Date:      Wed, 15 Aug 2001 14:44:53 +0930
From:      Greg Lehey <grog@FreeBSD.org>
To:        Ted Mittelstaedt <tedm@toybox.placo.com>
Cc:        Ryan Thompson <ryan@sasknow.com>, William Nunn <yorkie123@hotmail.com>, freebsd-questions@FreeBSD.ORG
Subject:   Re: Remotely Exploitable telnetd bug
Message-ID:  <20010815144453.U49989@wantadilla.lemis.com>
In-Reply-To: <000201c12547$807d8520$1401a8c0@tedm.placo.com>; from tedm@toybox.placo.com on Tue, Aug 14, 2001 at 10:02:37PM -0700
References:  <20010814171150.S61413@wantadilla.lemis.com> <000201c12547$807d8520$1401a8c0@tedm.placo.com>

On Tuesday, 14 August 2001 at 22:02:37 -0700, Ted Mittelstaedt wrote:
>
>> -----Original Message-----
>> From: owner-freebsd-questions@FreeBSD.ORG
>> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Greg Lehey
>>
>> The best alternative is: don't use telnet.  Even with this fix, the
>> protocol is inherently insecure.
>
> At the risk of starting a flame war, it's not the Telnet protocol that's
> insecure, it's the entire TCP/IP protocol - if, that is, you define insecure as
> sending passwords in cleartext.

I don't understand this.  TCP and IP don't have the concept of a
password.

>  FTP, POP3 and many other commonly used TCP/IP protocols are
> inherently insecure using this definition.

Definitely.  In fact, POP is quite a problem because I don't know of
any well-known secure alternative.  But those are the individual
protocols, not TCP and IP.  ssh runs over TCP and IP as well, but it's
secure, at least by this definition.

> But, a SSH client is worthless if it's run on a system that is full
> of holes and has been compromised.

This applies to all security systems, of course.

> Simple solutions like "don't use Telnet" are nothing more than a
> start, they are not the answer.

Correct.

Greg
--
See complete headers for address and phone numbers
