Stephen Farrell <stephen.farrell@xxxxxxxxx> wrote:
>>> Hiya,
>>>
>>> On 02/12/2020 23:19, Scott O. Bradner wrote:
>>>> I fully agree with John
>>>> I see no justification to move telnet &/or FTP to historic since they are in use (even if
>>>> some people would rather that not be the case) and neither presents a clear danger
>>>> to the proper functioning of the Internet
>>>
>>> I gotta wonder about that last. Wouldn't it be credible to
>>> argue that telnet is in fact a real danger, if one looks at
>>> all the CVEs that've reported on ports with admin/admin
>>> access? I'm not sure if it'd be the right thing to do, but
>>> I do think one can credibly argue that deprecating telnet
>>> might be worthwhile.
>>
>> Default passwords with admin/admin is an orthogonal issue. It can happen just as
>> easily with SSH or HTTPS as with TELNET. Telnet has risks but don’t blame TELNET
>> for bad password selection.
> Well, yes and no. With telnet that credential is leaked
> to everyone listening on the network and with ssh, mostly
> there's sshd_config that can be used to repair a dodgy
> initial deployment.

Replacing telnet with ssh and still using passwords that never get changed is less secure in my opinion. You mention "sshd_config", but frankly, if you knew how to do that, then you wouldn't have the problem in the first place. At least nobody pretends telnet is secure.