Michael:
Heya. I think I'm willing to split this hair over VNC
security.
First off, I agree with you that VNC users should try to
use a secure-tunnel whenever they VNC across the Internet. That's
just an inarguable Good Idea. For those using VNC to remotely
administer their content-sensitive servers, I'm sure it's one of
the first things done.
However, I think you oversell this point by comparing
"giving a credit card over an insecure web browser" to using VNC
over a non-tunneled connection. First, when you press "Send"
on a web-browser form, all of the data in that form is sent at
once, in well-delineated form, making the data relatively easy to
identify. In a VNC session, by comparison, every *character* is
sent as soon as you type it, along with other RFB info to update
the visuals. That will make intercepting the data fundamentally
more difficult as it is "spread" across so many more packets, and
mixed in with so much other data.
Second, even with a secure-tunnel encrypting your data
across the wilds of the Internet, your packets can still be
sniff'd/recorded/played-back by a *local* user with malicious
intent. Sniffing wild packets off of the Internet is *very*
difficult and a federal offense in most countries. Sniffing
packets off of an ethernet hub is routine and, possibly, the
official *policy* of your network's administrator.
Put another way, good network security (and a good network
attack strategy) is to go after the biggest holes first. For VNC
users, the biggest weakness is usually choosing weak passwords. For
*all* Windows, the even-bigger weakness is reading email with
Outlook and not keeping up with MSoft's near-weekly release of
security patches. Maybe 5th or 6th on my list would be "running
VNC without a secure-tunnel". Your mileage may vary. :)
In closing, as I used to tell my IT clients and I'm sure
you know, the Black Hats don't want to break into your PC to steal
your credit card numbers. Not their intent. If it were, then the
rationalization I heard 90-percent of the time ("Oh, I don't keep
anything on that computer anyone would want to steal") would make
good sense. Instead, though, the Black Hats want to break into your
computer so that when they next try to crash EBay's servers, or
set up an illegal content reflector, they do it from *your* computer.
cheers,
Scott
> On Sun, Sep 14, 2003 at 01:51:58PM -0500, Mike Miller wrote:
> >On Sat, 13 Sep 2003, Michael Herman wrote:
> >
> >> I would like to point out that VNC is not secure.
> >>
> >> From the realVNC FAQ:
> >>
> >> > Is VNC secure?
> >>
> >> >The only really secure computer is one without a network. VNC
> >> >requires a password when a viewer tries to connect to a server. This password
> >> >is encrypted to deter snooping, but the following graphical data, the VNC
> >> >protocol, is not.
> >>
> >> In other words, if you are using VNC across the Internet without some
> >> sort of tunnel (SSH, IPSEC, PPTP), you are exposing your data and
> >> information to the world.
> >>
> >> Please, please, please be careful.
> >
> >
> >Thank you for your concern. I hear that it is possible for someone
> >snooping network traffic to set up a program that will decode the VNC
> >stream and allow them to see what I'm doing. Is that true? I think that
> >most packet sniffing is limited to searching plain text for
> >username/password. Am I wrong?
> >
>
> 'Decoding' the packet stream isn't all that difficult. The information
> entered into fields is transmitted as text inside the packet. Usernames,
> passwords, credit card information, etc. will all be visible to a hacker who
> is looking for it.
>
> Please don't think I am down on VNC. I think it is a great tool and I use it
> all the time, both securely and insecurely. I think it is important to
> remember that VNC does not provide a security mechanism other than the
> encrypted password. It's also important to remember that most of the Internet
> (web, email, chat, news, etc) is insecure. You wouldn't give your credit
> card on the web without HTTPS (encrypted, secure web page) would you?
<snip>
_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list