On Mon, Nov 24, 2014 at 11:38 AM, Leon Fauster <leonfauster at googlemail.com> wrote:
> On 24.11.2014 at 18:11, Frank Cox <theatre at melvilletheatre.com> wrote:
>> On Mon, 24 Nov 2014 08:46:33 -0600
>> John R. Dennison wrote:
>>
>>> Why are you wanting to use telnet in the first place?
>>
>> I don't know what his use case is, but I installed telnet on this computer a while back for the Android Remote Keyboard app.
>>
>> https://play.google.com/store/apps/details?id=de.onyxbits.remotekeyboard
>
>
> best practice is to not use clear text protocols anymore.

Umm, yeah. Encrypted protocols would never be compromised....

--
Les Mikesell
lesmikesell at gmail.com

On Mon, Nov 24, 2014 at 12:04:30PM -0600, Les Mikesell wrote:
>
> Umm, yeah. Encrypted protocols would never be compromised....

Which do you think is more likely? Someone sniffing a cleartext credential set on the wire or someone subverting an alleged "secure" encrypted protocol?

Nothing is bullet-proof, we all know this, but you at least make an attempt not to run cleartext crap.

John
--
Those who know do not speak; those who speak do not know.

-- Tao

On Mon, Nov 24, 2014 at 12:12 PM, John R. Dennison <jrd at gerdesas.com> wrote:
> On Mon, Nov 24, 2014 at 12:04:30PM -0600, Les Mikesell wrote:
>>
>> Umm, yeah. Encrypted protocols would never be compromised....
>
> Which do you think is more likely? Someone sniffing a cleartext
> credential set on the wire or someone subverting an alleged "secure"
> encrypted protocol?

For things that matter, you should expect both. For things that don't matter, well they don't matter.

--
Les Mikesell
lesmikesell at gmail.com

On 11/24/2014 10:04 AM, Les Mikesell wrote:
> Umm, yeah. Encrypted protocols would never be compromised....

door locks can be picked, so I should never lock my doors?

--
john r pierce 37N 122W
somewhere on the middle of the left coast

On Nov 24, 2014, at 11:04 AM, Les Mikesell <lesmikesell at gmail.com> wrote:
> On Mon, Nov 24, 2014 at 11:38 AM, Leon Fauster
> <leonfauster at googlemail.com> wrote:
>>
>> best practice is to not use clear text protocols anymore.
>
> Umm, yeah. Encrypted protocols would never be compromised....

That's absolutist thinking. There is no such thing as absolute security.

There is, however, such a thing as illusory security. in.telnetd is a fine example of this.

Study the OpenSSH list of fixed security problems:

http://www.openssh.com/security.html

I see only three that are attacks against the protocol itself, which is all that's within the scope of argument here. Everything else is an attack on some other part of the system which would apply to other programs, regardless of encryption. (e.g., A buffer overflow is a buffer overflow whether encrypted or not.)

Regardless, that list is pretty short for such a popular, security-focused 15-year-old program.

Now compare telnet: always vulnerable, all the time, since the day it was created, before most of the people on this list were born:

http://tools.ietf.org/html/rfc15

On Nov 24, 2014, at 3:46 PM, Warren Young <wyml at etr-usa.com> wrote:
> Now compare telnet: always vulnerable, all the time, since the day it was created, before most of the people on this list were born:

Technically, you can run kerberized (krb5) telnet/telnetd, and it's not quite as insecure as unkerberized telnet. The telnet protocol supports security measures, but most people just use OpenSSH (which can do a lot more) so there's little effort being made to widely use it.

I doubt the OP was setting up krb5 telnetd, though.

--
Jonathan Billings <billings at negate.org>