OpenSSH: the five-year trademark itch

Let the community decide

Got Tips?

Tatu Ylönen, chairman and CTO of SSH Communications Security, sent a letter to the OpenSSH developers list today (Feb 14) demanding OpenSSH stop using the SSH part of its name.

"I developed SSH (Secure Shell)," he wrote, "started using the name for it, established a company using the name, all of our products are marketed using the SSH brand, and we have created a fairly widely known global brand using the name. Unauthorised use of the SSH mark by the OpenSSH group is threatening to destroy everything I have built on it during the last several years."

But Theo de Raadt, co-creator of OpenSSH, hopes the community, not the courts, will decide the trademark skirmish.
He points to a licensing agreement that allowed independent versions of SSH before Ylönen received a trademark in 1996, and he wonders why Ylönen has taken five years to decide to enforce the trademark.

"I don't think we have to get lawyers involved," de Raadt says. "We're just going to try to do this very, very behind the scenes, and basically let the community decide what they're going to do about it."

He adds: "There are two main clinchers going on here. One is the fact that this licence file predates the trademark, and it grants rights that cannot be removed. And the other is the history of non-enforcement... against anybody else in the entire field using this name, then suddenly enforcing us because we're getting big enough."

Ylönen sent us background information today, but didn't immediately respond to questions about why he wants to enforce the trademark now. He did email a letter he sent to ScanSSH, also requesting the protocol scanner stop using the SSH name. (The letter is at the bottom of this story. NewsForge will publish a followup article as soon as Ylönen responds.)

From the terms of Ylönen's 1995 copyright notice for ssh 1.2.12, on which OpenSSH is based: "As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than 'ssh' or 'Secure Shell'."

OpenSSH was compatible with the protocol, and de Raadt argues that SSH, a secure Unix-based protocol often used by network administrators that allows access to a remote computer, has already become community property like http or ftp.

"If we give up on this entire thing, if we play his game, then his trademark, which he hasn't enforced since 1996, suddenly has a name attached to it," de Raadt said. "We want to push SSH as a generic term and leave it there, so that later on, he can't play games with people who make SSH (programs)."

A University of Alberta study found 17.4 per cent of all SSH users on the Internet to be using OpenSSH, with 80.3 per cent using SSH Communications Security products. Ylönen, in his letter to OpenSSH developers, argues that OpenSSH is based on an old, insecure version of his SSH, which is hurting users.

"The confusion is made even worse by the fact that OpenSSH is also a derivative of my original SSH Secure Shell product, and it still looks very much like my product (without my approval for any of it, by the way)," he wrote. "The old SSH1 protocol and implementation are known to have fundamental security problems, some of which have been described in recent CERT vulnerability notices and various conference papers. OpenSSH is doing a disservice to the whole Internet security community by lengthening the life cycle of the fundamentally broken SSH1 protocols."

But de Raadt says that versions of SSH1 are still the standard with about 90 percent of users, and there are compatibility problems between SSH1 and 2. "A release coming soon will prefer to do SSH- protocol over SSH1. Until then, we live in a realistic world, where not having SSH2 interoperability will lead to people using telnet. Better let them have SSH. And while we are firmly headed in the direction of making SSH2 the de facto protocol, we will continue to try to improve SSH1 since it will be a long time till it dies."

A name change would confuse users of both OpenSSH and SSH Communications Security's product, de Raadt said, and it would undo compatibility fixes pushed by OpenSSH co-creator Markus Friedl and approved by the IETF Secure Shell working group that is attempting to produce an open standard starting from the original SSH work done by Ylönen.

Ylönen's letter to ScanSSH (ScanSSH's Niels Provos says he hasn't seen it)

From: Tatu Ylönen
Subject: ScanSSH and infringement of SSH trademarks (open letter to Niels Provos)

Dear Mr. Provos,

As you and other OpenSSH core members well know and been expressly notified earlier, SSH is a registered trademark of SSH Communications Security Corp. We do not permit unauthorized use of the trademark in third party product names.

As you know, I have been using the trademark SSH as the brand name of my SSH (Secure Shell) secure remote login product ever since I released the first version in July 1995, and have consistently claimed it as trademark since at least early 1996.

In December 1995, I started SSH Communications Security Corp to support and further develop the SSH (Secure Shell) secure remote login products and to develop other network security solutions (especially in the IPSEC and PKI areas). SSH Communications Security Corp is now publicly listed in the Helsinki Exchange, employs 180 people working in various areas of cryptographic network security, and our products are distributed directly and indirectly by hundreds of licensed distributors and OEMs worldwide using the SSH brand name. There are several million users of products that we have licensed under the SSH brand.

We are also distributing non-commercial versions of our SSH Secure Shell product under the SSH brand name, free of charge, for any use on Linux, FreeBSD, OpenBSD, and NetBSD universities, as well as for use by universities, charity organizations and for personal recreational/hobby use by individuals.

The SSH mark is a significant asset of SSH Communications Security and the company strives to protect its valuable rights in the SSH(r) mark. SSH Communications Security has made a substantial investment in time and money in its SSH mark, such that end users have come to recognize that the mark represents SSH Communications Security as the source of the high quality products and technology offered under the mark. This resulting goodwill is of vital importance to SSH Communications Security Corp.

Your use of the SSH trademark in the name ScanSSH is unauthorized, as is the use of our SSH mark in the product name OpenSSH (about which you have been notified earlier). I therefore ask you to immediately cease this unlawful infringement of our trademark rights. I have previously asked you and other OpenSSH core people to change the name OpenSSH to something else that doesn't infringe our rights and cause confusion with our trademarks and brand name.

I now ask you to also change the name ScanSSH to something else. Since you have already been notified of the trademark and have been asked to cease the infringement of the SSH trademark, I can see no other possible reason for your choice of this name than to willfully damage our trademarks and brand name.

Yours sincerely,

Tatu Ylönen

Chairman and CTO, SSH Communications Security Corp.

Copyright © 2001 All rights reserved.

Sponsored: Webcast: Ransomware has gone nuclear


Biting the hand that feeds IT © 1998–2020