Mike, Yes, Wes Groleau's statement was incorrect. Having dealt with the way that VNC handles the password both in the registry and over the network datastream, I can assure you that it is not passed in clear text.
Whether the VNC password security is sufficient or not depends greatly on your threat model. If you are just connecting over a small wire-based network where you trust everyone with physical access to the network, it is likely completely sufficient. If you are working across the Internet, extra encryption and better authentication are definitely going to be important. Keep in mind that the built-in VNC password encryption is for the VNC password only. If you connect to a system to find it at the login screen, then you will need to enter the username and password to login/logon. That user name and password (along with all other mouse and keyboard events) will cross the network unencrypted. The same would apply if you later needed to authenticate across the VNC connection to a database server or web server (for downloading some file to the VNC server system). So, as with the whole performance issue, what type of security works for you depends on your environment and requirements. In particular, how critical is the privacy of the data? Do untrusted individuals have access to the physical network, such as over the Internet or when wireless ethernet is in use? Brian > Message: 23 > Date: Wed, 28 Aug 2002 23:45:27 -0500 (CDT) > From: Mike Miller <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > Subject: Re: [despammed] VNC is "hackable" (was "VPN and VNC") > Reply-To: [EMAIL PROTECTED] > > On Wed, 28 Aug 2002, Wes Groleau wrote: > > > Mike Miller wrote: > > > difficult for someone to get into my box by a VNC exploit. Am I > > > wrong? Wouldn't they have to sniff packets and decrypt to get the > > > password? I suppose it can be done, but I don't know that anyone is > > > doing it. > > > > Unless you have added encryption to it, the passwords are not encrypted. > > > Please explain the discrepancy between the claim above and FAQ #55: > > http://www.uk.research.att.com/vnc/faq.html#q55 > > excerpt: > "VNC uses a challenge-response password scheme to make the initial > connection: the server sends a random series of bytes, which are encrypted > using the password typed in, and then returned to the server, which checks > them against the 'right' answer." > > > It seems to me that Wes is incorrect. The password is encrypted, but the > encryption is not particularly strong. Someone would have to have a > VNC-specific decrypting program working with their sniffer to get the > password. Which is as I thought: More work than most people would bother > to do. > > Mike -- Brian ---------------------------------------------------------------------------- TridiaVNC Pro: finally, affordable remote control! http://www.TridiaVNCPro.com/ ---------------------------------------------------------------------------- Tridia's Mission: To always exceed our customers' expectations by providing the absolute best software products backed by outstanding technical support and customer service. Please let us know how we are doing: brian . blevins @ tridia.com or ceo-hotline @ tridia.com. _______________________________________________ VNC-List mailing list [EMAIL PROTECTED] http://www.realvnc.com/mailman/listinfo/vnc-list
