On Tuesday, Jun 3, 2003, at 01:13 US/Eastern, Lucky Green wrote:
Given that SSL use is orders of magnitude higher than that of SSH, with no change in sight, primarily due to SSL's ease-of-use, I am a bit puzzled by your assertion that ssh, not SSL, is the "only really successful net crypto system".
(I noticed that SSL and HTTPS are sometimes used interchangeably in this thread and sometimes not (i.e. STARTTLS). I'll concentrate on HTTPS in this mail. Note that HTTPS is slightly broader than just SSL: it also includes the browser interface.) Absolute numbers are one measure. Another would be to consider the ratio of HTTPS/HTTP and SSH/telnet. You could define a successful protocol by ability to displace its unprotected equivalent. I for one would consider that a more useful measure. I bet you find that HTTPS is non-existent according to this definition, completely disappearing in the noise. Interestingly (and IMHO correctly) enough OpenPGP fails this test too. Miserably. Perhaps that measure is too coarse grained. For instance, in the domain of "security advisories" most emails are digitally signed with OpenPGP. And in the domain of online credit card payments HTTPS has displaced HTTP. But HTTPS covers only those transactions for which users demand protection. Actually, that isn't quite correct. It is those transactions for which the users want to *feel* [2] protected. It is mindbogglingly easy to spoof an HTTPS site. Either with or without the impostor using a certificate. (Today, I can register http://www.e-g0ld.com/ and obtain a matching certificate for $100. All the user will see is a lock icon and he thinks he is safely on http://www.e-gold.com/.) A large part of the problem obviously is the browser's user interface. The other part mainly concerns the use of CA certificates. Self-signed certificates only compound the problem by teaching the user bad habits. ("Oh, if the browser asks a question, just click yes." Guess what: people will now always click "YES" on certificate related questions, whatever the question or warning is.) Penetration? Even privacy-sensitive sites like, say, http://www.cypherpunks.to/ do not utilize HTTPS by default. The possibility of HTTPS access isn't even mentioned on the homepage. No support for RFC 2817 and no transparent redirect either. You have to manually change http: to https: for it to work. Same for http://www.cryptorights.org/. When you manually go to the HTTPS version you will note that they use a self-signed certificate which: a) requires user interaction and a user knowing what she is doing; b) erodes the value of security questions (through teaching bad habits) c) doesn't cache the key so subsequent MITM attacks are not defended against. Another sensitive site? How about HTTPS access to Google ... ? SSH on the other hand succeeded in protecting network infrastructure nearly transparently. It virtually replaced telnet in places where it matters (and a whole lot where it doesn't). I don't have to change addresses or port numbers. Open-source UNIXes have it enabled by default. It completely redefined how X screens are remoted for the (small?) set of users that are interested in that. Of course its protocol isn't perfect and it certainly is vulnerable to the MITM on the first connection. But I bet it offers more real protection than HTTPS, as *presently* implemented, ever will. SSH is the closest thing to opportunistic encryption I know of. I guess this is qualified agreement with Ian's statement that SSH is the "only really successful net crypto system". I can only hope that people will adopt the displacement ratio as a measure of success and design their protocols (all the way up to the user interface) accordingly. Lifting and modifying a quote from Peter Gutmann's homepage: "I think a lot of purists would rather have cryptographic protocols be useless to anyone in any practical terms than to have it made simple enough to use, but potentially "flawed"." -- with apologies to Chris Zimman. -J [1] One exception would be the subset of mail roughly corresponding to security advisories. There OpenPGP signatures are the norm. [2] Airport "security" anyone? -- Jeroen C. van Gelderen - jeroen@vangelderen.org A single glass of beer was passed, from which I was the last one to sip - a ritual signifying that I was not to be poisoned.