GitHub introduces hybrid post-quantum SSH security to better protect Git data in transit
GitHub is deploying a new hybrid post-quantum secure SSH key exchange algorithm to enhance the security of accessing Git data. This update is aimed at strengthening user protection when connecting over SSH.
The algorithm combines Streamlined NTRU Prime, a post-quantum-secure protocol, with the classical elliptic curve Diffie-Hellman method using the X25519 curve. While post-quantum algorithms have undergone less scrutiny than established methods, this hybrid approach ensures that the overall security level is never weaker than the classical algorithm alone. As a result, SSH connections on GitHub are now protected against potential decryption by both current and future quantum computers.
While these changes bring forward enhanced protection for SSH users, they do not impact those accessing repositories over HTTPS. The new cryptographic measures also exclude GitHub Enterprise Cloud customers whose data resides in the United States, since only FIPS-approved cryptography is permitted in that region and the post-quantum method has not received FIPS approval.
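To check which key exchange a given client actually negotiated, the following added example (not GitHub's code) classifies `ssh -v` debug output as hybrid post-quantum, classical, or unknown. The algorithm identifiers are OpenSSH's names for the Streamlined NTRU Prime + X25519 hybrid and do not appear on this page; the session names and log lines are constructed.

```python
import re

# OpenSSH identifiers for the Streamlined NTRU Prime + X25519 hybrid.
# Assumption: the page does not name the algorithm; these are OpenSSH's names.
HYBRID_PQ_KEX = {
    "sntrup761x25519-sha512",
    "sntrup761x25519-sha512@openssh.com",
}

# `ssh -v` reports the negotiated key exchange on stderr in this form.
KEX_LINE = re.compile(r"^debug1: kex: algorithm: (\S+)\s*$", re.MULTILINE)


def negotiated_kex(verbose_log):
    """Return the KEX algorithm named in `ssh -v` output, or None."""
    match = KEX_LINE.search(verbose_log)
    return match.group(1) if match else None


def classify(verbose_log):
    """Label a session 'hybrid-pq', 'classical' or 'unknown'."""
    kex = negotiated_kex(verbose_log)
    if kex is None:
        return "unknown"  # connection ended before key exchange
    return "hybrid-pq" if kex in HYBRID_PQ_KEX else "classical"


def audit(logs):
    """Map each label to the sorted session names that received it."""
    report = {"hybrid-pq": [], "classical": [], "unknown": []}
    for name in sorted(logs):
        report[classify(logs[name])].append(name)
    return report


# Constructed sample logs (not captured from a real session).
SAMPLE_LOGS = {
    "new-client": "debug1: SSH2_MSG_KEXINIT sent\n"
                  "debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com\n"
                  "debug1: kex: host key algorithm: ssh-ed25519\n",
    "old-client": "debug1: SSH2_MSG_KEXINIT sent\n"
                  "debug1: kex: algorithm: curve25519-sha256\n"
                  "debug1: kex: host key algorithm: ssh-ed25519\n",
    "timeout": "debug1: Connecting to host.example port 22.\n"
               "ssh: connect to host host.example port 22: Connection timed out\n",
}

if __name__ == "__main__":
    for label, names in audit(SAMPLE_LOGS).items():
        print(f"{label}: {', '.join(names) or '-'}")
```

A "classical" result means the session was protected by an elliptic-curve exchange only, so it is the case to follow up on when auditing clients.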