Maybe It's Snake Oil All the Way Down

Ian Grigg iang at systemics.com
Tue Jun 3 11:38:50 EDT 2003


Lucky Green wrote:
> 
> Ian Grigg wrote:
> > Also, a lot of cryptosystems are put together
> > by committees.  SSH was originally put together
> > by one guy.  He did the lot.  Allegedly, a fairly
> > grotty protocol with a number of weaknesses, but
> > it was there and up and running.  And SSH-2 is
> > apparently nice, elegant and easy to understand,
> > now that it has been fixed up.
> 
> ssh2 is in essence a re-invention of what SSL did without having to use
> X.509 keys. This reinvention was, IMHO, largely the result of the
> limitations of the ssh1 design.

OK.  Learning more every day :-)

> > (SSH is the only really successful net crypto
> > system, IMHO, in that it actually went into its
> > market and made a mark.  It's the only cryptosystem
> > that is as easy to use as its non-crypto competitor,
> > telnet.  It's the only one where people switch and
> > never return.)
> 
> I trust that we can agree that the volume of traffic and number of
> transactions protected by SSL are orders of magnitude higher than those
> protected by SSH. As is the number of users of SSL. The overwhelming
> majority of which wouldn't know ssh from telnet. Nor would they know
> what to do at a shell prompt and therefore have no use for either ssh or
> telnet.

Indeed!  Although I trust that we can also look at many
different ways of measuring success.

In order to *compare* success, like for like, we have
to start with an understanding of the marketplace for
each system, and assume that the marketplace for each
application is its universe.

I (arbitrarily) define the marketplace for SSL as
browsing.  (I.e., HTTP, as used between a browser
and a webserver.  The SSL protected part might be
referred to as HTTPS.  This of course ignores all
the other users of the protocol.)

There, we can show statistics that indicate that SSL
has penetrated to something slightly less than 1% of
servers.  It would of course be interesting to see
what the bandwidth figures are like, for example,
but I wouldn't be surprised if they are also less
than 1% (think about all those yahoo monsters that
overflow your POTS).

The fact that a user of SSL is neither aware nor
capable of being protected by SSH is irrelevant;
nor is a sysadmin concerned, in his job, with
protecting his work with SSL.

(Actually that's not true;  there was an SSL terminal
system for a while, as an adjunct to SSLeay, but
that is a dead or dying protocol, rapidly replaced
by SSH whenever the two entered competition.  Which
is a good thing, the SSL terminal was a nightmare
to get going, due to its insistence on hand-crafting
certificates.)

> Given that SSL use is orders of magnitude higher than that of SSH, with
> no change in sight, primarily due to SSL's ease-of-use, I am a bit
> puzzled by your assertion that ssh, not SSL, is the "only really
> successful net crypto system".

SSL's 1% penetration into the browsing market doesn't
strike me as successful.

If I were "selling SSL" as a business, I'd be looking
at the other 99% and wondering why it's just sitting
there, not being sold.  As there are big expensive
companies doing just that, I guess they have tried.

Have a look at the penetration reports on
http://www.securityspace.com/

On the other hand, SSH, as a cryptosystem, as an
application (think: replacement for telnet, not as
competitor to the SSL protocol) penetrates its market
very well.  I have no more than anecdotal evidence
for that, but any sysadmin knows that once they
started using SSH, they would never go back to the
alternative unless forced, kicking and screaming.

It would be very interesting to find out what SSH
v. telnet traffic looks like.

That's what I mean by success.  Within its market
place, SSH rules.

-- 
iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com