by palata
1345 days ago
My guess would be that HTTPS checks the certificate, but SSH does not (does it?). First time you connect to a server with SSH, you have to accept a fingerprint. And once in a while it complains for some reason, and the typical move is to erase the file that stores those fingerprints, right? Well, this is not the right way to do it (vulnerable to MITM), but that's how I see most people use it. Your hardware key mostly ensures that nobody steals your private key, but it cannot magically authenticate the remote server (which is what you need against MITM).
Yes, that's vulnerable to MITM, but with a caveat: that MITM could impersonate github to your machine, but it could not impersonate your machine to github. That is, it could present modified data to your git client, but it would have no access to your github account. With HTTPS without client certificates, once someone successfully impersonates github to your git client, they have the same access to github that your git client has. (HTTPS with client certificates would be as secure as using SSH keys, since the MITM could not impersonate the client to the github server.)
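As an added illustration of the host-key check both comments are discussing (this is example code written for this page, not code from either commenter, OpenSSH, or GitHub): the script below parses plain `known_hosts` lines, computes the `SHA256:` fingerprint the way `ssh-keygen -l` prints it (base64 of the SHA-256 digest with padding stripped), and classifies a key offered by a server as a match, a trust-on-first-use new host, or a mismatch. The key blobs, host names and the `known_hosts` file are constructed test data; the optional `pinned` set stands in for fingerprints an operator publishes out of band, which is the step that removes the blind first-connection trust. The last case shows why wiping the file is the wrong fix: it turns a key mismatch into a silent "new host" prompt.

```python
"""Minimal OpenSSH-style host-key check (added example, not from the thread)."""
import base64
import hashlib

MATCH, NEW_HOST, MISMATCH = "match", "new-host", "MISMATCH"


def fingerprint_sha256(key_blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    raw = base64.b64decode(key_blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (host, key_type) -> base64 key blob for plain known_hosts lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("|1|"):
            continue  # hashed (HashKnownHosts) lines are not handled here
        for host in parts[0].split(","):  # one line may list several aliases
            entries[(host, parts[1])] = parts[2]
    return entries


def check_host_key(host, key_type, presented_blob, known_hosts_text, pinned=None):
    """Classify the key a server offers.

    pinned: optional set of fingerprints obtained out of band (assumed to be
    published by the operator). When given, an unknown host is accepted only
    if its fingerprint is in that set instead of being trusted on first use.
    """
    known = parse_known_hosts(known_hosts_text)
    fp = fingerprint_sha256(presented_blob)
    stored = known.get((host, key_type))
    if stored is None:
        if pinned is not None:
            return MATCH if fp in pinned else MISMATCH
        return NEW_HOST  # trust-on-first-use: the user is asked to accept
    return MATCH if stored == presented_blob else MISMATCH  # changed key


def _ed25519_blob(seed: bytes) -> str:
    """Constructed test data: a syntactically valid ssh-ed25519 blob whose
    32 key bytes are just a hash of the seed, not a real key."""
    pub = hashlib.sha256(seed).digest()
    blob = (len(b"ssh-ed25519").to_bytes(4, "big") + b"ssh-ed25519"
            + len(pub).to_bytes(4, "big") + pub)
    return base64.b64encode(blob).decode()


GENUINE_KEY = _ed25519_blob(b"genuine server key (constructed)")
ROGUE_KEY = _ed25519_blob(b"key presented by an interposer (constructed)")

# Constructed known_hosts with one previously accepted host (and an alias).
KNOWN_HOSTS = f"""# constructed known_hosts
git.example.com,203.0.113.10 ssh-ed25519 {GENUINE_KEY}
"""


def demo() -> dict:
    """Run the scenarios the thread talks about and return their outcomes."""
    pins = {fingerprint_sha256(GENUINE_KEY)}
    return {
        "first contact, no pin": check_host_key("new.example.com", "ssh-ed25519", GENUINE_KEY, KNOWN_HOSTS),
        "first contact, pinned": check_host_key("new.example.com", "ssh-ed25519", GENUINE_KEY, KNOWN_HOSTS, pins),
        "known host, same key": check_host_key("git.example.com", "ssh-ed25519", GENUINE_KEY, KNOWN_HOSTS),
        "known host, different key": check_host_key("git.example.com", "ssh-ed25519", ROGUE_KEY, KNOWN_HOSTS),
        "known host, wiped file": check_host_key("git.example.com", "ssh-ed25519", ROGUE_KEY, ""),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:28s} -> {outcome}")
```

The "known host, different key" case is the warning SSH prints when a stored key no longer matches; "known host, wiped file" is what happens after deleting `known_hosts`: the same rogue key now comes back as an ordinary new-host prompt, which most users accept. Comparing the displayed fingerprint against a pinned, out-of-band value is what actually authenticates the server.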