Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
A comparison of protocols offered by GitHub (for #git on Freenode).

Primary differences between SSH and HTTPS. This post is specifically about accessing Git repositories on GitHub.

Protocols to choose from when cloning:

plain Git, aka git://

  • Does not add security beyond what Git itself provides. The server is not verified.

    If you clone a repository over git://, you should check if the latest commit's hash is correct.

  • You cannot push over it. (But see "Mixing protocols" below.)

HTTPS, aka

  • HTTPS will always verify the server automatically, using certificate authorities.

  • (On the other hand, in the past years several certificate authorities have been broken into, and many people consider them not secure enough. Also, some important HTTPS security enhancements are only available in web browsers, but not in Git.)

  • Uses password authentication for pushing, and still allows anonymous pull.

  • Downside: You have to enter your GitHub password every time you push. Git can remember passwords for a few minutes, but you need to be careful when storing the password permanently – since it can be used to change anything in your GitHub account.

  • If you have two-factor authentication enabled, you will have to use a personal access token instead of your regular password.

  • HTTPS works practically everywhere, even in places which block SSH and plain-Git protocols. In some cases, it can even be a little faster than SSH, especially over high-latency connections.

HTTP, aka

  • Doesn't work with GitHub anymore, but is offered by some other Git hosts.

  • Works practically everywhere, like HTTPS.

  • But does not provide any security – the connection is plain-text.

SSH, aka or ssh://

  • Uses public-key authentication. You have to generate a keypair (or "public key"), then add it to your GitHub account.

  • Using keys is more secure than passwords, since you can add many to the same account (for example, a key for every computer you use GitHub from). The private keys on your computer can be protected with passphrases.

  • On the other hand, since you do not use the password, GitHub does not require two-factor auth codes either – so whoever obtains your private key can push to your repositories without needing the code generator device.

  • However, the keys only allow pushing/pulling, but not editing account details. If you lose the private key (or if it gets stolen), you can just remove it from your GitHub account.

  • A minor downside is that authentication is needed for all connections, so you always need a GitHub account – even to pull or clone.

  • You also need to carefully verify the server's fingerprint when connecting for the first time. Many people skip that and just type "yes", which is insecure.

  • (Note: This description is about GitHub. On personal servers, SSH can use passwords, anonymous access, or various other mechanisms.)

Mixing protocols


You can clone everything over git://, but tell Git to push over HTTPS.

[url ""]
    pushInsteadOf = git://

Likewise, if you want to clone over git:// or HTTPS, but push over SSH:

[url ""]
    pushInsteadOf = git://
    pushInsteadOf =

These go to your git config file – sometimes ~/.config/git/config, or ~/.gitconfig, or just run git config --edit --global.


You can also set different pull and push URLs for every remote separately, by changing in the repository's own .git/config:

[remote "origin"]
    url = git://
    pushUrl = ssh://sine/pub/git/rwho.git

Linked from gitinfo

Copy link

NikolausDemmel commented Mar 7, 2014

Hi, very interesting summary. I just stumbled across this.

You write that https can be faster than ssh. Do you have any source for this?

According to a description of the protocols used by git, I would assume that https is slower than ssh, or is https on github not the 'dumb' protocol described here [1]?


Copy link

grawity commented Mar 28, 2014

@NikolausDemmel: The data transfer is equally fast for both. It's the handshake (the connection setup) that is faster on high-latency networks. SSL / TLS has had many optimizations due to its usage for HTTPS – browsers create new connections often, so the handshake needs only 1-3 roundtrips, if I remember correctly.

Meanwhile, SSH connections usually last longer and are created less often, so the SSHv2 handshake has quite a few exchanges (I think I counted 5-6 once) until a data channel is finally opened.

Copy link

NikolausDemmel commented Apr 3, 2014

@grawity: Thanks for the update. Do you know how the https variant fits in the following discussion of different protocols used by git?

Copy link

kaitokidi commented Jan 28, 2015

interesting, thank you :)

Copy link

ghost commented Apr 17, 2016

Very interesting! On GitHub's setup tutorial, they say that you can choose between HTTPS or SSH, and that HTTPS is recommended, but no explanation as to why. This explanation should be added to that guide!

Copy link

Red-Eyed commented Apr 16, 2018

Thank you for the information!
I found that git:// works at least in 2X faster than https:// if you clone from the

Copy link

ldoron commented May 8, 2020

The page you link to about Git remembering passwords for HTTPS no longer has that info. It looks like GitHub moved it to

Copy link

prakash6654 commented Aug 19, 2021

Thank you for the information.
I was also looking for Personal Access Token based authentication.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment