How and Why More Secure Technologies Succeed in Legacy Markets

Lessons from the Success of SSH
  • Nicholas Rosasco
  • David Larochelle
Part of the Advances in Information Security book series (ADIS, volume 12)

Conclusion

SSH provided superior security while maintaining current functionality. SSH’s acceptance is demonstrated by the fact that installing SSH as an alternative to telnet is now widely considered to be a minimal security practice. The removal of telnet clients is now seen as a best practice [Fenzi, 2002], and this view has further increased the adoption of SSH.

Similar technologies such as secure file transfer protocols provide similar benefits but have not achieved nearly the same level of acceptance as SSH. We have performed an economic analysis to determine why telnet has been largely supplanted by SSH but FTP remains widely used. The consequences of a security breach exploiting cleartext passwords are far-reaching: the entire system is placed at risk. In many cases the risks posed by telnet and FTP were the same, but the perception of the costs to change obviously differs. An organization that provides shell accounts is likely to have an interest in the integrity of user data that extends beyond concerns for reputation and liability alone, and is also likely to be more willing to accept the difficulties and costs of the switch. How, and more importantly why, does the market view one security solution as achievable and yet ignore the other? We have attempted to find lessons to be learned about the tradeoffs that are made, and how the secure option can be made more attractive. We have shown that network externalities, usually a first-order effect, were not a significant factor impeding the adoption of SSH, and that SSH offered equivalent functionality and greater ease of use. These factors were the primary consideration in the willingness to change. Additionally, we believe the openness of the standard, which facilitated the creation of numerous compatible implementations, was a key element in the economic decision made by system administrators.

Keywords

Information Security; Network Externality; Security Breach; Unix System; Legacy Market
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

  1. Daniel Barrett and Richard E. Silverman, SSH, the Secure Shell: The Definitive Guide, USA: O’Reilly & Associates, (2001).
  2. Daniel Barrett and Richard E. Silverman, SSH Frequently Asked Questions, (Oct. 2000), http://www.snailbook.com/faq/restricted-scp.auto.html
  3. Louis Bertrand, “How SSH was freed”, Daemon News (Dec. 1999), http://www.daemonnews.org/199912/openSSH.html
  4. cPanel, Inc., cPanel, http://www.cpanel.net
  5. Kevin Fenzi and Dave Wreski. “Linux Security HOWTO”, (June 2002), http://www.tldp.org/HOWTO/Security-HOWTO/index.html
  6. Brian Hatch, “Greasing the Squeaky Wheels”, IT World.com, (September 2002), http://www.itworld.com/nl/lnx_sec/09172002/
  7. Jupitermedia Corporation, List of Web Hosts, (2004), http://webhosts.thelist.com/
  8. Michael L. Katz and Carl Shapiro, “Systems Competition and Network Effects”, The Journal of Economic Perspectives, Vol 8, (Spring 1994).
  9. David Larochelle and Nicholas Rosasco, Towards a Model of the Costs of Security, (May 2003), http://www.cs.virginia.edu/larochelle/securitycosts
  10. Damien Miller, SSH tips, tricks, and protocol tutorial, (August 2002), http://www.mindrot.org/R~djm/auug2002/ssh-tutorial.pdf
  11. Jason Moore, personal communication, (February 2001).
  12. Carl Shapiro and Hal R. Varian, Information Rules: a Strategic Guide to the Network Economy, Harvard Business School Press, (1999).
  13. Clifford Stoll, The Cuckoo’s Egg: Tracking a Spy through the Maze of Computer Espionage, New York: Doubleday, (1989).
  14. WebHostingRank.com, Web Hosting directory list guide, http://www.webhostingrank.com/cgi-bin/search/basic.cgi statistics listed as of January 2004.
  15. Tatu Ylönen, Usenet posting of the SSH release announcement, (July 1995), message archived at http://groups.google.com/groups?hl=en&lr=&ie=UTF-Uselm=YLO.95Jull2234021%40shadows.cs.hut.fi

Copyright information

© Springer Science + Business Media, Inc. 2004

Authors and Affiliations

  • Nicholas Rosasco (1)
  • David Larochelle (2)
  1. University of Maryland Baltimore County, USA
  2. University of Virginia, USA
