sha1, and diffie-hellman-group14-sha1. It emphasizes the importance of upgrading to stronger standards to enhance security and outlines the steps GitHub will take to minimize user impact.

What You'll Learn

1

How to upgrade your systems to support TLS 1.2 or higher

2

Why it is critical to discontinue weak cryptographic standards

3

How to implement diffie-hellman-group-exchange-sha256 for SSH connections

Prerequisites & Requirements

  • Understanding of cryptographic standards and their implications
  • Familiarity with SSH and TLS configurations

Key Questions Answered

What cryptographic standards is GitHub discontinuing support for?
GitHub is discontinuing support for TLSv1, TLSv1.1, diffie-hellman-group1-sha1, and diffie-hellman-group14-sha1 due to their vulnerabilities and the need for stronger security measures.
When will the deprecated cryptographic standards be disabled?
The deprecated cryptographic standards will be disabled on February 1, 2018, as part of GitHub's efforts to enhance security.
What percentage of HTTPS connections to GitHub will be affected by this change?
Approximately 95% of HTTPS connections to GitHub use TLS 1.2 and will not be affected by the deprecation of TLSv1 and TLSv1.1.
What steps is GitHub taking to minimize user impact from this change?
GitHub plans to post quarterly updates, reach out to popular projects, and update their SSH implementation to support diffie-hellman-group-exchange-sha256 to minimize user impact.

Key Statistics & Figures

Percentage of HTTPS connections using TLS 1.2
95%
This statistic highlights the majority of connections to GitHub that will remain unaffected by the deprecation.
Percentage of SSH connections compatible with contemporary algorithms
75%
This indicates that a significant majority of users will not be impacted by the removal of older SSH key exchange algorithms.
Estimated percentage of clients affected by the removal of legacy algorithms
5%
This estimate reflects the minority of clients that will need to upgrade to maintain compatibility.

Technologies & Tools

Security Protocol
TLS
Used for securing communications over the internet.
Protocol
SSH
Used for secure shell access and file transfers.

Key Actionable Insights

1
Developers should prioritize upgrading their systems to support TLS 1.2 or higher to avoid security vulnerabilities.
As older standards like TLSv1 and TLSv1.1 are phased out, ensuring compatibility with newer standards is crucial for maintaining secure connections.
2
Consider implementing diffie-hellman-group-exchange-sha256 in your SSH configurations to enhance security.
This newer algorithm is not subject to the vulnerabilities that affect older key exchange algorithms, ensuring safer communications.
3
Stay informed about cryptographic standards and their deprecation timelines to prepare for necessary upgrades.
Regularly checking updates from platforms like GitHub can help developers anticipate changes and adapt their systems accordingly.

Common Pitfalls

1
Failing to upgrade systems that rely on outdated cryptographic standards can lead to security vulnerabilities.
Many developers may overlook the importance of updating their libraries and systems, which can expose them to attacks leveraging deprecated protocols.

Related Concepts

Cryptography
Security Protocols
TLS And SSL
SSH Key Exchange Algorithms