Date: Mon, 6 May 2002 16:22:46 -0700 (PDT)
From: SolarfluX <solarflux@ziplip.com>
To: security@freebsd.org
Subject: Re: Telnet Exploit
Message-ID: <GTP3YE3JSQGUYEIE2F0SOTH3D3KQNJKUJJYERK0S@ziplip.com>
> > On Monday 06 May 2002 21:37, I wrote:
> > Why in the world are you using telnetd anyhow? You should be using SSHD
> > and never telnetd. Telnetd should be 'forbidden'...
>
> Borja wrote:
> Why? Do you think ssh is more secure? It may not be. Just think about the
> complexity of ssh. It has been hit by a bug in zlib, for example. Or has zlib
> had an audit as strict as ssh?
>
> Telnet has its problems, but we should not say that ssh is "more secure"
> acritically. It is obvious that it has advantages, however.

Are you for real? Have you ever sniffed a connection between two machines using ssldump? When looking at a telnet or ftp connection, it shows everything, clear as day. At least with ssh, you'd need the key or have to know how to exploit/crack it, which is MUCH harder to do than root a node somewhere along the path and sniff.

It's not just your systems that you have to worry about, either; it's all those intermediate systems that your data traverses between endpoints (which you have no control over, of course) that one needs to worry about. They can be broken into and used as sniffing points. Alas, this info is not new.

As long as OpenSSH exploits are fixed in a timely fashion, I consider sshd to be MUCH more secure than telnetd. The zlib bug argument is pretty weak.

As far as 'backwards-compatibility' goes, if an older system can't be upgraded to allow encrypted connectivity, it needs to be replaced by one that can. The idea here is to promote security and secure alternatives, and not archaic non-secure protocols/methods.
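The practical follow-up to this exchange is checking whether a host still offers cleartext login services at all. The audit below is an added example, not code from the thread or from FreeBSD: it parses inetd.conf(5) and rc.conf(5) style text, flags active entries for telnet and the r-services, and reports when sshd is not enabled. The two sample configurations are constructed.

```python
"""Audit inetd.conf / rc.conf text for cleartext login services and a disabled sshd.

Added example, not from the mailing-list thread. The line formats follow
inetd.conf(5) and rc.conf(5); the sample contents below are constructed.
"""
import re

# Constructed sample: telnet active on tcp and tcp6, ftp and rsh commented out.
SAMPLE_INETD_CONF = """\
#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
"""

# Constructed sample: inetd on, sshd explicitly off.
SAMPLE_RC_CONF = """\
hostname="host.example"
inetd_enable="YES"
sshd_enable="NO"
"""

def enabled_inetd_services(text):
    """Return the set of service names with an active (uncommented) inetd.conf entry."""
    services = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # inetd.conf(5) layout: service socktype proto wait/nowait user program [args]
        if len(fields) >= 6:
            services.add(fields[0])
    return services

def rc_conf_value(text, var):
    """Return the value assigned to VAR in rc.conf text (last assignment wins), or None."""
    pat = re.compile(r'^\s*%s\s*=\s*"?([^"#]*)"?' % re.escape(var))
    value = None
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            value = m.group(1).strip()
    return value

def audit(inetd_text, rc_text):
    """Return findings: cleartext remote-login services enabled, sshd not enabled."""
    findings = []
    active = enabled_inetd_services(inetd_text)
    for svc in ("telnet", "shell", "login", "exec"):  # cleartext remote-login services
        if svc in active:
            findings.append("cleartext service '%s' is enabled in inetd.conf" % svc)
    sshd = rc_conf_value(rc_text, "sshd_enable")
    if sshd is None or sshd.upper() != "YES":
        findings.append("sshd_enable is not YES in rc.conf")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INETD_CONF, SAMPLE_RC_CONF):
        print("FINDING:", finding)
```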