I think most people here understand the limitations of this encryption,
but I think a great many of us are just looking to not have passwords
going out in plain text.  Right now, I believe that deploying ssh in a
Windows environment is not feasible on a corporate level.  When I can
double click on a vnc icon and it will connect using an ssh tunnel, and
when I feel that Cygwin is cleaned up enough and I don't think it poses
security problems, I might set it up.  For now at least zvnc is slightly
more secure.

Of course I would really like to see a plugin for ultravnc which I am
planning on deploying around version 1.1

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 18, 2003 4:15 AM
To: [EMAIL PROTECTED]
Subject: Re[2]: automatic encryption


I had the time to look into zvnc, and I found it to be "cool". It is
indeed impressive, in terms of simplicity. However, this is one more
proof that you cannot really "make encryption simple". But let's start
with the beginning: the model. You have a tool which uses zebedee to
tunnel tcp connections to vnc. What's wrong with this picture? The
problem is: even if you firewall the "non-encrypted" ports you still
rely on zebedee AND vnc for the server security. Now it's clear: if you
have a hole in VNC OR in zebedee, the server security is gone. On the
other hand, if you have a vpn+vnc or ssh+vnc setup (and of course you
firewall the vnc port; this is the first thing to do if you use ANY
encrypted setup) then you have a problem only if you have a problem with
ssh (or whatever tunnel software you're using). In fact a normal server
(without anyone connecting to it) will be safer with normal vnc than
with zvnc. And I am not talking about any bugs, only about the model.

Now, about the encryption. I don't have time to investigate in detail,
but it looks like there is no authentication between the server and
client. I mean the client doesn't know who it is talking to. Most people
think it's simpler to sniff some traffic; actually in most cases it's
easier to impersonate the server (and in most cases if the attacker can
sniff the traffic he can also hijack a connection or impersonate the
server). And of course, if the attacker can impersonate the server then
it's game over in more than one way.

Bottom line: is zvnc a bulletproof solution? No. I wouldn't use it to
access my home computer (leaving aside the fact that it's windows
only). But there are people using plain vnc over the internet, or win2k
machines without one patch, or setups like root / no password. I think
zvnc is better :-). Does zvnc have a future? Probably yes, I would say.
I would of course prefer a trusted solution, like ssh (and you also get
file transfer capabilities, which are needed sooner or later), but as we
have seen there is a need for an "all in one" tool.

Saturday, February 15, 2003, 22:11:47, Dave wrote:

DD>  It's time for my periodic plug and plea for encryption support in
DD> the major branches of VNC.

DD>  The plug: zvnc is a variant for windows which incorporates the same
DD> encryption as tunneling with zeebeedee into regular vnc.  It's been
DD> in use for over a year now, with many users and no complaints.
DD> Unlike tunneling with zeebeedee or ssh, it's trivial to set up and
DD> use.
DD>  See:  http://home.attbi.com/~davedyer/znc/zvnc.html

DD>  The plea: It's not my intent to start or support a new major branch
DD> of vnc.  I took some pains to make this branch minimally invasive to
DD> the vnc sources - all the hair is in an external library based on
DD> zeebeedee.  I fervently hope the maintainers of the main branches of
DD> vnc will give it a look.
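The server-authentication gap raised above, as an added simulation that is not part of this thread and is not zvnc's or zebedee's code: a tunnel client that encrypts but never checks who answered the port hands its VNC password to whoever is listening, while a client that pins the real server's static key fingerprint and checks a proof bound to that key refuses. The DH group (2^127 - 1, generator 3), the class names and the handshake shape are all constructed for readability, not a description of any real protocol.

```python
import hashlib, hmac, secrets

P = 2**127 - 1   # toy-sized Mersenne prime for readability: NOT for real use
G = 3

def fingerprint(static_pub):
    """What a client would store for a known server (like an ssh known_hosts entry)."""
    return hashlib.sha256(str(static_pub).encode()).hexdigest()[:16]

def _session_key(shared):
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

class Server:
    """Tunnel endpoint whose identity is a long-term static DH key (constructed)."""
    def __init__(self):
        self._static_priv = secrets.randbelow(P - 2) + 1
        self.static_pub = pow(G, self._static_priv, P)
        self.captured_password = None
    def respond(self, client_pub):
        # Proof over the client's ephemeral key: only the holder of the
        # static private key can derive this shared secret.
        key = _session_key(pow(client_pub, self._static_priv, P))
        return self.static_pub, hmac.new(key, str(client_pub).encode(), "sha256").digest()
    def accept_password(self, pw):
        self.captured_password = pw

class Impersonator(Server):
    """Answers the port and can copy the real server's PUBLIC key, not its private one."""
    def __init__(self, claimed_pub):
        super().__init__()
        self.claimed_pub = claimed_pub
    def respond(self, client_pub):
        _, proof = super().respond(client_pub)   # proof made with its own key
        return self.claimed_pub, proof

def connect(server, password, pinned=None):
    """Return True if the client went on to send the password to whoever answered."""
    client_priv = secrets.randbelow(P - 2) + 1
    client_pub = pow(G, client_priv, P)
    server_pub, proof = server.respond(client_pub)
    if pinned is not None:                       # the defender's check
        if fingerprint(server_pub) != pinned:
            return False                         # unknown identity: refuse
        key = _session_key(pow(server_pub, client_priv, P))
        expected = hmac.new(key, str(client_pub).encode(), "sha256").digest()
        if not hmac.compare_digest(proof, expected):
            return False                         # right key claimed, wrong holder
    server.accept_password(password)
    return True

def demo():
    real = Server(); pin = fingerprint(real.static_pub); fake = Impersonator(real.static_pub)
    return {"unauth_to_real": connect(real, "vncpass"), "unauth_to_fake": connect(fake, "vncpass"),
            "pinned_to_real": connect(real, "vncpass", pin), "pinned_to_fake": connect(fake, "vncpass", pin),
            "pinned_to_unknown": connect(Server(), "vncpass", pin), "fake_got": fake.captured_password}
```

The unauthenticated client "succeeds" against both endpoints, which is exactly the failure the message describes; only the pinned client distinguishes them.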
_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED] http://www.realvnc.com/mailman/listinfo/vnc-list