On Wed, 28 Aug 2002, Wes Groleau wrote:

> Mike Miller wrote:
> > difficult for someone to get into my box by a VNC exploit. Am I
> > wrong? Wouldn't they have to sniff packets and decrypt to get the
> > password? I suppose it can be done, but I don't know that anyone is
> > doing it.
>
> Unless you have added encryption to it, the passwords are not encrypted.

Please explain the discrepancy between the claim above and FAQ #55:

http://www.uk.research.att.com/vnc/faq.html#q55

excerpt:

"VNC uses a challenge-response password scheme to make the initial connection: the server sends a random series of bytes, which are encrypted using the password typed in, and then returned to the server, which checks them against the 'right' answer."

It seems to me that Wes is incorrect. The password is encrypted, but the encryption is not particularly strong. Someone would have to have a VNC-specific decrypting program working with their sniffer to get the password. Which is as I thought: More work than most people would bother to do.

Mike
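
The challenge-response exchange quoted from the FAQ, as an added example that is not part of the original post or of VNC's code. It assumes HMAC-SHA-256 as a stand-in for VNC's cipher (Python's standard library has no DES), and the names `Server`, `respond`, `handshake` and `candidate_fits` and the 16-byte challenge length are illustrative.

```python
import hashlib
import hmac
import os

CHALLENGE_LEN = 16  # assumed length of the server's random bytes


def respond(password: bytes, challenge: bytes) -> bytes:
    """Client side: transform the challenge under the typed password.
    Stand-in keyed function (HMAC-SHA-256), not VNC's actual cipher."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, password: bytes):
        self._password = password
        self._pending = None  # challenge awaiting an answer

    def new_challenge(self) -> bytes:
        self._pending = os.urandom(CHALLENGE_LEN)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        challenge, self._pending = self._pending, None  # single use
        expected = respond(self._password, challenge)  # the 'right' answer
        return hmac.compare_digest(expected, response)


def handshake(server: Server, typed_password: bytes):
    """Run one login; return (accepted, what crossed the wire)."""
    challenge = server.new_challenge()
    response = respond(typed_password, challenge)
    return server.verify(response), (challenge, response)


def candidate_fits(wire, candidate: bytes) -> bool:
    """The wire pair is enough to check a candidate password offline,
    so the scheme is only as strong as the password and the cipher."""
    challenge, response = wire
    return hmac.compare_digest(respond(candidate, challenge), response)


if __name__ == "__main__":
    srv = Server(b"s3cret")  # constructed sample password
    ok, wire = handshake(srv, b"s3cret")
    print("login accepted:", ok)
    print("password bytes on the wire:", b"s3cret" in wire[0] + wire[1])
    srv.new_challenge()  # a later session gets a fresh challenge
    print("old response replayed:", srv.verify(wire[1]))
    print("candidate checked offline:", candidate_fits(wire, b"s3cret"))
```

The password itself never crosses the wire and a captured response fails against a fresh challenge, but protecting the whole session still requires a tunnel such as SSH.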
