[NCLUG] webhosting question
Michael Dwyer
mdwyer at sixthdimension.com
Thu Oct 17 09:30:32 MDT 2002
Chris Riddoch wrote:
> Michael Dwyer <mdwyer at sixthdimension.com> writes:
>
>
>>quent wrote:
>>
>>>While I was being a little sarcastic, (sorry, I forgot to insert the
>>><sarcasm> tags) the current, sorry state of the infrastructure supporting
>>>decent security and authentication plays right into the hand of those
>>>guys. Although it's probably more about digital rights management than
>>>user safety.
>>
>>Yeah, but on the other hand, I'm somewhat of the mind that I should
>>toss SSH off my machines for a while and re-install telnet. Telnet
>>has only had one security issue in the last couple of months. But I
>>am /still/ not entirely convinced that SSH is safe...
>
>
> Your telnet *server* may be safe. Your passwords, while you're logging
> in to your machine using telnet, are quite unsafe. Anyone listening on
> the network (and it isn't hard to do that) will be able to see your
> username and password, and later be able to log in to your system as
> though they were you.
>
> That's an important difference. I could write a program that would
> listen on the telnet port and, given your username and password,
> authenticate you, run a command, and return the results to you.. Even
> if this program were perfectly written, (rather unlikely - secure
> programming is *hard*) anyone listening on the network would be able
> to see your username and password and do the exact same thing you
> could, having seen it.
Well, sure. But first, you would have to somehow compromise the route
between me and the server. Where I am now, that doesn't concern me
much. However, when you're at DefCon, on the wireless network, you'd
get your username and password stuck on the Wall Of Shame. When you are
using a cable modem, you should probably be worried.
Quent's point of using a one-time password is taken. But even if your
password system is secure, the transport still isn't. They are still
effectively reading your E-mail over your shoulder.
I am fully aware of the limits of telnet (and ftp, and pop, and imap,
and even assorted IM clients). I just hoped to point out that
'security' tools may just give you a false sense of security. Right
now, a telnet server on an odd port is more secure (= less likely to be
attacked, causing a root compromise) than an SSH server installed by
default with anything but the most recent distros.
But I digress... I only use SSH to access my machines. Actually, right
now, SSH is turned off at home, because I haven't been able to find the
time to patch them up... Alas, there's the rub.
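What the "anyone listening on the network" in Chris's reply actually gets, shown as an added example that is not from the original thread or any of its posters: a small parser that strips telnet IAC option negotiation from a captured session and pulls the username and password out of the client side of the login exchange. The capture below is constructed for the example (the login name, password, prompts and negotiation bytes are all made up), and the prompt patterns it keys on are an assumption about a typical Unix login banner, not a spec.

```python
import re

# Telnet command bytes (RFC 854): IAC introduces a command, the rest are the
# option negotiation verbs and the subnegotiation delimiters.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

# Assumed prompt shapes; a real sniffer would want more patterns than this.
USER_PROMPT = re.compile(rb"(?:login|username):\s*$")
PASS_PROMPT = re.compile(rb"password:\s*$")


def strip_telnet_commands(data: bytes) -> bytes:
    """Drop IAC negotiation from a telnet stream, keeping only the user data.

    IAC IAC is an escaped literal 0xFF; IAC DO/DONT/WILL/WONT <opt> is three
    bytes; IAC SB ... IAC SE is a variable-length subnegotiation.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        nxt = data[i + 1] if i + 1 < len(data) else None
        if nxt == IAC:
            out.append(IAC)
            i += 2
        elif nxt in (DO, DONT, WILL, WONT):
            i += 3
        elif nxt == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2  # two-byte command (NOP, GA, etc.) or a truncated IAC
    return bytes(out)


def extract_credentials(packets):
    """Walk (direction, payload) packets in capture order and recover the
    username and password typed in response to the server's prompts.

    direction is "S" (server -> client) or "C" (client -> server). The client
    sends one character per packet and the server echoes the username but
    not the password, which is why the client side is the one we read.
    """
    creds = {}
    field = None
    buf = bytearray()
    for direction, payload in packets:
        data = strip_telnet_commands(payload)
        if direction == "S":
            low = data.lower()
            if USER_PROMPT.search(low):
                field, buf = "username", bytearray()
            elif PASS_PROMPT.search(low):
                field, buf = "password", bytearray()
            continue
        if field is None:
            continue
        for b in data:
            if b in (0x0D, 0x0A):          # CR or LF ends the field
                creds[field] = buf.decode("ascii", errors="replace")
                field = None
                break
            if b in (0x08, 0x7F):          # backspace/DEL: user corrected a typo
                if buf:
                    buf.pop()
            elif b >= 0x20:                # printable: part of what was typed
                buf.append(b)
    return creds


# Constructed capture of a telnet login; nothing here is real traffic.
# Server offers TTYPE/NAWS, client declines; server announces ECHO and
# SGA, client accepts; then the usual login/password prompts.
CAPTURE = (
    [("S", b"\xff\xfd\x18\xff\xfd\x1f"), ("C", b"\xff\xfc\x18\xff\xfc\x1f"),
     ("S", b"\xff\xfb\x01\xff\xfb\x03login: "), ("C", b"\xff\xfd\x01\xff\xfd\x03")]
    + [p for ch in "mdwyer" for p in (("C", ch.encode()), ("S", ch.encode()))]
    + [("C", b"\r\x00"), ("S", b"\r\nPassword: ")]
    + [("C", ch.encode()) for ch in "hunter2"]
    + [("C", b"\r\x00"), ("S", b"\r\nLast login: Thu Oct 17 09:30:32 2002\r\n$ ")]
)

if __name__ == "__main__":
    print(extract_credentials(CAPTURE))
```

The same logic applied to the server side of the stream would recover the username (it is echoed) but not the password, which is exactly why a sniffer reads the client's packets; a one-time password scheme would make the captured value useless for a later login, but, as the post says, everything typed after it is still readable.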