Tatu Ylonen, father of SSH, says security is 'getting worse'

Tatu Ylonen has garnered fame in technology circles as the inventor of Secure Shell (SSH), the widely used protocol to protect data communications. The CEO of SSH Communications Security -- whose crypto-based technology invented in 1995 continues to be used in hundreds of millions of computers, routers and servers -- recently spoke with Network World on a variety of security topics. (At the Black Hat Conference this week, his company is also announcing CryptoAuditor.)

In the past we've discussed your growing up in Finland during the Cold War. And we've talked about how you invented SSH encryption as an open protocol in the 1990s when the U.S. was trying to force vendors to install a key-escrow system in every product using encryption so the government could gain access to encrypted data. So do you think the world's security is better now or worse?

I think it's getting worse. Consumer privacy is disappearing totally. And SSL [Secure Sockets Layer] is being questioned and the problem isn't the protocol itself but the key infrastructure. There have been several incidents where someone has stolen from the certificate authorities.

This stolen SSL certificate issue is certainly well known. Do you think SSL is useless?

Probably not useless but less useful than ever. It's much too easy for someone to break the encryption itself by creating fake certificates. Any major government can do it, as well as criminal organizations. And they are doing it. Definitely, we see the example for this in the Flame virus, forging certificates.

But what if anything could replace the SSL certificate infrastructure?

For consumers in the short term, no. But SSH is an option, especially for automation. It would require an extension to SSH. I actively proposed it to replace SSL 15 years ago but I was basically railroaded at the IETF by Microsoft and Sun!

As you mentioned, consumer privacy is disappearing online, especially with the kind of hyperactive marketing we do full-tilt in the U.S. Does the European viewpoint on data privacy for consumers seem to differ?

Laws are tighter in Europe but people use the same services. The real problem in my view is that you can target information to modify how they think. ... When you can control information for people -- it's an extremely powerful political tool.

That brings to mind that the Russian parliament just passed an Internet censorship bill. What do you think about that?

It's worrisome. Information that's gathered is highly valued for cyberwarfare because people can always get access codes and backdoors into people's home computers with malware, via e-mail or whatever. On the enterprise side, firewalls are becoming less and less protective because it's difficult to do firewalling when traffic is encrypted. Take the highly specific malware, such as when RSA was compromised. That was a customized email pretending to be something else. The more you know about targets, the more you can send them.

Stuxnet and Flame are now believed to be cyberwarfare tools developed by the U.S. and Israel, with President Obama authorizing use of Stuxnet against Iran. Is this kind of cyber-weapon something that should be part of arms negotiations, for instance, or just the new normal for governments?

It's fast going to be the new normal. Secret wars? I hope not. But it might be. Flame took advantage of a fake Microsoft Update Service. Whoever controls your Internet access can install anything they want.

Attackers can gain a lot of information from the information we leave about ourselves on social networking sites. Is social networking too risky to use?

The technology is too important to not use it. We need the Internet and social-networking tools.

So when it comes to SSH, is this still an open protocol?

SSH is fully open and implementations are fully interoperable. We have extensions in our products, which are mostly used in embedded systems. It's to protect passwords and any other data you don't want to pass in the clear over the Internet or even your internal network. It's mostly used by systems administrators. There have basically been two versions of the SSH protocol over the years, SSH1 and SSH2, which has been around about 15 years.

So we've heard a lot over the years about SSH used in the enterprise. But what about for cloud services? Does it fit there?

Every cloud service provider uses SSH to manage the cloud. Amazon uses SSH to manage the underlying infrastructure in two layers. There's a need to manage the keys for automation. Those keys provide access from one computer to another. Banks and every other major system out there could have 100,000 servers and 200,000 to 400,000 authentication keys. When we talk to the cloud service providers, it's in the eight digits in terms of the numbers of servers. How do we make that scale and automate the system?

Key management has always been a tough problem. But you say this issue of figuring out key management is now harder than ever?

We work a lot with the large banks that use SSH. When we go to look at their networks, which are automated, they have something like eight authentication keys for access to the network. Some haven't changed in 10 years! It's a ticking time bomb. Sometimes they don't know who can access the systems. At one large bank, there are 200 systems administrators setting up keys for 200,000 systems. These are small files. Someone could copy all the keys in a USB stick. The key continues to provide access even after you've left the organization.

The authorization keys grant you the same access as a password. You can change the encryption software. This is something that's a problem. This has been fairly little known and unnoticed for the last 15 years. Organizations haven't really handled the management of the keys. It's so technical, so deep inside the systems. Auditors haven't known about it. This is a top focus for us.

Starting this spring, we've been piloting Universal SSH Key Manager, piloting it with a customer, for machine-to-machine communications. It solves three problems, knowing what you have, the trusted relationship with computers, and automating the management of the keys. One customer has a 15-person dedicated team doing key management, and they've had three failed projects trying to solve this problem.

So what is the CryptoAuditor product that SSH Communications Security is announcing today?

It's for auditing encrypted connections for visibility of content in an encrypted session. You have internal firewalls and all the connections are encrypted. We work with DLP [data-loss prevention] providers and others with the ICAP protocol. The goal is to control what gets transmitted across the firewall, and for auditing.

Stories by Ellen Messmer