On Sat, 13 Sep 2003, Michael Herman wrote:
I would like to point out that VNC is not secure.
From the realVNC FAQ:
> Is VNC secure?
> The only really secure computer is one without a network. VNC requires a password when a viewer tries to connect to a server. This password is encrypted to deter snooping, but the following graphical data, the VNC protocol, is not.
In other words, if you are using VNC across the Internet without some sort of tunnel (SSH, IPSEC, PPTP), you are exposing your data and information to the world.
Please, please, please be careful.
Thank you for your concern. I hear that it is possible for someone snooping network traffic to set up a program that will decode the VNC stream and allow them to see what I'm doing. Is that true? I think that most packet sniffing is limited to searching plain text for username/password. Am I wrong?
'Decoding' the packet stream isn't all that difficult. The information
entered into fields is transmitted as text inside the packet. Usernames,
passwords, credit card information, etc. will all be visible to a hacker who
is looking for it.
Please don't think I am down on VNC. I think it is a great tool and I use it all the time, both securely and insecurely. I think it is important to remember that VNC does not provide a security mechanism other than the encrypted password. It's also important to remember that most of the Internet (web, email, chat, news, etc.) is insecure. You wouldn't give your credit card on the web without HTTPS (encrypted, secure web page), would you?
I posted my original e-mail after an off-list discussion with someone who,
using Windows 98 on both the client and server, wanted to connect to work.
This person appeared to be, from their e-mail signature, a human resources
director for a company. HR people generally deal in confidential
information and I certainly would want the HR people at the company I work for
to not expose any information about me to the web without some security
mechanism.
-- Michael
