[Cryptography] Why aren’t we using SSH for everything?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Jan 4 01:44:15 EST 2015

Jerry Leichter <leichter at lrw.com> writes:

>In terms of programming interface, IPSEC is what you would design if you had
>a blank piece of paper and the goal of allowing any network-enabled program to
>work completely transparently.  This is how we generally add new functionality
>while retaining old code.

Unfortunately in terms of the protocol itself, IPsec is what you would design
if you had a palletload of paper, a standing committee of representatives from
multiple competing vendors, and about a decade of time you didn't want back.

More seriously, totally transparent security is a liability, not a feature,
since it's indistinguishable from security that's not present.  Arguably, the
mass failures of SSL/TLS in Android and iOS that researchers have reported on
in the last year or so have been due to attempts to make SSL/TLS fully
transparent: "Just gimme a secure link and don't bother me with details" (c.f.
"Shut up and take my money").

>But for whatever reason, SSH has continued to exist as a standalone program
>rather than a library, which makes configuration more complex for the
>unsophisticated user.

It's actually very, very difficult to turn SSH into a library.  Take for
example SFTP, which pretends to be a protocol but is actually an RPC mechanism
for the Posix filesystem API.  Do you know just how *hard* it is to turn that
into a library?  If you're the client and all you want to do is "put file" and
"get file" it's easy enough (for some values of "easy", consider what happens
when one side talks NTFS and the other ext3), but if you're the server you
have to be able to process arbitrarily complex operations, and sequences of
operations, from the client.  The SFTP spec is in fact so complex that most
implementations are still several versions behind the most recent unfinished-
draft version, and there's no sign that they'll ever be updated.

Having implemented quite a number of security protocols over the years (except
for IPsec, I'm not that crazy), SSH is by far the most complex and awkward to
do.  Even the baroque monstrosities dreamed up by PKIX aren't as complex as
SSH is.

The reason why SSH (as OpenSSH) is primarily a standalone app with a million
options and extensive fallback to user intervention is because the protocol is
so complex that you can't really do it any other way.  Many years ago I wrote
up a proposal called SimpleSSH that profiles SSH to do about 99% of what about
99% of users want (secure telnet, get file, put file), which removed... not
sure, maybe 75% of all of the complexity with no loss in functionality for
most users (and resulted in a considerable increase in security, it's still
way too easy to crash SSH servers by sending completely valid but unexpected
options, my code has all sorts of checks for various vendors' gear to make
sure it doesn't send something that'll hang or reboot it).  I never published
the SimpleSSH proposal because I couldn't see it getting much support...


More information about the cryptography mailing list