On Fri, 14 Feb 2003, Illtud Daniel wrote:

> Mike Miller wrote:
> >
> > Here's a simple question: Why can't VNC server and viewer just use
> > established SSH protocols to communicate? Incorporate OpenSSH code
> > into the server and PuTTY (or whatever) code into the viewer. Isn't
> > that workable?
>
> Then what happens when an exploit for OpenSSH is discovered? That's the
> problem with 'incorporating' OpenSSH into VNC, you've then got to keep
> that code in sync with any security fixes to OpenSSH, and that's
> suddenly more of a job.

OK, but I would rather have a VNC with a vulnerable OpenSSH incorporated
than with no SSH at all. When a security hole was found in OpenSSH a
while back, I was seeing lots of attempts on port 22. I get almost
nothing, ever, on ports in the 59xx range. Adding a little encryption
should only improve security, even if it is vulnerable encryption.

> Also, openssh isn't a stand-alone package: [snip]
> Leaving aside the initscripts, ld, various libcs and libdl, that's
> libcrypto (from openssl for crypto routines, natch) and libz (zlib
> compression).

So it could bloat the code quite a bit?

> Also, *implementing* crypto properly, even if starting from others'
> code, is *damn difficult* - and probably not something you want to be
> dabbling with if it's not your forte.

I'll hope that someone out there has the skills. I sure don't.

> There are plenty of encrypting windows versions of VNC to be had, but
> unless somebody's got a really good idea about incorporating encryption
> in the RealVNC cross-platform codebase, I'd rather leave it out.

Maybe we'll get lucky and someone will figure it out. In the meantime,
I'll use portforwarding or I'll live without encryption.

Mike
_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
http://www.realvnc.com/mailman/listinfo/vnc-list
