Tatu Ylonen, father of SSH, says security is 'getting worse'

Q&A: Creator of Secure Shell protocol on cyberwarfare, and why key management can be a 'ticking time bomb'

By , Network World
July 25, 2012 12:01 AM ET

Network World - Tatu Ylonen has garnered fame in technology circles as the inventor of Secure Shell (SSH), the widely used protocol to protect data communications. The CEO of SSH Communications Security -- whose crypto-based technology invented in 1995 continues to be used in hundreds of millions of computers, routers and servers -- recently spoke with Network World on a variety of security topics. (At the Black Hat Conference this week, his company is also announcing CryptoAuditor.)

In the past we've discussed your growing up in Finland during the Cold War. And we've talked about how you invented SSH encryption as an open protocol in the 1990s when the U.S. was trying to force vendors to install a key-escrow system in every product using encryption so the government could gain access to encrypted data. So do you think the world's security is better now or worse?

I think it's getting worse. Consumer privacy is disappearing totally. And SSL [Secure Sockets Layer] is being questioned and the problem isn't the protocol itself but the key infrastructure. There have been several incidents where someone has stolen from the certificate authorities.

This stolen SSL certificate issue is certainly well known. Do you think SSL is useless?

Probably not useless but less useful than ever. It's much too easy for someone to break the encryption itself by creating fake certificates. Any major government can do it, as well as criminal organizations. And they are doing it. Definitely, we see the example for this in the Flame virus, forging certificates.

But what if anything could replace the SSL certificate infrastructure?

For consumers in the short term, no. But SSH is an option, especially for automation. It would require an extension to SSH. I actively proposed it to replace SSL 15 years ago but I was basically railroaded at the IETF by Microsoft and Sun!

As you mentioned, consumer privacy is disappearing online, especially with the kind of hyperactive marketing we do full-tilt in the U.S. Does the European viewpoint on data privacy for consumers seem to differ?

Laws are tighter in Europe but people use the same services. The real problem in my view is that you can target information to modify how they think. ... When you can control information for people -- it's an extremely powerful political tool.

That brings to mind that the Russian parliament just passed an Internet censorship bill. What do you think about that?

It's worrisome. Information that's gathered is highly valued for cyberwarfare because people can always get access codes and backdoors into people's home computers with malware, via e-mail or whatever. On the enterprise side, firewalls are becoming less and less protective because it's difficult to do firewalling when traffic is encrypted. Take the highly specific malware, such as when RSA was compromised. That was a customized email pretending to be something else. The more you know about targets, the more you can send them.
