Date:      Tue, 14 Aug 2001 22:02:37 -0700
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Greg Lehey" <grog@FreeBSD.ORG>, "Ryan Thompson" <ryan@sasknow.com>
Cc:        "William Nunn" <yorkie123@hotmail.com>, <freebsd-questions@FreeBSD.ORG>
Subject:   RE: Remotely Exploitable telnetd bug
Message-ID:  <000201c12547$807d8520$1401a8c0@tedm.placo.com>
In-Reply-To: <20010814171150.S61413@wantadilla.lemis.com>

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Greg Lehey
>
>The best alternative is: don't use telnet.  Even with this fix, the
>protocol is inherently insecure.
>

At the risk of starting a flame war, it's not the Telnet protocol that's
insecure, it's the entire TCP/IP protocol - if, that is, you define insecure as
sending passwords in cleartext.  FTP, POP3 and many other commonly used TCP/IP
protocols are inherently insecure using this definition.

Also, there's the argument about whether the "security", if, that is, you mean
encryption, should be carried out by the hardware itself.  The
military uses this approach for example - the 'secure' military networks run
in separate conduits, and have physical security that the insecure networks
don't.

SSH is the quickly slapped-out alternative that people promote over Telnet as
being "secure".  But, an SSH client is worthless if it's run on a system that
is full of holes and has been compromised.  It's child's play for an attacker
with root access to replace the SSH client with one that's been modified to
save off usernames and passwords.

The TRULY best alternative is to thoroughly understand all of the security
issues and plug all the holes that are there.  Simple solutions like "don't
use Telnet" are nothing more than a start; they are not the answer.


Ted Mittelstaedt                                       tedm@toybox.placo.com
Author of:                           The FreeBSD Corporate Networker's Guide
Book website:                          http://www.freebsd-corp-net-guide.com
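An added example, not part of this message or the thread, that turns the cleartext-password point above into detection logic: a small Python scanner runs over constructed client-to-server payloads for FTP, POP3, Telnet and SSH and flags the sessions that carry a reusable password in the clear. All stream contents, usernames and passwords are made up for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed client-to-server payloads, the shape an IDS would see after
# reassembling each TCP stream. Users and passwords are made up.
SAMPLE_STREAMS = [
    {"proto": "ftp",    "payload": "USER alice\r\nPASS hunter2\r\nCWD /pub\r\n"},
    {"proto": "pop3",   "payload": "USER bob\r\nPASS s3cret\r\nSTAT\r\n"},
    # APOP sends a digest of a server challenge, not the password itself.
    {"proto": "pop3",   "payload": "APOP bob 8c7f9a0d1e2b3c4d5e6f7a8b9c0d1e2f\r\n"},
    # Telnet has no login command: the user types name and password as
    # plain lines in reply to the server's login:/Password: prompts.
    {"proto": "telnet", "payload": "carol\r\nletmein\r\nls -l\r\n"},
    {"proto": "ssh",    "payload": "SSH-2.0-OpenSSH_8.9\r\n"},
]

@dataclass
class Finding:
    proto: str
    username: str
    reason: str

# FTP and POP3 share the USER <name> / PASS <secret> command form.
_USER_PASS = re.compile(r"^USER\s+(\S+)\r\n(?:.*\r\n)*?PASS\s+\S+\r\n", re.M)

def find_cleartext_credential(stream: dict) -> Optional[Finding]:
    """Return a Finding if the stream carries a reusable password in the clear."""
    proto, payload = stream["proto"], stream["payload"]
    if proto in ("ftp", "pop3"):
        m = _USER_PASS.search(payload)
        if m:
            return Finding(proto, m.group(1), "USER/PASS sent unencrypted")
        return None
    if proto == "telnet":
        lines = payload.split("\r\n")
        # Heuristic: the first two non-empty client lines are the login dialogue.
        if len(lines) >= 2 and lines[0] and lines[1]:
            return Finding(proto, lines[0], "login dialogue typed in cleartext")
    return None  # SSH and unknown protocols: nothing readable to report

def scan(streams: List[dict]) -> List[Finding]:
    """Run the detector over every stream and collect the findings."""
    return [f for f in (find_cleartext_credential(s) for s in streams) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_STREAMS):
        print(f"{f.proto:6} user={f.username!r}: {f.reason}")
```

The APOP and SSH streams produce no finding, which is the point: the protocol, not TCP/IP, decides whether a password crosses the wire readable.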
