On Nov 24, 2014, at 11:04 AM, Les Mikesell <lesmikesell at gmail.com> wrote:

> On Mon, Nov 24, 2014 at 11:38 AM, Leon Fauster
> <leonfauster at googlemail.com> wrote:
>>
>> best practice is to not use clear text protocols anymore.
>
> Umm, yeah. Encrypted protocols would never be compromised….

That’s absolutist thinking. There is no such thing as absolute security.

There is, however, such a thing as illusory security. in.telnetd is a fine example of this.

Study the OpenSSH list of fixed security problems:

http://www.openssh.com/security.html

I see only three that are attacks against the protocol itself, which is all that’s within the scope of argument here. Everything else is an attack on some other part of the system which would apply to other programs, regardless of encryption. (e.g., A buffer overflow is a buffer overflow whether encrypted or not.)

Regardless, that list is pretty short for such a popular, security-focused 15-year-old program.

Now compare telnet: always vulnerable, all the time, since the day it was created, before most of the people on this list were born:

http://tools.ietf.org/html/rfc15