RE: Maybe It's Snake Oil All the Way Down
"Lucky Green" <shamrock@cypherpunks.to> writes:
>I trust that we can agree that the volume of traffic and number of transactions protected by SSL are orders of magnitude higher than those protected by SSH. As is the number of users of SSL. The overwhelming majority of which wouldn't know ssh from telnet. Nor would they know what to do at a shell prompt and therefore have no use for either ssh or telnet.

Naah, that third sentence is wrong. It's:

  The overwhelming majority of [SSL users] wouldn't know SSL from HTTP with a padlock GIF in the corner.

>Given that SSL use is orders of magnitude higher than that of SSH, with no change in sight, primarily due to SSL's ease-of-use, I am a bit puzzled by your assertion that ssh, not SSL, is the "only really successful net crypto system".

I think the assertion was that SSH is used in places where it matters, while SSL is used where no-one really cares (or even knows) about it. Joe Sixpack will trust any site with a padlock GIF on the page. Most techies won't access a Unix box without SSH. Quantity != quality.

If you could wave a magic wand and make one of the two protocols vanish, I'd notice the loss of SSH immediately (I couldn't send this message for starters), but it would take days or weeks before I noticed the loss of SSL.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
On Wed, Jun 04, 2003 at 01:11:51AM +1200, Peter Gutmann wrote:
| "Lucky Green" <shamrock@cypherpunks.to> writes:
|
| >I trust that we can agree that the volume of traffic and number of
| >transactions protected by SSL are orders of magnitude higher than those
| >protected by SSH. As is the number of users of SSL. The overwhelming majority
| >of which wouldn't know ssh from telnet. Nor would they know what to do at a
| >shell prompt and therefore have no use for either ssh or telnet.
|
| Naah, that third sentence is wrong. It's:
|
| The overwhelming majority of [SSL users] wouldn't know SSL from HTTP with a
| padlock GIF in the corner.
|
| >Given that SSL use is orders of magnitude higher than that of SSH, with no
| >change in sight, primarily due to SSL's ease-of-use, I am a bit puzzled by
| >your assertion that ssh, not SSL, is the "only really successful net crypto
| >system".
|
| I think the assertion was that SSH is used in places where it matters, while
| SSL is used where no-one really cares (or even knows) about it. Joe Sixpack
| will trust any site with a padlock GIF on the page. Most techies won't access
| a Unix box without SSH. Quantity != quality.
|
| If you could wave a magic wand and make one of the two protocols vanish, I'd
| notice the loss of SSH immediately (I couldn't send this message for
| starters), but it would take days or weeks before I noticed the loss of SSL.

One of the papers at the security and econ workshop last week asserted that the reason ssh took off was actually because it makes life easier if you need to munge X displays.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
                                               -Hume
At 09:11 AM 6/3/2003, Peter Gutmann wrote:
>"Lucky Green" <shamrock@cypherpunks.to> writes:
>>Given that SSL use is orders of magnitude higher than that of SSH, with no change in sight, primarily due to SSL's ease-of-use, I am a bit puzzled by your assertion that ssh, not SSL, is the "only really successful net crypto system".
>
>I think the assertion was that SSH is used in places where it matters, while SSL is used where no-one really cares (or even knows) about it. Joe Sixpack will trust any site with a padlock GIF on the page. Most techies won't access a Unix box without SSH. Quantity != quality.

I have my own opinion on what this assertion means. :-) I believe it intends to state that ssh is more successful because it is the only Internet crypto system which has captured a large share of its use base. This is probably true: I think the ratio of ssh to telnet is much higher than the ratio of https to http, pgp to unencrypted e-mail, or what have you.

However, I think SSL has been much more successful in general than SSH, if only because it's actually used as a transport layer building block rather than as a component of an application protocol. SSL is used for more Internet protocols than HTTP: it's the standardized way to secure POP, IMAP, SMTP, etc. It's also used by many databases and other application protocols. In addition, a large number of proprietary protocols and custom systems use SSL for security: I know that Certicom's SSL Plus product (which I originally wrote) is (or was) used to secure everything from submitting your taxes with TurboTax to slot machine jackpot notification protocols, to the tune of hundreds of customers. I'm sure that when you add in RSA's customers, those of other companies, and people using OpenSSL/SSLeay, you'll find that SSL is much more broadly used than ssh.

I'd guess that SSL is more broadly used, in a dollars-secured or data-secure metric, than any other Internet protocol. Most of these uses are not particularly visible to the consumer, or happen inside of enterprises. Of course, the big winners in the $-secured and data-secured categories are certainly systems inside of the financial industry and governmental systems.

 - Tim
Tim Dierks wrote:
>At 09:11 AM 6/3/2003, Peter Gutmann wrote:
>>"Lucky Green" <shamrock@cypherpunks.to> writes:
>>>Given that SSL use is orders of magnitude higher than that of SSH, with no change in sight, primarily due to SSL's ease-of-use, I am a bit puzzled by your assertion that ssh, not SSL, is the "only really successful net crypto system".
>>
>>I think the assertion was that SSH is used in places where it matters, while SSL is used where no-one really cares (or even knows) about it. Joe Sixpack will trust any site with a padlock GIF on the page. Most techies won't access a Unix box without SSH. Quantity != quality.
>
>I have my own opinion on what this assertion means. :-) I believe it intends to state that ssh is more successful because it is the only Internet crypto system which has captured a large share of its use base. This is probably true: I think the ratio of ssh to telnet is much higher than the ratio of https to http, pgp to unencrypted e-mail, or what have you.
Certainly, in measurable terms, Tim's description is spot on. I agree with Peter's comments, but that's another issue indeed.
>However, I think SSL has been much more successful in general than SSH, if only because it's actually used as a transport layer building block rather than as a component of an application protocol. SSL is used for more Internet protocols than HTTP: it's the standardized way to secure POP, IMAP, SMTP, etc. It's also used by many databases and other application protocols. In addition, a large number of proprietary protocols and custom systems use SSL for security: I know that Certicom's SSL Plus product (which I originally wrote) is (or was) used to secure everything from submitting your taxes with TurboTax to slot machine jackpot notification protocols, to the tune of hundreds of customers. I'm sure that when you add in RSA's customers, those of other companies, and people using OpenSSL/SSLeay, you'll find that SSL is much more broadly used than ssh.
Design wins! Yes, indeed, another way of measuring the success is to measure the design wins. Using this measure, SSL is indeed ahead. This probably also correlates with the wider support that SSL garners in the cryptography field.
>I'd guess that SSL is more broadly used, in a dollars-secured or data-secure metric, than any other Internet protocol. Most of these uses are not particularly visible to the consumer, or happen inside of enterprises. Of course, the big winners in the $-secured and data-secured categories are certainly systems inside of the financial industry and governmental systems.
That would depend an awful lot on what was meant by "dollars-secured" and "data-secured"? Sysadmins move some pretty hefty backups by SSH on a routine basis.

--
iang
participants (4)
- Adam Shostack
- Ian Grigg
- pgut001@cs.auckland.ac.nz
- Tim Dierks