There's more to session security than simply visibility of key-presses to
nosey network neighbours. Without proper tanper-proofing, for example,
it's
possible for an attacker to gain access to a system by listening in on an
established session & hi-jacking it.
Right, but is it true that the extra security features can prevent this?
On an earlier thread I started, "Session encryption", one respondent said:
"Encryption will not help prevent 'session hijacking'. It's used just to
insure the privacy of your communication. Anything you do over an
un-encrypted VNC connection can be captured, saved and replayed in the
future. That kinda gives me the creeps. :)" Which I perhaps incorrectly
took to mean that (a) the extra security features in the better VNC editions
won't prevent session hijacking, (b) they will prevent decrypting of the
data flowing in the session, (c) if the data aren't confidential and I don't
type e.g. passwords, then (b) doesn't buy me much.
Of course, at that time you replied "The session security provided by VNC
Enterprise & Personal Editions encrypts the data to prevent anyone able to
'snoop' the network from being able to read the session stream, as well as
tamper-proofing to prevent harmful session-rewrite attacks, protection from
brute force attacks, server identity verification, etc."
From your response, again, the prevention of snooping on the content of the
session stream doesn't buy me much, but the tamper-proofing, protection from
brute force, server ID verification, etc, _does_.
Don't get me wrong; VNC is a great protocol and realVNC is a great product,
and I have nothing against buying licenses. Just wanna know what things do
and don't do.
Related question: I wasn't quite sure from the thread I started on password
security how hard it is for someone to steal the password if the
free/insecure version of realVNC is used. One respondent pointed out that
it uses a challenge-response method, so it's not like the password is being
sent in cleartext. (I'm asking because my users are using VNC to connect to
a solaris system, and they're not fond of having a VNC password and a
solaris login password. I've been loathe to let them make the passwords
identical because I wasn't sure about how secure the VNC password itself is
when it's sent from client to server.)
Regards,
S
Wez @ RealVNC Ltd.
-----Original Message-----
From: Stephen Fromm [mailto:[EMAIL PROTECTED]
Sent: 10 February 2006 11:32
To: James Weatherall; [email protected]
Subject: Re: I was hacked by a VNC user!
> We don't advise use of VNC Free Edition across the Internet
except via
> some
> sort of secure tunnelling protocol. VNC Enterprise &
Personal Editions
> have
> in-built session security for this purpose. All current VNC Server
> releases
> also support querying the local user to accept connections, which is
> advisable if you are concerned that the password you are
using is weak or
> widely known.
But if I don't type any passwords, etc, once my connection is
established,
what does the additional protection actually afford me?
(Meaning, again, if
the datastream itself doesn't need to be protected, but only
the password
and ability to connect to the server.)
Thanks in advance,
SJF
_______________________________________________
VNC-List mailing list
[email protected]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
