
SSH3: Faster and rich secure shell using HTTP/3

https://github.com/francoismichel/ssh3
105•tempaccount420•2h ago

Comments

Zambyte•1h ago
I was skeptical of the claim that it's faster than traditional SSH, but the README specifies that it is faster at establishing a connection, and that active connections are the same speed. That makes a lot of sense and seems like a reasonable claim to make.
wolrah•1h ago
It also tracks with HTTP/3 and QUIC as a whole, as one of the main "selling points" has always been reduced round trips leading to faster connection setup.
notepad0x90•1h ago
Although, dollars-to-donuts my bet is that this tool/protocol is much faster than SSH over high-latency links, simply by virtue of using UDP. Not waiting for acks before sending more data might be a significant boost for things like scp'ing large files from one part of the world to another.
xorcist•58m ago
Of course it has ACKs. There are protocols without ACKs but they are exotic and HTTP3 is not one of them.
IshKebab•56m ago
He said not waiting for ACKs.
xorcist•51m ago
That makes even less sense, unless we are talking about XMODEM every protocol uses windowing to avoid getting stuck waiting for ACKs.

Of course you need to wait for ACKs at some point though, otherwise they would be useless. That's how we detect, and potentially recover from, broken links. They are a feature. And HTTP3 has that feature.

Is it better implemented than the various TCP algorithms we use underneath regular SSH? Perhaps. That remains to be seen. The use case of SSH (long lived connections with shorter lived channels) is vastly different from the short lived bursts of many connections that QUIC was intended for. My best guess is that it could go both ways, depending on the actual implementation. The devil is in the details, and there are many details here.

Should you find yourself limited by the default buffering of SSH (10+Gbit intercontinental links), that's called "long fat links" in network lingo, and is not what TCP was built for. Look at pages like this Linux Tuning for High Latency networks: https://fasterdata.es.net/host-tuning/linux/

There is also the HPN-SSH project which increases the buffers of SSH even more than what is standard. It is seldom needed anymore since both Linux and OpenSSH have improved, but can still be useful.

IOT_Apprentice•42m ago
Well, you could peruse the code. Then see what it does and explain it.
finaard•47m ago
Not really that relevant - anybody regularly using SSH over high latency links is using SSH+mosh already anyway.
oefrha•22m ago
The huge downside of mosh is it handles its own rendering and destroys the scrollback buffer. (Yes I know I can add tmux for a middle ground.)

But it's still irrelevant here; specifically called out in README:

> The keystroke latency in a running session is unchanged.

nh2•30m ago
SSH has low throughput on high latency links, but not because it uses TCP. It is because SSH hardcodes a too-small maximum window size in its protocol, in addition to the one of TCP.

This SSH window size limit is per ssh "stream", so it could be overcome by many parallel streams, but most programs do not make use of that (scp, rsync, piping data through the ssh command), so they are much slower than plain TCP as measured eg by iperf3.

I think it's silly that this exists. They should just let TCP handle this.

fanf2•18m ago
Yeah, the longstanding hpn-ssh fork started off by adjusting ssh’s window sizes for long fat pipes.

https://github.com/rapier1/hpn-ssh

Operyl•11m ago
Off the top of your head do you know of any file transfer tools that do utilize multiple streams?
bravetraveler•8m ago
I tend to use 'rclone', does SSH/more. The '--transfers' arg is useful

... in a sense; several files, lol.

fanf2•23m ago
Yeah, there’s a replacement for scp that uses ssh for setup and QUIC for bulk data transfer, which is much faster over high-latency paths.

https://github.com/crazyscot/qcp

bcrl•13m ago
That's why mosh exists, as it is purpose built for terminals over high latency / high packet loss links.
s-macke•42m ago
It is not faster in this sense. However, an SSH connection can have multiple substreams, especially for port forwarding. Over a single classical connection, this can lead to head-of-line blocking, where an issue in one stream slows everything down. QUIC/HTTP3 protocol can solve this.
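The head-of-line blocking described in the comment above can be seen in a small model. This is an added example, not part of the thread or of the ssh3 project; the trace, stream names and timings are constructed.

```python
from itertools import accumulate

# Constructed trace: (stream, arrival_ms), listed in the order the packets
# were sent. The second "forward" packet was lost once; its retransmission
# only arrives at t=250 ms.
TRACE = [
    ("shell", 10), ("forward", 11), ("shell", 12),
    ("forward", 250),
    ("shell", 14), ("forward", 15), ("shell", 16),
]


def deliver_single_ordered(trace):
    """SSH channels multiplexed over one TCP connection: a packet reaches the
    application only after every earlier packet, of any channel, has arrived."""
    ready = accumulate((t for _, t in trace), max)
    return [(stream, r) for (stream, _), r in zip(trace, ready)]


def deliver_per_stream(trace):
    """QUIC-style streams: ordering is enforced only within the same stream."""
    latest = {}
    delivered = []
    for stream, t in trace:
        latest[stream] = max(latest.get(stream, 0), t)
        delivered.append((stream, latest[stream]))
    return delivered


def worst_delay(trace, delivered, stream):
    """Largest gap (ms) between arrival on the wire and delivery upward."""
    return max(d - t
               for (s, t), (_, d) in zip(trace, delivered)
               if s == stream)


if __name__ == "__main__":
    for name, fn in (("single ordered stream", deliver_single_ordered),
                     ("independent streams", deliver_per_stream)):
        out = fn(TRACE)
        print(name,
              "| shell stalled:", worst_delay(TRACE, out, "shell"), "ms",
              "| forward stalled:", worst_delay(TRACE, out, "forward"), "ms")
```

In this model the interactive shell stalls for as long as the forwarded stream's retransmission takes when both share one ordered byte stream, and not at all when ordering is per stream.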
ahlCVA•1h ago
Previously: https://news.ycombinator.com/item?id=38664729
temp0826•1h ago
I don't know why it makes me a little sad that every application layer protocol is being absorbed into http.
chrisfosterelli•1h ago
It feels a little like a kludge as long as we keep calling it http. The premise makes sense -- best practices for connection initialization have become very complex and a lot of protocols need the same building blocks, so its beneficial to piggyback on the approach taken by one of the most battle tested protocols -- but it's not really hypertext we're using it to transfer anymore so it feels funny.
xg15•1h ago
Yeah, building it on top of QUIC is reasonable, but trying to shoehorn SSH into HTTP semantics feels silly.
conradludgate•34m ago
It's on top of HTTP CONNECT, which is intended for converting an existing request (QUIC stream) into a transparent byte stream. This removes the need to deal with request/response semantics.

The reasons stated to use http3 and not QUIC directly make sense with littlest downside - you can run it behind any standard http3 reverse proxy, under some subdomain or path of your choosing, without standing out to port scanners. While security through obscurity is not security, there's no doubt that it reduces the CPU overhead that many scanners might incur if they discover your SSH server and try a bunch of login attempts.

Running over HTTP3 has an additional benefit. It becomes harder to block. If your ssh traffic just looks like you're on some website with lots of network traffic, eg google meet, then it becomes a lot harder to block it without blocking all web traffic over http3. Even if you do that, you could likely still get a working but suboptimal emulation over http1 CONNECT

xg15•58m ago
If this were really the case, it would indeed be sad, as the standard HTTP request/response model is both too restrictive and too overengineered for many usecases.

But both HTTP/2 and QUIC (the "transport layer" of HTTP/3) are so general-purpose that I'm not sure the HTTP part really has a lot of meaning anymore. At least QUIC is relatively openly promoted as an alternative to TCP, with HTTP its primary usecase.

singpolyma3•21m ago
Indeed. "Using quic with a handshake that smells like http3" is hardly "using http" imo
fulafel•53m ago
Is there some indication that this is something that is going to be adopted? The linked ietf submission is an expired individual draft (which anyone can send in) and not from the ssh spec working group, sounds like this is from some researchers that used SSH3 as an optimistic name.
MrDarcy•42m ago
It’s a necessary evil resulting from misguided corporate security teams blocking and intercepting everything else.

Looking at you, teams who run Zscaler with tls man in the middle attack mode enabled.

zenmac•40m ago
Yeah we got those good old network ppl or their corporate (don't know much about tech) overlord to thank for that.

If you are ever using wifi in the airport or even some hotel with work suite unit around the world, you will notice that Apple Mail can't send or receive emails. It is probably some company wide policy to first block port 25 (that is even the case with some hosting providers) all in the name of fighting SPAM. Pretty soon, 143, 547, 993, 995.... are all blocked. Guess 80 and 443 are the only ones that can go through any firewalls nowadays. It is a shame really. Hopefully v6 will do better.

So there you go. And now EU wants to do ChatControl!!!! Please stop this nonsense, listen to the people who actually know tech.

Telemakhos•27m ago
Port 25 is insecure and unencrypted; EU doesn't even need ChatControl to hoover up that data, and you'd better believe anything going through an airport wifi router unencrypted is being hoovered by someone no matter what jurisdiction you're in. Apple mail prefers 587 for secure SMTP and 993 for secure IMAP.

People were (wisely) blocking port 25 twenty years ago.

AshamedCaptain•1h ago
Sure, someone paranoid about his SSH server being continuously probed by bots is going to excitedly jump to a new HTTP-SSH server that is going to be continuously probed by even more bots for HTTP exploits (easily an order of magnitude more traffic) AND whatever new fangled "HTTP-SSH" exploits appear.
she46BiOmUerPVj•1h ago
So with HTTP requests you can see the domain name in the header and forward it to the correct host. That was never a thing you could do with SSH, does this allow that to work?
billfor•1h ago
You can forward any ssh traffic based on the domain name with SNI redirection. You can also use that with, let's say the nginx stream module, to run ssh and http server on the same port.
finaard•39m ago
But that wasn't really a thing that was an issue with SSH.

    Host *.internal.example.com
      ProxyCommand ssh -q -W %h:%p hop.internal.example.com

in the SSH client config would make everything in that domain hop over that hop server. It's one extra connection - but with everything correctly configured that should be barely noticeable. Auth is also proxied through.
doubled112•26m ago
If you don't need to do anything complicated, ProxyJump is easier to remember.

    Host *.internal.example.com
      ProxyJump hop.internal.example.com
chupasaurus•15m ago
ProxyJump was implemented a decade ago to replace that specific string.
unsnap_biceps•24m ago
Newer versions of ssh support ProxyJump

  ssh -J hop.internal.example.com foo.internal.example.com
miduil•1h ago
I wonder what the current plans are with the project, it's been over a year since the last release - let alone commits or other activity on GitHub. As they've started working on the project with a paper - I guess they might be continuously working on other associated aspects?
psanford•51m ago
I do hate the name ssh3. I was glad to see this at the top of the repo:

> SSH3 is probably going to change its name. It is still the SSH Connection Protocol (RFC4254) running on top of HTTP/3 Extended connect, but the required changes are heavy and too distant from the philosophy of popular SSH implementations to be considered for integration. The specification draft has already been renamed ("Remote Terminals over HTTP/3"), but we need some time to come up with a nice permanent name.

zdw•43m ago
Same - this feels equivalent of some rando making a repo called "Windows 12" or "Linux 7".
bravetraveler•21m ago
LDAP2 or nextVFS... but point awarded. Feels that way because it is. Though my example kind of sucks. These things just are; not really versioned. I don't know if they'd call for ++

A better 'working name' would be something like sshttp3, lol. Obviously not the successor to SSH2

Velocifyer•10m ago
Does this still support standard SSH encryption and authentication (on both client and server)?