16. December 2023
SSH3: The Future of Secure Remote Access?
Secure Shell (SSH) has been a tried and tested protocol for secure remote access for many years. However, a new proposal called SSH3 aims to revolutionize the way SSH works by combining it with modern technologies such as HTTP/3 and QUIC. But does SSH3 have what it takes to become the future of secure remote access? Let’s dive into some key insights from the comments and take a closer look.
Concerns and Criticisms
One user raised some valid concerns about the SSH3 proposal. They questioned the naming of SSH3 since it is not a direct successor to SSHv2, potentially causing confusion. The user also pointed out that SSHv2 already provides robust and time-tested mechanisms, undermining the need for SSH3’s proposed enhancements.
Another user criticized the idea of “hiding your server behind a secret link” as a security feature, noting that it could be seen as security through obscurity. However, another user argued that this approach is actually a form of capability security, where the server can only be accessed by knowing and naming it through a secret link.
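The distinction the two commenters are drawing comes down to whether the "secret link" is treated as a credential: a short, guessable path is obscurity, while a long random path that is generated from a CSPRNG and compared without timing leaks behaves like a capability. The following Python snippet is an added illustration of that check; it is not code from the SSH3 project, and the `/ssh3` prefix, the 128-bit threshold and the function names are assumptions chosen for the example.

```python
import hmac
import math
import secrets
from urllib.parse import urlsplit

# Constructed for this example: a "secret link" only works as a capability if
# the path segment is unguessable (enough CSPRNG entropy) and the server
# verifies it the way it would verify a password (constant-time comparison).

def make_secret_path(prefix: str = "/ssh3", nbytes: int = 32) -> str:
    """Generate an unguessable URL path from nbytes of CSPRNG output (base64url)."""
    return f"{prefix.rstrip('/')}/{secrets.token_urlsafe(nbytes)}"

def entropy_bits(token: str, alphabet_size: int = 64) -> float:
    """Upper bound on the entropy of a token whose characters are drawn
    uniformly from an alphabet of alphabet_size symbols (64 for base64url)."""
    return len(token) * math.log2(alphabet_size)

def is_capability_strength(path: str, min_bits: float = 128.0) -> bool:
    """True if the final path segment carries at least min_bits of entropy.
    The threshold is an assumption for this example; anything far below it
    is 'security through obscurity' rather than a capability."""
    token = path.rsplit("/", 1)[-1]
    return entropy_bits(token) >= min_bits

def path_matches(request_target: str, expected_path: str) -> bool:
    """Constant-time check of the request path against the configured secret.
    Only the path is the capability; query string and fragment are ignored.
    hmac.compare_digest avoids the early-exit timing leak of a plain ==."""
    got = urlsplit(request_target).path
    return hmac.compare_digest(got.encode(), expected_path.encode())

if __name__ == "__main__":
    secret = make_secret_path()
    print(secret, is_capability_strength(secret))      # e.g. /ssh3/<43 chars> True
    print(is_capability_strength("/ssh3/admin"))       # False: 30 bits at most
    print(path_matches(secret + "?x=1", secret))       # True
```

The generated path should be handled exactly like a key: stored in a secrets manager, never logged by a reverse proxy or CDN in front of the server, and rotated if it leaks. A low `entropy_bits` result is the quickest way to tell a labelled "capability" from a merely obscure URL.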
Additionally, the incorporation of OpenID Connect (OIDC) into SSH was also questioned by one user. They highlighted potential security risks and complexity associated with integrating OIDC into the SSH protocol.
Session Establishment and Performance
One user pointed out that while the SSH3 proposal claims to have significantly faster session establishment with only three network round-trip times compared to SSHv2’s five to seven round-trip times, they personally did not find session establishment time a significant factor in their decision to adopt SSH3.
Benefits and Possibilities
Despite the criticisms, there were some interesting possibilities and potential advantages highlighted by users.
One user mentioned the use of SSH over HTTP/3 as a killer feature, especially in environments where SSH is blocked or actively monitored. By leveraging HTTP/3, SSH3 could evade such restrictions and appear as regular website traffic.
Another user expressed the desire to easily set up a Content Delivery Network (CDN) like Cloudflare in front of an SSH server, without requiring any special client-side configurations. This would potentially bring the benefits of CDN caching, load balancing, and DDoS protection to SSH connections.
Revisiting the Use of HTTP and QUIC
The idea of utilizing HTTP and QUIC for SSH has mixed reviews. One user questioned the need for HTTP/3 in the SSH3 proposal, as it seemed to add overhead without clear advantages. Others raised concerns about potential vulnerabilities and attack vectors that exist in the broader HTTP ecosystem.
However, there were comments in favor of leveraging HTTP. One user mentioned the possibility of using HTTP/3 to make SSH traffic appear as uninteresting website traffic, potentially bypassing certain network restrictions or firewalls. Another user highlighted the benefits of using TLS PKI instead of setting up SSH Certificate Authorities (CAs), potentially simplifying the management of public key infrastructure.
Final Thoughts
While the proposal for SSH3 using HTTP/3 and QUIC brings some interesting ideas and possibilities, it also faces valid concerns and criticisms. The incorporation of OIDC and the overall naming and marketing strategy of SSH3 may need further consideration. Moreover, the benefits and performance improvements offered by SSH3 might not outweigh the complexities and potential risks associated with adding HTTP and QUIC to the SSH protocol.
As technology continues to evolve, it is essential to strike a balance between innovation and maintaining the robustness and security of existing protocols like SSH. SSH3 might offer some solutions to certain use cases or network restrictions, but it remains to be seen if it will become the future of secure remote access.
In the meantime, SSHv2 continues to be a trusted and widely adopted protocol for secure remote access. It provides robust mechanisms, supports extensibility, and has a proven track record in the field of cybersecurity.
Source: https://github.com/francoismichel/ssh3