[Ma-linux] Two Sun Announcements
mstone at mathom.us
Tue Feb 13 15:06:40 EST 2007
On Tue, Feb 13, 2007 at 01:53:39PM -0500, Theodore Ruegsegger wrote:
>Mike pointed out:
>> You are aware that ssh has had more vulnerabilities than telnet in
>> the last few years, right?
>No, I wasn't, but it doesn't surprise me that a newer protocol, in
>active use, will have more folks banging on it.
More that it's a more complicated protocol and harder to get right. The
funny thing about this solaris bug is that it was fixed years ago and
reintroduced--that's just carelessness.
>Telnet is inherently insecure, so no one would be looking for the
>kinds of vulnerabilities they look for with ssh. Naturally, if the
>daemon gives you privileges beyond what your account (or, in the case
>of telnet, the account whose credentials you sniffed) should get,
>that's a whole 'nother problem, regardless what protocol you're using.
>But please satisfy my curiosity: why would you use telnet today? Why
>even enable it?
Why not? Sorry, this thread just touched a nerve--I've heard more than I
want over the last couple of days about how telnet is inherently
problematic and ssh is the answer. WHY? How can anyone make that kind of
statement without enumerating the risks in their environment, their
mitigations, etc.? What if I'm running ipsec? What does ssh get for me
over telnet in that environment? (Other than a more complicated protocol
with more inherent opportunities for coding errors and less ability to
monitor what's happening?) What if I'm on a trusted local network? What
if I'm worried about other things than network sniffing? See, the big
threat in today's world (not the world of 15 years ago) is sniffing *at
a compromised endpoint*. People by and large aren't sniffing wan links,
and switched networks have made it hard _enough_ that most people don't
bother trying to sniff lan links, either. But sniffing at a compromised
host? *That's* where the action is--and ssh doesn't buy you bupkis in
that scenario. This kneejerk "turn off telnet, use ssh" meme tends to
contribute to a shallow risk assessment that completely misses the
thrust of the major attack trends of the past few years.
Sorry, read too many shallow responses to the solaris bug in the past
More information about the Ma-linux