Public bug reported:

Anonymous Diffie-Hellman certificates do not provide identity verification
(unlike x509 certificates). Therefore, while they provide link encryption, they
do not guard against man-in-the-middle attacks. Google decided to drop support
for these certificates in v6.0+ (API23):
https://developer.android.com/reference/javax/net/ssl/SSLEngine.html

This means that my application, bVNC, (open-source VNC client for
Android,
https://play.google.com/store/apps/details?id=com.iiordanov.freebVNC) no
longer works unless Vino's encryption requirement is disabled (e.g. with
gsettings set org.gnome.Vino require-encryption false)!

This forces me to recommend other VNC clients - x11vnc or TigerVNC - for
users that need to encrypt their VNC connections on Android 6+. For more
background, see:

https://groups.google.com/forum/#!topic/bvnc-ardp-aspice-opaque-android-bb10-clients/lINJkYJbN-U

Both x11vnc and TigerVNC support VeNCrypt (with x509 certificates that
support identity verification), and in my opinion, it is time for Vino,
as the standard remote desktop solution for Ubuntu, to also consider
supporting a modern encryption technique.

In addition to x509 certificates, VeNCrypt also supports authenticating
with a user name and an arbitrary length password, which means that if
Vino so chooses, it can also utilize PAM and allow users to connect to
their desktop machine with their actual Ubuntu credentials.

Furthermore, if we want to get really fancy, this means that we could
launch vino at start-up and even allow people to connect to their
machine when nobody is logged in like Mac OS X permits with its VNC
server.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: vino 3.8.1-0ubuntu9
ProcVersionSignature: Ubuntu 4.4.0-31.50-generic 4.4.13
Uname: Linux 4.4.0-31-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: XFCE
Date: Sat Aug 20 12:26:23 2016
InstallationDate: Installed on 2014-02-28 (903 days ago)
InstallationMedia: Ubuntu 12.04.4 LTS "Precise Pangolin" - Release amd64 (20140204)
SourcePackage: vino
UpgradeStatus: Upgraded to xenial on 2016-07-30 (21 days ago)

** Affects: vino (Ubuntu)
     Importance: Undecided
         Status: New
** Tags: amd64 apport-bug xenial

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1615251

Title:
  By default, Vino requires insecure anonymous Diffie Hellman ciphers
  for encryption and is incompatible with Android 6+ devices


-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
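The distinction the report draws, anonymous TLS (the mode Vino offers) versus VeNCrypt's x509 sub-types (what TigerVNC and x11vnc offer), is visible on the wire in the security-type offer an RFB server sends right after version negotiation. The following is an added example, not the reporter's code nor Vino's: it decodes constructed copies of those messages and reports whether any offered mode lets the client verify the server's identity. It assumes the type numbers from RFC 6143 and the VeNCrypt registrations (18 = TLS, 19 = VeNCrypt, sub-types 257-262) and stops before the TLS handshake itself.

```python
import struct

# RFB security types, values assumed from RFC 6143 / the IANA registry
SECTYPE_TLS = 18       # anonymous TLS: the mode Vino offers
SECTYPE_VENCRYPT = 19  # VeNCrypt: the mode TigerVNC and x11vnc offer

# VeNCrypt sub-types: TLS* run anonymous DH, X509* present a certificate
VENCRYPT_ANON = {257: "TLSNone", 258: "TLSVnc", 259: "TLSPlain"}
VENCRYPT_X509 = {260: "X509None", 261: "X509Vnc", 262: "X509Plain"}


def parse_security_types(msg):
    """Decode the RFB 3.7+ offer: U8 count, then count U8 security types.
    A count of 0 means the server refused; a U32 length and reason follow."""
    if not msg:
        raise ValueError("empty security-type message")
    count = msg[0]
    if count == 0:
        (length,) = struct.unpack(">I", msg[1:5])
        reason = msg[5:5 + length].decode("utf-8", "replace")
        raise ValueError("server refused: " + reason)
    if len(msg) < 1 + count:
        raise ValueError("truncated security-type list")
    return list(msg[1:1 + count])


def parse_vencrypt_subtypes(msg):
    """Decode the VeNCrypt sub-type offer: U8 count, then count U32 sub-types."""
    count = msg[0]
    if len(msg) < 1 + 4 * count:
        raise ValueError("truncated sub-type list")
    return list(struct.unpack(">%dI" % count, msg[1:1 + 4 * count]))


def assess_offer(sectypes, subtypes=()):
    """Report which encryption flavours are offered. 'identity' is True only
    if some offered mode lets the client check a server certificate, i.e. a
    mode that is not open to the MITM the report describes."""
    anon = SECTYPE_TLS in sectypes or any(s in VENCRYPT_ANON for s in subtypes)
    x509 = SECTYPE_VENCRYPT in sectypes and any(s in VENCRYPT_X509 for s in subtypes)
    return {"anonymous_tls": anon, "x509": x509, "identity": x509}


# Constructed sample messages (not captured from real servers)
VINO_OFFER = bytes([1, SECTYPE_TLS])              # anonymous TLS only
VENCRYPT_OFFER = bytes([2, SECTYPE_VENCRYPT, 2])  # VeNCrypt or VNC auth
VENCRYPT_SUBTYPES = bytes([3]) + struct.pack(">3I", 258, 260, 262)

if __name__ == "__main__":
    print("vino-like:", assess_offer(parse_security_types(VINO_OFFER)))
    print("vencrypt-like:", assess_offer(parse_security_types(VENCRYPT_OFFER),
                                         parse_vencrypt_subtypes(VENCRYPT_SUBTYPES)))
```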