Am 15.12.2018 um 23:08 schrieb Taylor R Campbell
<campbell+netbsd-tech-userle...@mumble.net>:
>> Date: Sat, 15 Dec 2018 22:38:10 +0100
>> From: Anders Magnusson <ra...@ludd.ltu.se>
>>
>> I'm pretty sure that all users of telnet know what the implications
>> are. If they don't then it doesn't matter whether it is in base or not.
>
> One of the implications at the moment is that anyone on the internet
> between you and the remote host can crash your telnet client[*] with
> no user interaction beyond making a connection.
Block http/https and Javascript if you want security on the internet...
>
> This is _not_ the traditional and by now well-understood security
> problem of telnet that it has no secrecy or authentication. And
> cursory examination of the telnet code -- together with its origins in
> an era when the internet was a safe place -- does the opposite of
> inspiring confidence that this hole is isolated.
The internet was never a safe place and nobody ever claimed it was. It was
insecure from the beginning, by design.
>
> Given that a large fraction of respondents (though not all) indicated
> that their primary use of telnet is to test reachability of a server
> or manually enter SMTP or HTTP requests over the internet -- a use
> which is adequately served by the much smaller and much more
> confidence-inspiring usr.bin/nc -- I think this _does_ constitute a
> serious danger that warrants the scrutiny it is getting.
I disagree. Both telnet and telnetd are still valid citizens in NetBSD Town.
>
>
> [*] Whether it can lead to arbitrary code execution, I don't know, and
> I'm not interested in studying further to find out; it doesn't
> take much to get arbitrary code execution, like a single null byte
> heap buffer overflow:
>
> https://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html
