On Fri, Feb 10, 2006 at 08:27:39AM -0500, Stephen Fromm wrote: > >There's more to session security than simply visibility of key-presses to > >nosey network neighbours. Without proper tanper-proofing, for example, > >it's > >possible for an attacker to gain access to a system by listening in on an > >established session & hi-jacking it. > > Right, but is it true that the extra security features can prevent this? >
If they are designed correctly. > On an earlier thread I started, "Session encryption", one respondent said: > "Encryption will not help prevent 'session hijacking'. It's used just to > insure the privacy of your communication. Anything you do over an > un-encrypted VNC connection can be captured, saved and replayed in the > future. That kinda gives me the creeps. :)" Which I perhaps incorrectly > took to mean that (a) the extra security features in the better VNC > editions won't prevent session hijacking, (b) they will prevent decrypting > of the data flowing in the session, (c) if the data aren't confidential and > I don't type e.g. passwords, then (b) doesn't buy me much. > One thing SSL is used for is to prevent man-in-the-middle attacks (which is basically the same as hijacking a session). Any reasonable session security setup should provide the same thing (and afaict the Enterprise & Personal Editions do provide this, based on what I've read). > Related question: I wasn't quite sure from the thread I started on > password security how hard it is for someone to steal the password if the > free/insecure version of realVNC is used. One respondent pointed out that > it uses a challenge-response method, so it's not like the password is being > sent in cleartext. (I'm asking because my users are using VNC to connect > to a solaris system, and they're not fond of having a VNC password and a > solaris login password. I've been loathe to let them make the passwords > identical because I wasn't sure about how secure the VNC password itself is > when it's sent from client to server.) I don't know this either, but because I'm paranoid I run the VNC server with -localhost and make all my connections to it through an ssh server. > > Regards, > > S > > >Wez @ RealVNC Ltd. > > > > > >>-----Original Message----- > >>From: Stephen Fromm [mailto:[EMAIL PROTECTED] > >>Sent: 10 February 2006 11:32 > >>To: James Weatherall; [email protected] > >>Subject: Re: I was hacked by a VNC user! > >> > >>> We don't advise use of VNC Free Edition across the Internet > >>except via > >>> some > >>> sort of secure tunnelling protocol. VNC Enterprise & > >>Personal Editions > >>> have > >>> in-built session security for this purpose. All current VNC Server > >>> releases > >>> also support querying the local user to accept connections, which is > >>> advisable if you are concerned that the password you are > >>using is weak or > >>> widely known. > >> > >>But if I don't type any passwords, etc, once my connection is > >>established, > >>what does the additional protection actually afford me? > >>(Meaning, again, if > >>the datastream itself doesn't need to be protected, but only > >>the password > >>and ability to connect to the server.) > >> > >>Thanks in advance, > >> > >>SJF > _______________________________________________ > VNC-List mailing list > [email protected] > To remove yourself from the list visit: > http://www.realvnc.com/mailman/listinfo/vnc-list > -- Infinite complexity begets infinite beauty. Infinite precision begets infinite perfection. _______________________________________________ VNC-List mailing list [email protected] To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
