. . . I'm not a networking guru . . .

Don't take this the wrong way, but: Stop now, because you don't know enough and you're probably going to screw something up (as if the mention of Telnet in the context of secure protocols didn't prove that already :). In all likelihood you probably don't even know what you don't know (if I may wax Rumsfeldian).

There's an entire very good book on the subject which one probably could summarize in one sentence: "Security is hard; doing security correctly, even for people that know what they're doing, is hard and even the experts often make mistakes.".

Now that I've at least hopefully dulled your hopes, let me say that I'm not saying 100% that you shouldn't do it (more like 99.8% that you shouldn't, lowered to a 99.4% once you've read Schneier and understand more of the implications of what you're proposing). But don't undertake this lightly and make sure you pay attention to prior art and reuse proven, tested components where possible.

And if the desire persists, repeatedly apply the Schneier book to the forehead until the urge passes. :)

Rather than sneer at my naievety I'd appreciate it and I am sure others would if you'd explain as if to a four year old why Telnet can't be used. As for your other comments, there's an old arab proverb that goes like this:

He that does not know and does not know that he does not know is a fool, shun him.

He that does not know but knows that he does not know can learn, teach him.

There are two more combinations of this, but I fall into the second, not the first category in this regard. My nickname alone proves it. In one role three years ago I had to do a month's training in mobile phone networks and was paid top freelance rates during that month. So some people must believe in my ability to learn, even if you don't.

-M

Free your mind

Oop, you did take it the wrong way. Let's try again: It's not necessarily that I don't think you can't learn, it's that even if you do doing what you want to do correctly is hard even for the people who've been doing it for much longer (again, read the Schneier book).

Sure amateurs can launch rockets into space now, but I wouldn't sign up for a ride from the guy that just picked up a copy of Rocketry For Dummies two months ago and thinks he's the second coming of Goddard or von Braun. I'd be more comfortable with someone like Burt Ruttan that has lots of experience in a related field (aerospace) who's studied prior art and is building on top of it.

Likewise you should be wary using the protocol written by someone who just read the IO::Socket man page last week. If you're going to move to a new protocol, you want it to have been written by someone familiar with protocol design who uses what's currently considered accepted best practices.

And as for why you don't use telnet, it has no encryption whatsoever. Any information (such as your login and password) are sent in the clear over the network meaning any schmuck with a network tap at any point between source and destination can see everything. SSH was designed to correct this deficiency and also provide stronger authentication than was used by the Berkeley "r" services (rsh, rlogin).

(Did I mention read the Schneier book? Because you really should.)

Update: Gah, got my Ruttans mixed up; had Dick, his brother, instead. ENOCAFFEINE.

Re: telnet

There have been some password files snatched due to a bug in telnet. There are lots of links to look for with your favorite search engine. Here's one such report from my favorite web-magazine: http://www.theregister.co.uk/2007/03/01/solaris_security_worm/