reader comments
1
Sometime around the start of 1995, an unknown person planted a password sniffer on the network backbone of Finland’s Helsinki University of Technology (now known as Aalto University). Once in place, this piece of dedicated hardware surreptitiously inhaled thousands of user names and passwords before it was finally discovered. Some of the credentials belonged to employees of a company run by Tatu Ylönen, who was also a database researcher at the university.
The event proved to be seminal, not just for Ylönen’s company but for the entire world. Until that point, people like Ylönen connected to networks using tools which implemented protocols such as Telnet, rlogin, rcp, and rsh. All of these transmitted passwords (and all other data) as plaintext, providing an endless stream of valuable information to sniffers. Ylönen, who at the time knew little about implementing strong cryptography in code, set out to develop the Secure Shell Protocol (SSH) in early 1995, about three months after the discovery of the password sniffer.
As one of the first network tools to route traffic through an impregnable tunnel fortified with a still-esoteric feature known as “public key encryption,” SSH quickly caught on around the world. Besides its unprecedented security guarantees, SSH was easy to install on a wide array of operating systems, including the myriad ones that powered the devices administrators used—and the servers those devices connected to remotely. SSH also supported X11 forwarding, which allowed users to run graphical applications on a remote server.
Ylönen submitted SSH to the Internet Engineering Taskforce in 1996, and it quickly became an almost ubiquitous tool for remotely connecting computers. Today, it’s hard to overstate the importance of the protocol, which underpins the security of apps used inside millions of organizations, including cloud environments crucial to Google, Amazon, Facebook, and other large companies.
Binary Packet Protocol, which is designed to ensure that adversaries with an active position can’t add or drop messages exchanged during the handshake. Terrapin relies on prefix truncation, a class of attack that removes specific messages at the very beginning of a data stream.
