From owner-freebsd-security Mon May 6 16:23:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from ziplip.com (mail.ziplip.com [128.242.109.119]) by hub.freebsd.org (Postfix) with ESMTP id 7ED0637B404 for ; Mon, 6 May 2002 16:23:39 -0700 (PDT) Received: from 10.1.0.21 (EHLO 10.1.0.21 10.1.0.21 [10.1.0.21] (may be forged)) by 10.1.0.21 with ESMTP id for ; 06 May 2002 16:22:46 -0700 (PDT) Message-ID: Date: Mon, 6 May 2002 16:22:46 -0700 (PDT) From: SolarfluX Reply-To: solarflux@ziplip.com To: security@freebsd.org Subject: Re: Telnet Exploit Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-ZLPwdHint: X-ZLExpiry: -1 X-ZLReceiptConfirm: N X-ZLAuthType: WEB-MAIL X-ZLAuthOn: Y X-Mailer: ZipLip Sonoma v3.2 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > On Monday 06 May 2002 21:37, I wrote: > > Why in the world are you using telnetd anyhow? You should be using SSHD > > and never telnetd. Telnetd should be 'forbidden'... > Borja wrote: > Why? Do you think ssh is more secure? It may not be. Just think about the > complexity of ssh. It has been hit by a bug in zlib, for example. Or has zlib > had an audit as strict as ssh? > > Telnet has its problems, but we should not say that ssh is "more secure" > acritically. It is obvious that it has advantages, however. Are you for real? Have you ever sniffed a connection between two machines using ssldump? When looking at a telnet or ftp connection, it shows everything, clear as day. At least with ssh, you'd need the key or have to know how to exploit/crack it, which is MUCH harder to do than root a node somewhere along the path and sniff. It's not just your systems that you have to worry about, either, it's all those intermediate systems that your data traverses between endpoints (which you have no control over, of course) that one needs to worry about. They can be broken into and used as sniffing points. Alas, this info is not new. As long as OpenSSH exploits are fixed in a timely fashion, I consider sshd to be MUCH more secure than telnetd. The zlib bug argument is pretty weak. As far as 'backwards-compatibility' goes, if an older system can't be upgraded to allow encrypted connectivity, it needs to be replaced by one that can. The idea here is to promote security and secure alternatives, and not archaic non-secure protocols/methods. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message