Tatu Ylonen, the fellow who gave the world SSH encryption, says that IT security is shot to hell.
Ylonen invented SSH encryption as an open protocol in the 1990s. This was controversial at the time because the US was trying to force vendors to install a key-escrow system in every product so it could snuffle encrypted data with some ease.
Talking to Network World, Ylonen said that things were getting worse and consumer privacy is disappearing totally.
He said that SSL is being blamed but the problem isn’t the protocol itself but the key infrastructure. This was highlighted by people stealing from the certificate authorities.
He said that SSL was less useful than ever because it is too easy for someone to break the encryption itself by creating fake certificates.
Ylonen said that any major government can do it, as well as criminal organisations with enough cash behind them. The Flame virus was based on this attack vector.
He said that at the moment the only thing he can think of to replace the SSL is SSH, at least for automation. He proposed such an extension to replace SSL 15 years ago but was basically railroaded at the IETF by Microsoft and Sun.
He was particularly concerned about the way that the large banks use SSH. While some of them have eight authentication keys for access to the network others have not changed theirs for 10 years, he said.
Ylonen said that it was a “ticking time bomb” and some banks do not know who can access the systems. He knew of a large bank where 200 systems administrators were setting up keys for 200,000 systems. Theoretically, someone could copy all the keys in a USB stick and provide access even after you’ve left the organisation.
It seems that the banks have not twigged that the authorisation keys grant you the same access as a password.
He has been piloting Universal SSH Key Manager, with a customer, for machine-to-machine communications. It should be available in Spring.
Ylonen thinks that it will solve the problems of knowing what you have, the trusted relationship with computers, and automating the management of the keys.