We have all these so-called secure messaging apps, some are OSS, some are not, it's kinda a mess.<p>I can open an ssh connection to a remote server, a friend can do the same, and we can use wall or tail files or whatever, essentially, we can chat, insecurely on a box that we have a secure connection to.<p>I am sure it would not be hard to make the ssh libraries the core of an app that chats, talks, walks, runs, or does whatever, securely.<p>Why aren't we just doing this instead of reinventing all these secure transports?
Classic "Worse is better"<p>I shall let Rob Pike explain:<p>When I was on Plan 9, everything was connected and uniform. Now everything isn't connected, just connected to the cloud, which isn't the same thing. And uniform? Far from it, except in mediocrity. This is 2012 and we're still stitching together little microcomputers with HTTPS and ssh and calling it revolutionary. I sorely miss the unified system view of the world we had at Bell Labs, and the way things are going that seems unlikely to come back any time soon.<p><a href="http://rob.pike.usesthis.com/" rel="nofollow">http://rob.pike.usesthis.com/</a>
SSH or SSL doesn't get you e.g. end-to-end security; the model you propose is equivalent to chatting via a server over HTTPS, which is indeed very common. (In general, OpenSSH is great but the SSH protocol itself isn't all that special.)<p>Something like TextSecure improves on the security of SSH/SSL for its specific use case: end-to-end security, message-level forward-security even if the receiver is offline at the moment, deniable messages (instead of allowing the receiver to prove you sent them), etc.<p>Many other applications use SSL as a transport and try to add some X-factor (integration with Facebook/GMail/$GAME/...); these applications would still get made if the underlying transport changed to SSH.
tl;dr: security is the issue, users can't be trusted<p>SSH is a 'general purpose' protocol for remote filesystem access. Clients with lax permissions are an attack risk. Non-technical users can't be depended upon to handle permissions. As such, SSH is commonly blocked at the firewall to prevent such malicious access.<p>HTTPS is rarely blocked. HTTPS is inherently safe because it doesn't grant access to anything that isn't explicitly defined in the HTTP-layer API. HTTPS connections are usually handled via browsers that come with sandboxed memory spaces; even if a malicious actor manages to establish remote code execution in the client there's little/no risk of compromising the user's OS via a buffer overflow or equivalent attack vector.
It takes a long time and many round trips to establish an SSH connection. You can keep a shared connection open as a workaround. But mobile devices (laptops included) don't persist connections, because batteries.<p>Maybe you could do it on top of mosh? <a href="https://mosh.mit.edu/" rel="nofollow">https://mosh.mit.edu/</a>