Maybe It's Snake Oil All the Way Down

Tim Dierks tim at dierks.org
Tue Jun 3 08:14:46 PDT 2003


At 09:11 AM 6/3/2003, Peter Gutmann wrote:
>"Lucky Green" <shamrock at cypherpunks.to> writes:
> >Given that SSL use is orders of magnitude higher than that of SSH, with no
> >change in sight, primarily due to SSL's ease-of-use, I am a bit puzzled by
> >your assertion that ssh, not SSL, is the "only really successful net crypto
> >system".
>
>I think the assertion was that SSH is used in places where it matters, while
>SSL is used where no-one really cares (or even knows) about it.  Joe Sixpack
>will trust any site with a padlock GIF on the page.  Most techies won't access
>a Unix box without SSH.  Quantity != quality.

I have my own opinion on what this assertion means. :-) I believe it 
intends to state that ssh is more successful because it is the only 
Internet crypto system which has captured a large share of its use base. 
This is probably true: I think the ratio of ssh to telnet is much higher 
than the ratio of https to http, pgp to unencrypted e-mail, or what have you.

However, I think SSL has been much more successful in general than SSH, if 
only because it's actually used as a transport layer building block rather 
than as a component of an application protocol. SSL is used for more 
Internet protocols than HTTP: it's the standardized way to secure POP, 
IMAP, SMTP, etc. It's also used by many databases and other application 
protocols. In addition, a large number of proprietary protocols and custom 
systems use SSL for security: I know that Certicom's SSL Plus product 
(which I originally wrote) is (or was) used to secure everything from 
submitting your taxes with TurboTax to slot machine jackpot notification 
protocols, to the tune of hundreds of customers. I'm sure that when you add 
in RSA's customers, those of other companies, and people using 
OpenSSL/SSLeay, you'll find that SSL is much more broadly used than ssh.

I'd guess that SSL is more broadly used, in a dollars-secured or 
data-secure metric, than any other Internet protocol. Most of these uses 
are not particularly visible to the consumer, or happen inside of 
enterprises. Of course, the big winners in the $-secured and data-secured 
categories are certainly systems inside of the financial industry and 
governmental systems.

  - Tim




