Many small business owners have built their own websites, going through the challenging process of understanding how to create HTML pages, optimize images, and upload the data to the Web server hosting the site. These entrepreneurs likely get their files online using an FTP program that telnets into the server. If you are a telnet user, it's time to replace it with the new data transfer program SSH, for two reasons:

Telnet Vulnerability #1: Web sniffers
In order to log in to a Web server using telnet, you identify yourself with a username and password. When you type in the password, the text is not displayed on your screen to prevent someone who could be looking over your shoulder from seeing this confidential information.

While your password is not visible to those looking at your computer screen, the same is not true for online snoops. When the telnet software sends this data to the Web server, it does not encrypt the information, which would make it difficult to decode. Rather, it sends your "secret" information across the Web as a packet of plain text!

Using one of the most basic hacking tools called a "sniffer," other Internet users could learn your password and gain access to the back-end of your server, at which point they could significantly damage your website, your confidential information, and your reputation.

Telnet Vulnerability #2: Buffer overflow, overload
On July 18, 2001, people discovered that many Web servers are vulnerable to an exploit known as a buffer overflow in telnet. Specifically, the vulnerability applies to the server side component of telnet, known as the Telnet Daemon, or telnetd, which is used on most Web servers running variations of UNIX, from Linux through the BSD family and Solaris. (This does not apply to Microsoft servers.) The experienced Unix/Linux community is reacting quickly to close the hole. As a result, some Web hosts are actually shutting down telnet access to their servers.

The SSH advantage
Due to the holes in telnet, many Web professionals prefer the more secure SSH, which stands for "Secure Shell." Telnet could now be called "Unsecure Shell," where the "shell" refers to shell access. This level of access is similar to reaching the C: command prompt in DOS, where you have access to the full operating system. Hackers want to gain shell access, so they can wreak havoc with your site as well as damage other sites on the server if multiple sites are hosted.

The main reason to use SSH instead of telnet is that those previously highlighted vulnerabilities do not exist. Your "secret" information is encrypted before it is sent over the Web to the server and back, meaning even if someone managed to intercept the data package, they would not be able to read it without the encryption keys. These keys are on your computer and the Web server only. Neither does SSH have the buffer overflow vulnerability recently found in telnet.

Using a program like SSH may involve learning a few new commands, but once you master the basics, using SSH is simple.

SSH will not guarantee that your site cannot be hacked. SecuritySpace.com, a website focused on eSecurity issues, reports that hackers can break into your system via more than 400 known vulnerabilities. Nevertheless, SSH provides a good starting point toward achieving a less hackable site.

More reading:

• CERT advisory about the server exploit: www.cert.org/advisories/CA-2001-21.html
• SSH Secure Shell: www.ssh.com
• Some versions of SSH:
  • Absolute Telnet: www.celestialsoftware.net/telnet/
  • PuTTY: www.chiark.greenend.org.uk/~sgtatham/putty/ — a free Win32 Telnet/SSH Client: many swear by it, but it is not a good beginning for the faint of heart
  • SecureCRT: www.vandyke.com/products/securecrt/index.html — affordable, solid, all-in-all not a bad product, but still not "drag-and-drop"