Open source's quiet revenge

All the lawyers in Finland won't fix the predicament of Secure Shell vendor SSH Communications Security.

Last week, I said I'd be discussing the business models used by Linux distributors and vendors of other open source software. While it's still my intention to do so, I just couldn't neglect a fascinating tale that unfolded this week surrounding the Secure Shell (SSH) Internet protocol and its related software.

While the search for truly workable open source business models remains a challenge, the SSH experience offers a textbook case of a business practice that, from what I can see, is doomed to fail. SSH is a sort of secure Telnet-type connection running over an encrypted channel and featuring full public-key-based authentication. The first release was developed under an open license and attracted a worldwide community of developers. SSH head developer Tatu Ylonen submitted the underlying protocol as an Internet standard.

Version one of SSH became quite a community project. Because of U.S. government restrictions, it wasn't adopted as quickly as proponents would have liked. But for many security-conscious folk, SSH became the replacement for Telnet and FTP.

And then, midway through the development of release 1.2.12 in 1995, Ylonen quietly changed the license to a more restrictive one that prohibited commercial distribution and asserted a trademark on the name "ssh." He then incorporated a company, SSH Communications Security, to sell the software to commercial users. The company would later make a second version of the commercial SSH software that was incompatible with the old open one.

The Finland-based company is now in a war of words and lawyers' letters with developers of an increasingly popular open source implementation known as OpenSSH. The OpenSSH developers, many of whom worked on the original SSH community project, viewed the license restrictions as a betrayal. It was one thing for Ylonen to try to make a buck off his work, but the new licensing prohibited any of the other developers from doing so.

The developers responded in the only way they knew how. They took the last version of SSH that was completely open source and created a new project to maintain and extend a free version of it. That project became OpenSSH and was shepherded by the OpenBSD group, which already had a reputation for being obsessed with secure free software.

Within the last year, a number of events have converged to turn the rivalry into a full-blown competition. Most importantly, OpenSSH finally became good enough to use as a drop-in replacement for the proprietary stuff. Meanwhile, SSH Communications Security raised $14 million in capital, a move that gave the company lots of cash in return for a new leadership with less tolerance for the free alternative. Add the U.S. government's relaxing of its restrictions on cryptography, and you had a volatile situation just waiting for a head-on confrontation.

That confrontation started last week when SSH Communications spent some of that $14 million on lawyers. The goal? Force OpenSSH to change its name. The weapon? A U.S. trademark on the lower-case letters ssh. The chance of success? Slim to none, according to OpenBSD leader Theo de Raadt, who also says there's no reason or desire within the OpenSSH community to change the name.

There are many arguments being given throughout the community for the futility of any legal action. Here is a sample:

  • OpenBSD and OpenSSH are based in Canada, which doesn't necessarily recognize the SSH trademark.
  • Ylonen promoted the SSH name as a standard in the early days and didn't put restrictions on use. He later promoted the supposed trademark as the name of an Internet-standard protocol.
  • The trademark is only on a specific graphic of the letters SSH in lower case in a specific font. The term SSH itself isn't trademarked.
  • As they produce software that's freely downloadable, the OpenSSH developers are arguably not engaged in commercial gain. According to one interpretation of the U.S. trademark law, this prevents any trademark-related action against OpenSSH.
  • Who do you sue? The individual developers scattered around the world? OpenSSH maintains no formal organized structure. And if the company won, how much in damages could be extracted from these volunteers?

In honesty, few of the people offering such opinions are lawyers. But de Raadt says he's consulted enough legal professionals to assure him that any real action on the matter would get the Finns nowhere. He says the OpenSSH project has no intention of changing its name or even reacting to the threat. And as if to rub salt in the wound, the OpenSSH folk this week announced a new release of their software. Version 2.5.1 fixes some compatibility problems with the commercial SSH, furthering OpenSSH's push to outdo the proprietary version at its own game.

Maybe SSH Communications Security will continue to be profitable despite the existence of a freely available (and now completely compatible) version. The company seems faced with two options: It can pursue a costly legal attack with no guarantee of winning, and reap only negligible returns if it does win. Or it can back away, leaving OpenSSH an opportunity to call its bluff, thus drawing even more attention to the free software upstarts.

Somehow I think things would have been less messy had Ylonen not changed the SSH license in mid-stream. This is not a business practice worth emulating.

What do you think of the SSH-OpenSSH skirmish? Let me know in the TalkBack below.

