Father of SSH Says Security Is 'Getting Worse'

alphadogg writes with an excerpt from an interview with the designer of SSH-1: "Tatu Ylönen has garnered fame in technology circles as the inventor of Secure Shell (SSH), the widely used protocol to protect data communications. The CEO of SSH Communications Security — whose crypto-based technology invented in 1995 continues to be used in hundreds of millions of computers, routers and servers — recently spoke with Network World on a variety of security topics, including the disappearance of consumer privacy and the plight of SSL. (At the Black Hat Conference this week, his company is also announcing CryptoAuditor.)"

People don't understand what security is.

[gurps_npc]

Let's start with a basic, real world example.

I have a home. On this home there is a lock.

Now, an ignorant fool might think the lock is there to keep other people out. Nope, they are wrong. You see, in addition to my lock, I have windows, doors, a roof and floors, and walls. None of them are made of unobatanium.

An intelligent 5 year old child, with no training whatsoever can break my window and climb into my house.

My lock is there fore two distinct purposes:

1. It tells the world that this place is private - that the owner does not want anyone to enter it and will try to punish those that violate it's privacy. It's a sign.

2. It lets me get into my house easily, while making it much more difficult for anyone else to get in without leaving clear and obvious signs that they have trespassed (i.e. a broken window.)

That's what the locks on my home do - notify the world of my privacy and create traceable evidence of a violation of that privacy.

We need to start using IT security for the same purpose. Among other things, that means that when you log on to any website, it should list the last time you logged, and from where (using either an IP address and/or a cookie to identify the device used).

I don't want, nor do I need, an unbreakable password. I want to know when I've had a trespasser.

Re:People don't understand what security is.

[Vellmont]

The problem with your analogy is that your house doesn't need to be super-dupe-secure because nobody has invented anonymous, instantly replicable robots that roam the countryside looking for open windows, and equipped with high speed glass cutters, valuable item detectors, and phone-home capabilities to alert a human when further action is warranted. This is routing on the internet.

This is the threat to you email address or bank account has to deal with. In your home you merely have to deal with the people around you who might rob you, and the occasional opportunistic criminal. On the internet, everyone is basically the same distance from everyone else, automation is cheap, and anonymity is common. Think that might lead to the need for more security than easily breakable glass windows? If all my shit is gone from my house, but my window is broken, I'm still not terribly happy that the thief was kind enough to let me know through the broken window.

Re:ssh

[QuantumRiff]

There is nothing wrong with SSL.. it works well to encrypt traffic between sites. its the way we manage the certificates that is ugly, and prone to lots of attacks and hacks. (How many Root CA's are automatically trusted by a browser?)

Just using DNSSEC to store the public keys for SSL would be a huge step up. No more trusting a company in the netherlands that signed your key for gmail.com. Just look it up in DNS. (yes, people could I guess hijack DNS), but that should be detected pretty quickly by comparing the keys between different computers in different regions.

Most people just want to encrypt the traffic between themselves and www.$x.com, and that the server that claims to be www.$x.com is the same one in DNS. I could really care less that www.$x.com is actually the company residing at a verified address, with letterhead, etc. Basically, domain validated certificates (which are pretty common for SSL now) shouldn't use a CA anymore.

Re:ssh

[vlm]

Most people just want to encrypt the traffic between themselves and www.$x.com, and that the server that claims to be www.$x.com is the same one in DNS. I could really care less that www.$x.com is actually the company residing at a verified address, with letterhead, etc.

Well, somebody's outed as not being able to answer "What a man in the middle attack?"

Re:it's because people don't value it.

[Vellmont]

Don't worry. Eventually there will be a huge FB breach of privacy story where FB starts selling all your info to the highest bidder. People will be outraged, FB will try to spin it into a non-story. Then another one will happen. Eventually people will over-react and FB will become the new Microsoft, with large amounts of people openly hating them. But unlike Microsoft the don't really have any powerful monopoly on anything where people can't just use something else. Eventually it'll suddenly become cool to NOT have a FB account, and people will turn to some other form of socialization online.

Re:it's because people don't value it.

[NatasRevol]

The names will change.

I doubt the security level will.