A warning word about telnet

Someone just asked (on a network operators list!) whether telnet had a vulnerability, because he knew of a switch that was on the Internet and accessible via telnet… This was my response.

telnet does not of itself encrypt anything. If you log in somewhere via telnet, everything that passes between you and the remote end is passing in clear text. That is true for all data sent to you or from you during the whole session, but especially for the username and password you may have used to log in with.

Unless you have secured the channel by some other means (an encrypted tunnel, for example) or you own and control and can vouch for every piece of the infrastructure between you and the remote end, using telnet is just about the most insecure thing you can do short of mailing stuff to yourself on postcards.

Someone who puts a real switch doing real work on the Internet with working telnet access is asking to have at least the switch compromised very quickly. A plaything, a honeypot, or a teaching tool – maybe. Anything else, probably a bad idea.

Remember that if I own your switch, I own all the data sent to or from any system connected to that switch…

Leave a Reply

Your email address will not be published. Required fields are marked *