> Date: Fri, 14 Dec 2018 09:46:08 +0100
> From: Edgar Fuß <e...@math.uni-bonn.de>
>
> > Y'all seem to think it's totally reasonable to telnet in the open internet
> What's the problem with "telnet www.uni-bonn.de http"?

If the telnet client is remotely exploitable then that exposes you to exploitation by www.uni-bonn.de and by anyone on the internet between you and www.uni-bonn.de. The attack surface is unmaintained network code from the '80s.

> Date: Fri, 14 Dec 2018 02:13:40 -0800
> From: John Nemeth <jnem...@cue.bc.ca>
>
> This statement is total nonsense. It works just fine. And,
> it's not like there is a crap-ton of CVEs against it. In fact,
> there have been almost none, which is pretty impressive considering
> how old the code is.

This reflects how little attention telnet has gotten, not how much scrutiny it has withstood. If it is used only on a carefully isolated network for something like a serial management console, that's not really worse than the security of a lot of management console tooling, but it's not clear to me that it needs to be in base any more than ipmitool or amtterm. We should at least have warnings on it until someone takes up maintenance not to use it on the open internet.