Tatu Ylönen (Lic.Sc.), the inventor of the Secure Shell (SSH) protocol, participated in an interactive Q&A session at WHD.global before granting an exclusive interview to WebHosting.info, in which he explained how information security and privacy issues led to his invention.
Today, 20 years after its invention, the SSH protocol is the de facto standard for secure system administration and for file transfer of confidential information. The SSH protocol is used daily on millions of networked computers and other devices.
Tatu, how and why did you begin developing the SSH protocol?
Back in 1995, I was a database researcher working on information retrieval. There was a hacking incident at a Finnish university. A password sniffer was sitting on the university backbone. When so many usernames and passwords were exposed, I thought, “What can I do to make this communication safer?” I knew nothing of cryptography at the time, but through thorough research I published the first version of the SSH protocol as open source three months later. By the end of the year, I was getting hundreds of emails asking about it.
So was security the only motivation?
I didn’t create it just for security. There was a debate at the time about cryptography. The US government wanted to listen in on all communications with their “clipper chip”. I felt that it wasn’t just about spying, it was a type of information or “cyber warfare”. If you can read all usernames and passwords, you can break into any system. It also gave power to shut down the systems of other countries and could have been a powerful weapon.
The concept of certain parties being given free access to secure systems: I didn’t think that was a safe world, and I wanted to make the world safer.
Was it hard to do? Did you have any help?
Any competent programmer can write a cryptographic program within a few months, which is why I feel it cannot be a closed environment. Critical systems across all spectrums of society use SSH. From education, health care and power grids to government and military systems: I like to say that SSH keeps the world running.
Do you fear that since it has become so crucial that it might be dangerous if it’s compromised?
I will admit that the first SSH wasn’t the best. I did not fully understand every aspect of cryptography then. It was usable but there were some potential problems that kept me up at night! That’s why we released SSH2 which is pretty good and hasn’t been broken by any civilian bodies. Even the military uses it so it must be pretty good.
What are the problems that you perceive in the way people go about building their systems?
SSH uses cryptographic keys, with a public key and a private key. We’ve done audits with several organizations. We’ve found anywhere from seven hundred and fifty thousand to four million keys. That’s incredible. In one of our audits, 90% of SSH keys were never used. They were access credentials that had not been properly terminated. And this was in one of the most active IT companies in the world, in a large IT environment.
There needs to be proper auditing of this process in order to ensure it is secure. In one of the cases, we found an employee in a health care service who left a company 10 years ago and when he came back, the key still worked!
Think of 3 million keys on 15,000 servers. Assume you break into one server somehow – through some malware or a rogue sys-admin – the keys on that server will allow you to initiate attacks on multiple other servers.
What advice do you have for web hosts to secure their business? Especially SMBs who haven’t had a lot of time to devote to security.
Ultimately the problems are not with SSH keys but with the management of them, and therefore that needs to be tightened.
While auditing and helping one particular company over four years, we developed a product that solves this. We do things like monitor the environment through syslogs to identify keys that are no longer used, identifying 90% of unused keys. We have a product called the Universal SSH Key Manager that can help get visibility into SSH keys and establish a process for managing them. Especially for medium-sized companies, just controlling access to the environment by third parties is important.
Are there any other things that you would recommend they do in order to have a more secure system?
Basically, you can control SSH keys by hand in a small environment. You can do an inventory and manually delete extra keys. But I think it’s important to see that they grant access – same as usernames and passwords – and need to consider identity and access management for their systems.
Let’s delve into the past a little. A few years ago, when Heartbleed came out, you were quite critical about SSL and had some concerns about the security environment. How have your thoughts changed in the last few years?
I am actually somewhat optimistic! Though I still believe security has to be engineered into systems. I am somewhat skeptical about anti-virus or intrusion-detection systems. My beliefs lie in building systems that are secure from the beginning. That means programming languages that are secure and other tools that are designed to be robust.
Who do you believe should be taking the lead in creating more secure systems?
Part of it has to be the Open Source community but there’s so much commercial software out there that it basically affects every vendor. Companies must push both the Open Source community and commercial software makers to provide them with secure software.
I think it’s also something the governments can push through to give incentives to companies to make sure that systems are secure. I think in many cases, especially with bigger companies, the problems can be systemic and critical for the functioning of the society.
Speaking about the role of the government, one of the things that everyone has been talking about lately is the US Govt’s request to Apple for backdoor access. Do you consider that a worry to the future of secure systems?
I wouldn’t sign off on building backdoors into systems. I think it’s dangerous. We are still paying the price for what they did 20 years ago. There have been two major vulnerabilities in SSL that relate to the export-grade encryption that was forced into SSL by the US government in the mid-90s.
The way I see it, the bad guys can get their own unbreakable encryption anyway. This is only about monitoring ordinary people, business and competing countries. If you look at an information society, where does the competitive advantage come from? It comes from proprietary customer information, trade secrets, confidential process, all of which will have monetary value.
You had said that even in your wildest dreams you did not expect SSH to be as widely used as it is. What do you see as the future, given that SSH2 has been around for 15 years already?
I think the use of SSH will continue for a long time. There’s nothing in sight that can replace it. I think there are going to be improvements down the road in things like how to authenticate hosts in a better way in large environments, so eventually there will be an SSH3. The IETF (Internet Engineering Task Force), the standards body, is currently looking into what algorithms should be supported and so on.
Are you involved in that?
I am following the work.
On a lighter note, I read about how it’s possible to SSH into a coffee machine. What is the most interesting thing you have ever SSH’ed into?
I have SSH’ed into a phone. I know some people SSH into harbour cranes! (laughs)
I was once on an airplane with my son and there was some malfunction in the entertainment system and it was rebooting all the time. And one of the lines on the screen was SSH!
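The interview above describes the key-management problem in outline: inventory the keys in authorized_keys files, correlate them against successful logins in the sshd syslog, and remove the keys that are never used. The script below is an added example written for this page; it is not code from the interview, from Tatu Ylönen, or from the Universal SSH Key Manager product. It computes OpenSSH-style SHA256 fingerprints from authorized_keys entries (handling an options prefix such as from="..."), parses the "Accepted publickey ... SHA256:..." lines that OpenSSH writes at its default LogLevel INFO, and reports every authorized key that never appears in a login. All key material and log lines are constructed inline for the example; the ed25519 "public keys" are byte patterns, not real keys.

```python
import base64
import hashlib
import re
import struct

# Matches one authorized_keys entry. An options prefix such as from="10.0.0.0/8",no-pty
# may precede the key type, so we anchor on the key type rather than on column one.
KEY_RE = re.compile(
    r'(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d{3}|sk-\S+@openssh\.com)\s+'
    r'(?P<b64>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$'
)

# Matches the syslog line OpenSSH emits for a successful public-key login
# (OpenSSH 6.8 and later print the SHA256 fingerprint of the key that was used).
LOGIN_RE = re.compile(
    r'Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: '
    r'(?P<alg>\S+) (?P<fp>SHA256:[A-Za-z0-9+/]+)'
)


def to_b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(raw key blob)) with '='
    padding stripped, i.e. the string ssh-keygen -lf prints and sshd logs."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + to_b64(digest).rstrip("=")


def parse_authorized_keys(text: str):
    """Return [(fingerprint, key_type, comment)] for every key entry; blank and '#' lines are skipped."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            continue  # malformed entry; a real audit should flag it rather than drop it silently
        keys.append((fingerprint(m.group("b64")), m.group("type"), m.group("comment") or ""))
    return keys


def index_logins(log_lines):
    """Map fingerprint -> [(user, source_ip)] for every successful public-key login in the log."""
    seen = {}
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if m:
            seen.setdefault(m.group("fp"), []).append((m.group("user"), m.group("src")))
    return seen


def unused_keys(authorized_keys_text: str, log_lines):
    """Authorized keys whose fingerprint never appears in a successful login within the log window."""
    logins = index_logins(log_lines)
    return [k for k in parse_authorized_keys(authorized_keys_text) if k[0] not in logins]


# ---- constructed sample data (hypothetical; not from the interview or any real host) ----

def ed25519_blob(pubkey: bytes) -> bytes:
    """Wire-format ssh-ed25519 public key blob: length-prefixed name, then the 32-byte key."""
    name = b"ssh-ed25519"
    return struct.pack(">I", len(name)) + name + struct.pack(">I", len(pubkey)) + pubkey


# Three hypothetical keys; the 32-byte "public keys" are just byte patterns, not real key material.
SAMPLE_KEYS = {
    "deploy@ci": ed25519_blob(bytes(range(0, 32))),
    "alice@laptop": ed25519_blob(bytes(range(32, 64))),
    "contractor-2009": ed25519_blob(bytes(range(64, 96))),
}

AUTHORIZED_KEYS = "\n".join([
    "# constructed ~deploy/.ssh/authorized_keys for the example",
    f'from="10.0.0.0/8",no-pty ssh-ed25519 {to_b64(SAMPLE_KEYS["deploy@ci"])} deploy@ci',
    f'ssh-ed25519 {to_b64(SAMPLE_KEYS["alice@laptop"])} alice@laptop',
    f'ssh-ed25519 {to_b64(SAMPLE_KEYS["contractor-2009"])} contractor-2009',
])

# Constructed sshd syslog lines in the format OpenSSH emits at the default LogLevel INFO.
SAMPLE_LOG = [
    "Mar 12 10:15:01 web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: "
    f"ED25519 {fingerprint(to_b64(SAMPLE_KEYS['deploy@ci']))}",
    "Mar 12 10:16:44 web01 sshd[1250]: Accepted publickey for deploy from 10.0.0.7 port 40021 ssh2: "
    f"ED25519 {fingerprint(to_b64(SAMPLE_KEYS['alice@laptop']))}",
    "Mar 12 10:17:02 web01 sshd[1260]: Failed password for invalid user admin from 203.0.113.7 port 33012 ssh2",
]

if __name__ == "__main__":
    for fp, ktype, comment in unused_keys(AUTHORIZED_KEYS, SAMPLE_LOG):
        print(f"never used in log window: {ktype} {fp} ({comment})")
```

Two caveats a practitioner should keep in mind before deleting what this reports. "Unused" only means "not seen in the log window you fed it", so the window must be at least as long as the longest legitimate gap between uses (quarterly batch jobs, disaster-recovery paths), and logs must actually have been shipped from every host. A key that is never used is still a live credential, which is exactly the interview's point about the ten-year-old key that still worked; the inventory step alone, before any deletion, already tells you who can reach a host.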