Hello, I'm a bit confused.
I currently use VNC (the Tight flavour) through an SSH tunnel, so I'm not really concerned, but I thought (from other discussions found in the archives) that VNC was *quite* secure as info/updates was/were sent over the network as images (increasingly compressed, using either Tight or the new VNC 4 encoding).

So this assumption is *wrong*, and any text typed in a VNC window is in fact sent as plain text, and so *easily* tapped??? [[ this is what "information entered into fields is transmitted as text inside the packet" leads me to conclude ]].

Thanks for any definitive light on the subject.

Chris

>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of
>[EMAIL PROTECTED]
>Sent: 16 September 2003 13:00
>To: [EMAIL PROTECTED]

On Sun, Sep 14, 2003 at 01:51:58PM -0500, Mike Miller wrote:
>On Sat, 13 Sep 2003, Michael Herman wrote:
>
>> I would like to point out that VNC is not secure.
>>
>> From the realVNC FAQ:
>>
>> > Is VNC secure?
>>
>> >The only really secure computer is one without a network. VNC
>> >requires a password when a viewer tries to connect to a server. This password
>> >is encrypted to deter snooping, but the following graphical data, the VNC
>> >protocol, is not.
>>
>> In other words, if you are using VNC across the Internet without some
>> sort of tunnel (SSH, IPSEC, PPTP), you are exposing your data and
>> information to the world.
>>
>> Please, please, please be careful.
>
>
>Thank you for your concern. I hear that it is possible for someone
>snooping network traffic to set up a program that will decode the VNC
>stream and allow them to see what I'm doing. Is that true? I think that
>most packet sniffing is limited to searching plain text for
>username/password. Am I wrong?
>

'Decoding' the packet stream isn't all that difficult. The information entered into fields is transmitted as text inside the packet. Usernames, passwords, credit card information, etc. will all be visible to a hacker who is looking for it.

Please don't think I am down on VNC. I think it is a great tool and I use it all the time, both securely and insecurely. I think it is important to remember that VNC does not provide a security mechanism other than the encrypted password. It's also important to remember that most of the Internet (web, email, chat, news, etc.) is insecure. You wouldn't give your credit card on the web without HTTPS (encrypted, secure web page), would you?

I posted my original e-mail after an off-list discussion with someone who, using Windows 98 on both the client and server, wanted to connect to work. This person appeared to be, from their e-mail signature, a human resources director for a company. HR people generally deal in confidential information and I certainly would want the HR people at the company I work for to not expose any information about me to the web without some security mechanism.

--
Michael
_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
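An added illustration, not part of the original thread, of the point discussed above about typed input: in the RFB protocol that VNC speaks, screen updates are image-encoded, but each key press is a separate client-to-server KeyEvent message carrying a plain keysym value. The byte stream, the sample text `s3cret` and all function names below are constructed for this example; the message layouts follow RFC 6143.

```python
import struct

# Sizes in bytes of the fixed-length client-to-server RFB messages (RFC 6143, 7.5):
# SetPixelFormat, FramebufferUpdateRequest, KeyEvent, PointerEvent.
FIXED = {0: 20, 3: 10, 4: 8, 5: 6}

def keys_in_clear(stream: bytes) -> str:
    """Walk unencrypted client-to-server RFB messages; return printable key presses."""
    typed, i = [], 0
    while i < len(stream):
        mtype = stream[i]
        try:
            if mtype == 4:    # KeyEvent: type, down-flag, 2 pad bytes, 4-byte keysym
                down, keysym = struct.unpack_from(">BxxI", stream, i + 1)
                if down and 0x20 <= keysym <= 0x7E:  # these keysyms equal ASCII codes
                    typed.append(chr(keysym))
            if mtype == 2:    # SetEncodings: type, pad, count, then 4 bytes per encoding
                (count,) = struct.unpack_from(">H", stream, i + 2)
                i += 4 + 4 * count
            elif mtype == 6:  # ClientCutText: type, 3 pad bytes, length, clipboard text
                (length,) = struct.unpack_from(">I", stream, i + 4)
                i += 8 + length
            elif mtype in FIXED:
                i += FIXED[mtype]
            else:
                raise ValueError(f"unknown message type {mtype} at offset {i}")
        except struct.error:
            raise ValueError(f"truncated message at offset {i}") from None
    return "".join(typed)

def key_event(ch: str, down: bool) -> bytes:
    """Build one KeyEvent message (constructed sample data)."""
    return struct.pack(">BBxxI", 4, int(down), ord(ch))

def build_sample(text: str = "s3cret") -> bytes:
    """Constructed post-handshake traffic: setup messages, then typing with mouse moves."""
    msgs = [struct.pack(">BxH2i", 2, 2, 7, 0),             # SetEncodings: Tight (7), Raw (0)
            struct.pack(">BBHHHH", 3, 1, 0, 0, 800, 600)]  # FramebufferUpdateRequest
    for ch in text:
        msgs += [key_event(ch, True),
                 struct.pack(">BBHH", 5, 0, 10, 20),        # PointerEvent, no buttons
                 key_event(ch, False)]
    return b"".join(msgs)

if __name__ == "__main__":
    print(keys_in_clear(build_sample()))
```

When the session runs through an SSH tunnel, as in Chris's setup, these same messages travel inside the encrypted SSH channel instead of appearing on the wire in this form.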
