Why is Telnet Insecure?
Telnet lacks several security features. Avoid using it over public internet to prevent eavesdropping.
Telnet client and server sessions lack encryption. Text is sent as plain text. With access to the TCP/IP packet flow between hosts, you can intercept and re-establish endpoint data flow.
The interception allows for eavesdropping. Telnet was developed before the internet mainstream features took over; no wonder its encryption is a mystery.
The Secure Shell (SSH) protocol entrance made Telnet a legacy- functional but outdated- protocol. All the data, including passwords, usernames, and credit card details, are accessible to the man-in-the-middle. But equipped with a network debugging tool, you can avoid the network attack.
What is Telnet?
Telnet acquired its name from the phrase terminal network. It’s a teletype network protocol developed in 1969. The Telnet protocol allows you to connect to a host over the standard TCP/IP. It uses a command line communication interface (CLI) to connect a remote server(s) to a client. You can access two remote computers virtually in bi-directional, text-based, and collaborative communication. Telnet creates the remote sessions from the TCP/IP command. The web access uses HTTP and FTP to interact with the remote servers and clients.
How does Telnet work?
Telnet is a client-server protocol. You can access a server by opening a command line. Standard protocols enable physical connections for a Telnet virtual terminal connection emulator to a client Telnet uses the TCP/IP port number 23 for remote access. File Transfer protocols used with Telnet can transfer data files between the client and the server. Telnet prompts them to key in passwords and usernames to connect users remotely. The user can then run command lines as though they’re logged in to their computer personally. Despite the user's physical location, the IP address matches the logged computer instead of the physically connected one.
2 reasons why you should ditch Telnet
Here’s Richi Jennings’ report in January 2020, “A hacker had deliberately leaked a list of 515,000+ logins. It turns out there are countless devices on the internet with open telnet ports. And loads of them have an easily guessable username/password combos.”
Telnet is as old school as it sounds. Modern security features require networking protocols to prioritize data confidentiality, integrity, and authenticity. Encryption safeguards your data from any breach; packet sniffing, eavesdropping, etc.
Yet Telnet will expose you to these vulnerabilities. You can learn why you should avoid using Telnet and choose a better alternative;
1. Plain text passwords and usernames
As aforementioned, every data in transit over telneted computers are in plain text. Such a vulnerability poses threats to data privacy. An attacker can read passwords, log into user accounts and databases, and steal data. This forms the basis of doxxing, among other cyber security threats. Service providers and companies should alternatively hash and salt user passwords for security reasons. Salted and hashed passwords have extra data added to the password and scrambled uniquely. If an attacker accesses and steals the password, it won’t work because they cannot reverse the scrambled pattern.
Why is plaintext password risky?
- No restricted access
Plaintext characters are readable, and any (un)authorized person can access your account or company database. They decide what to do with the data. In case the person has malicious intentions, you will fall victim. An attacker may also use your password to log in to other accounts with encrypted passwords. Many brute force attacks have happened this way.
- Susceptibility to a man-in-the-middle attack
There are instances where you must share passwords. Email plaintext password sharing should not be your last option. Why? You send emails using a device, and the recipient should open it. The man-in-the-middle attacker collects all your shared data. Encryption protects you by encrypting the password before sharing.
- Guessable and predictable patterns
In case your plaintext password is intercepted and stolen while in transit, and you changed it concurrently, your friends, for instance, can guess your passwords just like they do to secret questions. Notably, some applications have pre-configured passwords known to serial intruders. Another way of messing up your password is to allow the local administrator to set it for you in your network.
- You lose private data
When an intruder steals your data (password) on the network when telneted computers communicate, you don't need to lose your data and right of ownership. Many users have reported instances where they have been doxxed and spammed.
2. No data encryption
Passwords shared among telneted computers are plaintext and remain unaltered. It has no hash version to convert and scramble it. Attackers put no significant effort into stealing it. Whenever you key in the password, there’s no sophisticated authentication required. An encrypted password appears like the one below;
Original: Pr@&ma_3
Hashed: X146Y085Z7CAN19BE248GO98OD
Salted passwords are even much better, though hashing is incomparable with plaintext.
Because Telnet faced a lot of vulnerabilities and posed many threats, Secure Shell (SSH) came in handy to resolve the issues.
Why is SSH better than Telnet?
SSH provides a more secure remote system connection. SSH secures user identification credentials, usernames, passwords, etc., from malice. It safeguards user anonymity on vulnerable networks. By default, it uses the TCP port 22, though you can change it. While Telnet lacks a secure authentication mechanism, you can authenticate SSH in two ways;
- Username and password
- Public/private keys
SSH encrypts data in transit over a network using the two keys; a public and a private key. When you encrypt data with a public key, only a private key can decrypt it and vice versa.
Whereas Telnet is used only in Linux and Windows OS, SSH is used in all popular.
Conclusion
Telnet network protocol was developed long before the mainstream internet connection. Being the pioneering protocol, it became obsolete with time as advancements in the dynamic tech world were developed. Telnet and SSH are both network protocols, but Secure Shell is the better option. Unlike the Telnet plaintext passwords and usernames, SSH encrypts data over the network, increasing security and privacy.