[NCLUG] webhosting question

Chris Riddoch socket at peakpeak.com
Wed Oct 16 21:48:29 MDT 2002


Michael Dwyer <mdwyer at sixthdimension.com> writes:

> quent wrote:
> > While I was being a little sarcastic, (sorry, I forgot to insert the
> > <sarcasm> tags) the current, sorry state of the infrastructure supporting
> > decent security and authentication plays right into the hand of those
> > guys. Although it's probably more about digital rights management than
> > user safety.
> 
> Yeah, but on the other hand, I'm somewhat of the mind that I should
> toss SSH off my machines for a while and re-install telnet.  Telnet
> has only had one security issue in the last couple of months.  But I
> am /still/ not entirely convinced that SSH is safe...

Your telnet *server* may be safe. Your passwords, while you're logging
in to your machine using telnet, are quite unsafe. Anyone listening on
the network (and it isn't hard to do that) will be able to see your
username and password, and later be able to log in to your system as
though they were you.

That's an important difference.  I could write a program that would
listen on the telnet port and, given your username and password,
authenticate you, run a command, and return the results to you.  Even
if this program were perfectly written (rather unlikely - secure
programming is *hard*), anyone listening on the network would be able
to see your username and password and do the exact same thing you
could, having seen it.

As for SSH, a flaw may occasionally be discovered. That's why you keep
your system up to date on patches, promptly, after the discovery.
There are too many Linux boxes out there where the maintainer isn't
really maintaining the system, and the vast majority of viruses and
worms act against flaws that have been discovered *and* fixed.

The bottom line is that you're safer with SSH than telnet.

-- 
Chris Riddoch       | epistemological
socket at peakpeak.com | humility
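
The point above about telnet logins being readable on the wire, shown as an added example that is not part of the original message: a small parser that strips telnet option negotiation from a client-to-server byte stream and returns what anyone on the path would read. The byte stream, the username "alice" and the password "correct-horse" are constructed sample values, not a real capture.

```python
# Added example: reconstruct what a passive listener reads from a telnet login.
IAC, SE, SB = 255, 240, 250                 # RFC 854 command bytes
WILL, WONT, DO, DONT = 251, 252, 253, 254   # option negotiation verbs


def strip_negotiation(stream: bytes) -> bytes:
    """Drop telnet IAC command sequences, keeping only the user data."""
    out = bytearray()
    i = 0
    while i < len(stream):
        if stream[i] != IAC:
            out.append(stream[i])
            i += 1
            continue
        if i + 1 >= len(stream):
            break                            # capture ends mid-command
        cmd = stream[i + 1]
        if cmd == IAC:                       # IAC IAC = literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):  # IAC <verb> <option>
            i += 3
        elif cmd == SB:                      # runs to IAC SE (escaped 0xFF inside not handled)
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break                        # unterminated subnegotiation
            i = end + 2
        else:                                # other two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(out)


def observer_view(stream: bytes) -> list[str]:
    """Return the lines the client typed, as anyone on the path would read them."""
    data = strip_negotiation(stream)
    data = data.replace(b"\r\x00", b"\n").replace(b"\r\n", b"\n")
    return data.decode("ascii", errors="replace").splitlines()


# Constructed client-to-server bytes (not a real capture): option negotiation,
# a terminal-type subnegotiation, then the username and password as typed.
CAPTURE = (
    bytes([IAC, WILL, 24, IAC, DO, 1, IAC, DO, 3])
    + bytes([IAC, SB, 24, 0]) + b"xterm" + bytes([IAC, SE])
    + b"alice\r\x00" + b"correct-horse\r\x00"
)

if __name__ == "__main__":
    for line in observer_view(CAPTURE):
        print(repr(line))
```

Nothing in the stream has to be broken or guessed: once the negotiation bytes are skipped, the credentials are ordinary ASCII.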


