[OpenISO] TELNET

Tonnerre LOMBARD tonnerre at ffii.org
Sat Sep 8 18:06:48 CEST 2007 

Good morning, gentlemen,

I would like to comment on the comments submitted here.

On Sat, Sep 08, 2007 at 04:28:07PM +0100, Std Lib0 wrote:
> OI STD-E???:2007 TELNET
> ====================
> 
> INTRODUCTION:
> ------------------------
> This is the OpenISO evaluation of the RFC 854.
> 
> > The purpose of the TELNET Protocol is to provide a fairly general,
> > bi-directional, eight-bit byte oriented communications facility. Its
> > primary goal is to allow a standard method of interfacing terminal
> > devices and terminal-oriented processes to each other. It is
> > envisioned that the protocol may also be used for terminal-terminal
> > communication ("linking") and process-process communication
> > (distributed computation).

Fine, let's keep this in mind.

> PROBLEMS:
> -------------------
> 
> ### Comment 1: ###
> No use of UNICODE or other international character set approved by
> OpenISO.

In fact, as you even copied above, it does not use _any_ character set
at all. telnet is a n 8-bit byte oriented message exchange facility, and
as such leaves it up to the applications running on top of it to define
the character set. (e.g. the login program/sequence on UNIX systems.)

> ### Comment 2: ###
> There is no message integrity verification, so commands can be inserted
> and removed

The message integrity verification is left to the communication layer
telnet is running on, in this case TCP. This is important to notice,
because the protocol IPv6 supports an additional IP Security feature
which will actually take care of this. So the problem was rather in

1. the understanding of security at that point in time (1983), causing
2. the relative insecurity of the IP and TCP transmission layer.

If you consult your OSI layer map, you will realize quickly that data
coherency and protection is actually a layer 4 feature, while telnet is
situated on upper layers.

> ### Comment 3: ###
> There is no message secrecy, so commands and parameters can be seen

See above.

> ### Comment 4: ###
> The authentication password is transmitted in plaintext

See above. Also, authentication is not a method of the telnet protocol.
You can authenticate securely over telnet using the Kerberos
authentication facility.

> ### Comment 5: ###
> There is an alternative standard called SSH without the problems in
> comments 1-4.

But one might argue that SSH actually does these things on the wrong
layer. It is possible to have a perfectly secure telnet session over the
new IPv6 protocol suite.

> ### Comment 6: ###
> The plaintext protocol is so raw that it can be used to manually debug and
> interact with other simple plaintext protocols such as HTTP, by sending
> plaintext queries and visualizing the responses.

That's kindof «standard abuse» ;-)

> - No Patents: See Comment #.

Actually, if you're picky, there are patents that might cover telnet.
There is, for example, a patent on remote execution of commands which
covers all of HTTP, RPC, telnet and ssh. The applicability of this
patent is highly debated but not judged yet. If you want to find it, try
http://ep.espacenet.com/advancedSearch?locale=en_EP

				Tonnerre
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 827 bytes
Desc: Digital signature
Url : http://OpenISO.org/pipermail/discuss/attachments/20070908/5cb3b6c2/attachment.pgp

More information about the Discuss mailing list