OpenSSH: the five-year trademark itch

Let the community decide


Tatu Ylönen, chairman and CTO of SSH Communications Security, sent a letter to the OpenSSH developers list today (Feb 14) demanding OpenSSH stop using the SSH part of its name.

"I developed SSH (Secure Shell)," he wrote, "started using the name for it, established a company using the name, all of our products are marketed using the SSH brand, and we have created a fairly widely known global brand using the name. Unauthorised use of the SSH mark by the OpenSSH group is threatening to destroy everything I have built on it during the last several years."

But Theo de Raadt, co-creator of OpenSSH, hopes the community, not the courts, will decide the trademark skirmish. He points to a licensing agreement that allowed independent versions of SSH before Ylönen received a trademark in 1996, and he wonders why Ylönen has taken five years to decide to enforce the trademark.

"I don't think we have to get lawyers involved," de Raadt says. "We're just going to try to do this very, very behind the scenes, and basically let the community decide what they're going to do about it."

He adds: "There are two main clinchers going on here. One is the fact that this licence file predates the trademark, and it grants rights that cannot be removed. And the other is the history of non-enforcement... against anybody else in the entire field using this name, then suddenly enforcing us because we're getting big enough."

Ylönen sent us background information today, but didn't immediately respond to questions about why he wants to enforce the trademark now. He did email a letter he sent to ScanSSH, also requesting the protocol scanner stop using the SSH name. (The letter is at the bottom of this story. NewsForge will publish a followup article as soon as Ylönen responds.)

From the terms of Ylönen's 1995 copyright notice for ssh 1.2.12, on which OpenSSH is based: "As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than 'ssh' or 'Secure Shell'."

OpenSSH was compatible with the protocol, and de Raadt argues that SSH, a secure Unix-based protocol that allows access to a remote computer and is often used by network administrators, has already become community property like http or ftp.

"If we give up on this entire thing, if we play his game, then his trademark, which he hasn't enforced since 1996, suddenly has a name attached to it," de Raadt said. "We want to push SSH as a generic term and leave it there, so that later on, he can't play games with people who make SSH (programs)."

A University of Alberta study found 17.4 per cent of all SSH users on the Internet to be using OpenSSH, with 80.3 per cent using SSH Communications Security products. Ylönen, in his letter to OpenSSH developers, argues that OpenSSH is based on an old, insecure version of his SSH, which is hurting users.

"The confusion is made even worse by the fact that OpenSSH is also a derivative of my original SSH Secure Shell product, and it still looks very much like my product (without my approval for any of it, by the way)," he wrote. "The old SSH1 protocol and implementation are known to have fundamental security problems, some of which have been described in recent CERT vulnerability notices and various conference papers. OpenSSH is doing a disservice to the whole Internet security community by lengthening the life cycle of the fundamentally broken SSH1 protocols."

But de Raadt says that versions of SSH1 are still the standard with about 90 percent of users, and there are compatibility problems between SSH1 and 2. "A release coming soon will prefer to do SSH-2 protocol over SSH1. Until then, we live in a realistic world, where not having SSH2 interoperability will lead to people using telnet. Better let them have SSH. And while we are firmly headed in the direction of making SSH2 the de facto protocol, we will continue to try to improve SSH1 since it will be a long time till it dies."

A name change would confuse users of both OpenSSH and SSH Communications Security's product, de Raadt said, and it would undo compatibility fixes pushed by OpenSSH co-creator Markus Friedl and approved by the IETF Secure Shell working group that is attempting to produce an open standard starting from the original SSH work done by Ylönen.

Ylönen's letter to ScanSSH (ScanSSH's Niels Provos says he hasn't seen it)

From: Tatu Ylönen
To: bugtraq@securityfocus.com
Subject: ScanSSH and infringement of SSH trademarks (open letter to Niels Provos)

Dear Mr. Provos,

As you and other OpenSSH core members well know and have been expressly notified earlier, SSH is a registered trademark of SSH Communications Security Corp. We do not permit unauthorized use of the trademark in third party product names.

As you know, I have been using the trademark SSH as the brand name of my SSH (Secure Shell) secure remote login product ever since I released the first version in July 1995, and have consistently claimed it as trademark since at least early 1996.

In December 1995, I started SSH Communications Security Corp to support and further develop the SSH (Secure Shell) secure remote login products and to develop other network security solutions (especially in the IPSEC and PKI areas). SSH Communications Security Corp is now publicly listed in the Helsinki Exchange, employs 180 people working in various areas of cryptographic network security, and our products are distributed directly and indirectly by hundreds of licensed distributors and OEMs worldwide using the SSH brand name. There are several million users of products that we have licensed under the SSH brand.

We are also distributing non-commercial versions of our SSH Secure Shell product under the SSH brand name, free of charge, for any use on Linux, FreeBSD, OpenBSD, and NetBSD universities, as well as for use by universities, charity organizations and for personal recreational/hobby use by individuals.

The SSH mark is a significant asset of SSH Communications Security and the company strives to protect its valuable rights in the SSH(r) mark. SSH Communications Security has made a substantial investment in time and money in its SSH mark, such that end users have come to recognize that the mark represents SSH Communications Security as the source of the high quality products and technology offered under the mark. This resulting goodwill is of vital importance to SSH Communications Security Corp.

Your use of the SSH trademark in the name ScanSSH is unauthorized, as is the use of our SSH mark in the product name OpenSSH (about which you have been notified earlier). I therefore ask you to immediately cease this unlawful infringement of our trademark rights. I have previously asked you and other OpenSSH core people to change the name OpenSSH to something else that doesn't infringe our rights and cause confusion with our trademarks and brand name.

I now ask you to also change the name ScanSSH to something else. Since you have already been notified of the trademark and have been asked to cease the infringement of the SSH trademark, I can see no other possible reason for your choice of this name than to willfully damage our trademarks and brand name.

Yours sincerely,

Tatu Ylönen

Chairman and CTO, SSH Communications Security Corp.

Copyright © 2001 Newsforge.com. All rights reserved.
