From owner-freebsd-questions Tue Aug 14 22:14:58 2001
Date: Wed, 15 Aug 2001 14:44:53 +0930
From: Greg Lehey
To: Ted Mittelstaedt
Cc: Ryan Thompson, William Nunn, freebsd-questions@FreeBSD.ORG
Subject: Re: Remotely Exploitable telnetd bug
Message-ID: <20010815144453.U49989@wantadilla.lemis.com>
Organization: The FreeBSD Project

On Tuesday, 14 August 2001 at 22:02:37 -0700, Ted Mittelstaedt wrote:
>
>> -----Original Message-----
>> From: owner-freebsd-questions@FreeBSD.ORG
>> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Greg Lehey
>>
>> The best alternative is: don't use telnet. Even with this fix, the
>> protocol is inherently insecure.
>
> At the risk of starting a flame war, it's not the Telnet protocol that's
> insecure, it's the entire TCP/IP protocol - if that is you define insecure as
> sending passwords in cleartext.

I don't understand this. TCP and IP don't have the concept of a
password.

> FTP, POP3 and many other commonly used TCP/IP protocols are
> inherently insecure using this definition.

Definitely. In fact, POP is quite a problem because I don't know of
any well-known secure alternative. But those are the individual
protocols, not TCP and IP. ssh runs over TCP and IP as well, but it's
secure, at least by this definition.

> But, a SSH client is worthless if it's run on a system that is full
> of holes and has been compromised.

This applies to all security systems, of course.

> Simple solutions like "don't use Telnet" are nothing more than a
> start, they are not the answer.

Correct.

Greg
--
See complete headers for address and phone numbers