In “Yajiuma no Mori”, we will tell you about a wide range of topics that are not limited to news and reviews.
Electronic public notice of the Institute for Cyber Technology and Internet Freedom. “TELNET over SSL” version is now available
Yesterday, I reported that the Cyber Technology and Internet Freedom Research Institute’s electronic announcements are being made using ‘Telnet’, but it seems that there was a complaint that ‘it’s plaintext communication even though it claims security’. In response to that, it seems that the “TELNET over SSL” version was released immediately.
The TELNET electronic announcement seems to have finally released the TELNETS (TELNET over SSL) version today in response to the voice that “TELNET is dangerous because it is not encrypted”.
openssl s_client -connecthttps://t.co/FFDjjLWa3E
It seems that you can connect with over SSL.pic.twitter.com/Lso2Zo68Xh
— Daiyuu Nobori (@dnobori)September 6, 2023
Install “OpenSSL” to view “TELNET over SSL” version electronic public notices
“OpenSSL” is required to view the “TELNET over SSL” version of electronic public notices in a Windows 11 environment. Type the following command in “Command Prompt” etc. and install it quickly.
By the way, “winget” is a command of the package management system (Windows Package Manager) for the Windows platform developed by Microsoft. It is convenient to install various applications with one command like this.
“winget” can be used without administrator privileges, but in that case, be aware that a UAC dialog will be displayed when installing a package (app).The downloaded “OpenSSL” package isBinaries distributed with “Shining Light Productions”. Although not provided by the “OpenSSL” project itself, it is a widely used distribution and seems to be quite reliable.
After the installation of “OpenSSL” is completed, find “Win64 OpenSSL Command Prompt” from the[Start]screen and launch it. Go to the installation folder (C: Program FilesOpenSSL-Win64bin) with “Command Prompt”, pass the path to the folder (register the folder in[Path]of the environment variable), and directly hit “openssl.exe”. may be Anyway, if the version etc. is displayed, “OpenSSL” is properly installed.
Locate and launch “Win64 OpenSSL Command Prompt”
After confirming that “OpenSSL” can be started, change the code page to “UTF-8”. This is because electronic public notices are delivered in “UTF-8” encoding. The default value of “Command Prompt” is “Shift JIS” encoding, so you need to change it to display without garbled characters.
All you have to do is connect to “koukoku.shadan.open.ad.jp” with the “OpenSSL” client (s_client).
openssl s_client -connect koukoku.shadan.open.ad.jp:992
Rewrite the code page and use “openssl s_client -connect”
However, according to the Cyber Technology and Internet Freedom Study Group, in response to the indication that “Telnet is plain text and the communication path is not encrypted, there is a vulnerability (fear of man-in-the-middle attack) that the contents of communication can be tampered with.” is not “reasonable”.
This is because no matter how much you protect it with server certificates and encryption, the essence of the Internet is nothing more than a bucket brigade that “almost consists of a gentleman’s agreement trust model”, and attacks such as BGP hijacking that betray it cannot be prevented. In other words, “Telnet” and “HTTPS” can be tampered with. “HTTPS”, where anything can be posted, can lead to client hijacking if the content is tampered with, but “Telnet”, which uses only plain text, has no such fear.
In addition to that, the study group has responded to each point pointed out by users as “supplements”, and at the time of writing, the number of supplements has increased to eight (in the case of the “TELNET over SSL” version).
Answer to the point that Telnet might have vulnerabilities (2023/09/01 (Mon)) Answer to the point that Telnet is plain text and should be TLS encrypted (2023/09/05 (Tue) 14:20) The answer to the question of whether content should be delivered in plain text even over HTTP/HTTPS connections (2023/09/05 (Tue) 19:15) Telnet server published at the beginning “Shift JIS” character code is used, but “UTF-8” should be used (2023/09/05 (Tue) 20:45) 2023/09/05 (Tuesday) 21:13) Packet capture of the Telnet distribution server revealed that one TCP packet was used per character, but this is useless communication and is combined into one packet. Response to the complaint that it should not be done (2023/09/05 (Tue) 22:20) We attach an access counter to the electronic public notice, but if there is a user who publishes the screenshot on SNS, we will compare it with the log Answer to the complaint that it is possible to determine the IP address (2023/09/06 (Wednesday) 06:15) Answer to the complaint that a system alert was raised when connecting with “Telnet” (2023/09/06) (Wed) 07:34)
It takes a hell of a lot of time to display all of them, but it’s quite interesting, so please check it out with your own eyes.
