I wouldn't use them :-) I personally don't see this as any more risk than my browser telling the web host what I am using, or the server telling me what software it is running. We already get very rudimentary info from the RFB version.
Right now I audit using a platform specific tool. Having an extension to vnc that would report its' version and flavor would allow me to monitor/audit multiple platforms. Obviously this would only work if the vnc server was updated with this info on al the platforms I need. Adding in the support isn't a big deal. I can compile my own. We need a standard. I feel this is a very valid request, even if it will never happen. -----Original Message----- From: William Hooper [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 18, 2003 12:32 PM To: [EMAIL PROTECTED] Subject: RE: Wish: Version Query :VSMail mx3 > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Tuesday, March 18, 2003 3:18 PM > To: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: RE: Wish: Version Query :VSMail mx2 > > > It would be nice to be able to audit my network to see if > there were any > clients vulnerable to said exploit. It works both ways. > > Security through obscurity is folly. If the port is open then > it is open. > Reporting the version is after the fact. I agree, security through obscurity is not security. On the other hand, reporting the version gives an attacker just another piece of information that is not needed by an authorized client. Auditing the network can be done a number of different ways now that don't involve even connecting to the VNC server. In fact if it is a large enough network that I would want auditing for VNC, I would want auditing for a number of different programs. And again, unless everyone adds this some versions won't give you this information, so how do you audit those? -- William Hooper _______________________________________________ VNC-List mailing list [EMAIL PROTECTED] http://www.realvnc.com/mailman/listinfo/vnc-list _______________________________________________ VNC-List mailing list [EMAIL PROTECTED] http://www.realvnc.com/mailman/listinfo/vnc-list
