On Dec 14, 1:21pm, Taylor R Campbell wrote: } > Date: Fri, 14 Dec 2018 09:46:08 +0100 } > From: Edgar Fuß <e...@math.uni-bonn.de> } > } > > Y'all seem to think it's totally reasonable to telnet in the open internet } > What's the problem with "telnet www.uni-bonn.de http"? } } If the telnet client is remotely exploitable then that exposes you to } exploitation by www.uni-bonn.de and by anyone on the internet between } you and www.uni-bonn.de. The attack surface is unmaintained network } code from the '80s. } } > Date: Fri, 14 Dec 2018 02:13:40 -0800 } > From: John Nemeth <jnem...@cue.bc.ca> } > } > This statement is total nonsense. It works just fine. And, } > it's not like there is a crap-ton of CVEs against it. In fact, } > there have been almost none, which is pretty impressive considering } > how old the code is. } } This reflects how little attention telnet has gotten, not how much } scrutiny it has withstood.
That is certainly one interpretation. But, I'm going to disagree. As kre noted, it is probably the oldest network application around. According to Wikipedia, the protocol was developed in 1969, predating TCP/IP, which means that it is probably the oldest TCP/IP application there is. It continued to be used long after SSH became common. In fact, the last major issue that comes to my mind, which was in telnetd, was found long after SSH became common. I'm quite sure that it has received a lot of scrutiny over the years. } If it is used only on a carefully isolated network for something like } a serial management console, that's not really worse than the security } of a lot of management console tooling, but it's not clear to me that } it needs to be in base any more than ipmitool or amtterm. We should I actually wouldn't mind seeing ipmitool in base. Of course, it would be better if our kernel driver was capable of doing more then just reading a handful of sensors, like actually being able to do things like configure the IPMI network settings. ipmitool is very useful for people running real servers. The biggest limitation is our sucky ipmi(4). } at least have warnings on it until someone takes up maintenance not to } use it on the open internet. This is like putting a warning on a gun that says, "don't point at self". This might be considered sensible in the highly litigious US, but for most of the world, this is a ridiculous notion. BTW, even if "someone takes up maintenance" it would still be an unencrypted protocol, so it still wouldn't be usable in a security sensitive setting. Furthermore, why make life more difficult for us crusty old people for no particularly good reason? I've been using telnet to manually do SMTP since the late 80s. Yes, I could learn nc, but I prefer to spend my time on more important tasks that then replacing things that work perfectly well. }-- End of excerpt from Taylor R Campbell