OpenSSH: the five-year trademark itch

Let the community decide


Tatu Ylönen, chairman and CTO of SSH Communications Security, sent a letter to the OpenSSH developers list today (Feb 14) demanding OpenSSH stop using the SSH part of its name.

"I developed SSH (Secure Shell)," he wrote, "started using the name for it, established a company using the name, all of our products are marketed using the SSH brand, and we have created a fairly widely known global brand using the name. Unauthorised use of the SSH mark by the OpenSSH group is threatening to destroy everything I have built on it during the last several years."

But Theo de Raadt, co-creator of OpenSSH, hopes the community, not the courts, will decide the trademark skirmish. He points to a licensing agreement that allowed independent versions of SSH before Ylönen received a trademark in 1996, and he wonders why Ylönen has taken five years to decide to enforce the trademark.

"I don't think we have to get lawyers involved," de Raadt says. "We're just going to try to do this very, very behind the scenes, and basically let the community decide what they're going to do about it."

He adds: "There are two main clinchers going on here. One is the fact that this licence file predates the trademark, and it grants rights that cannot be removed. And the other is the history of non-enforcement... against anybody else in the entire field using this name, then suddenly enforcing us because we're getting big enough."

Ylönen sent us background information today, but didn't immediately respond to questions about why he wants to enforce the trademark now. He did email a letter he sent to ScanSSH, also requesting the protocol scanner stop using the SSH name. (The letter is at the bottom of this story. NewsForge will publish a followup article as soon as Ylönen responds.)

From the terms of Ylönen's 1995 copyright notice for ssh 1.2.12, on which OpenSSH is based: "As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than 'ssh' or 'Secure Shell'."

OpenSSH was compatible with the protocol, and de Raadt argues that SSH, a secure Unix-based protocol often used by network administrators that allows access to a remote computer, has already become community property like http or ftp.

"If we give up on this entire thing, if we play his game, then his trademark, which he hasn't enforced since 1996, suddenly has a name attached to it," de Raadt said. "We want to push SSH as a generic term and leave it there, so that later on, he can't play games with people who make SSH (programs)."

A University of Alberta study found 17.4 per cent of all SSH users on the Internet to be using OpenSSH, with 80.3 per cent using SSH Communications Security products. Ylönen, in his letter to OpenSSH developers, argues that OpenSSH is based on an old, insecure version of his SSH, which is hurting users.

"The confusion is made even worse by the fact that OpenSSH is also a derivative of my original SSH Secure Shell product, and it still looks very much like my product (without my approval for any of it, by the way)," he wrote. "The old SSH1 protocol and implementation are known to have fundamental security problems, some of which have been described in recent CERT vulnerability notices and various conference papers. OpenSSH is doing a disservice to the whole Internet security community by lengthening the life cycle of the fundamentally broken SSH1 protocols."

But de Raadt says that versions of SSH1 are still the standard with about 90 percent of users, and there are compatibility problems between SSH1 and 2. "A release coming soon will prefer to do SSH- protocol over SSH1. Until then, we live in a realistic world, where not having SSH2 interoperability will lead to people using telnet. Better let them have SSH. And while we are firmly headed in the direction of making SSH2 the de facto protocol, we will continue to try to improve SSH1 since it will be a long time till it dies."

A name change would confuse users of both OpenSSH and SSH Communications Security's product, de Raadt said, and it would undo compatibility fixes pushed by OpenSSH co-creator Markus Friedl and approved by the IETF Secure Shell working group that is attempting to produce an open standard starting from the original SSH work done by Ylönen.

Ylönen's letter to ScanSSH (ScanSSH's Niels Provos says he hasn't seen it)

From: Tatu Ylönen
To: bugtraq@securityfocus.com
Subject: ScanSSH and infringement of SSH trademarks (open letter to Niels Provos)

Dear Mr. Provos,

As you and other OpenSSH core members well know and have been expressly notified earlier, SSH is a registered trademark of SSH Communications Security Corp. We do not permit unauthorized use of the trademark in third party product names.

As you know, I have been using the trademark SSH as the brand name of my SSH (Secure Shell) secure remote login product ever since I released the first version in July 1995, and have consistently claimed it as trademark since at least early 1996.

In December 1995, I started SSH Communications Security Corp to support and further develop the SSH (Secure Shell) secure remote login products and to develop other network security solutions (especially in the IPSEC and PKI areas). SSH Communications Security Corp is now publicly listed in the Helsinki Exchange, employs 180 people working in various areas of cryptographic network security, and our products are distributed directly and indirectly by hundreds of licensed distributors and OEMs worldwide using the SSH brand name. There are several million users of products that we have licensed under the SSH brand.

We are also distributing non-commercial versions of our SSH Secure Shell product under the SSH brand name, free of charge, for any use on Linux, FreeBSD, OpenBSD, and NetBSD universities, as well as for use by universities, charity organizations and for personal recreational/hobby use by individuals.

The SSH mark is a significant asset of SSH Communications Security and the company strives to protect its valuable rights in the SSH(r) mark. SSH Communications Security has made a substantial investment in time and money in its SSH mark, such that end users have come to recognize that the mark represents SSH Communications Security as the source of the high quality products and technology offered under the mark. This resulting goodwill is of vital importance to SSH Communications Security Corp.

Your use of the SSH trademark in the name ScanSSH is unauthorized, as is the use of our SSH mark in the product name OpenSSH (about which you have been notified earlier). I therefore ask you to immediately cease this unlawful infringement of our trademark rights. I have previously asked you and other OpenSSH core people to change the name OpenSSH to something else that doesn't infringe our rights and cause confusion with our trademarks and brand name.

I now ask you to also change the name ScanSSH to something else. Since you have already been notified of the trademark and have been asked to cease the infringement of the SSH trademark, I can see no other possible reason for your choice of this name than to willfully damage our trademarks and brand name.

Yours sincerely,

Tatu Ylönen

Chairman and CTO, SSH Communications Security Corp.

Copyright © 2001 Newsforge.com. All rights reserved.
