> > There's more to session security than simply visibility of key-presses to
> > nosey network neighbours. Without proper tamper-proofing, for example, it's
> > possible for an attacker to gain access to a system by listening in on an
> > established session & hi-jacking it.
>
> Right, but is it true that the extra security features can prevent this?
Yes.

[snip]

> From your response, again, the prevention of snooping on the content of the
> session stream doesn't buy me much, but the tamper-proofing, protection from
> brute force, server ID verification, etc, _does_.

They're all important features if there is any possibility of an untrusted
computer having access to any of the network infrastructure between your
viewer & your server. Even on a conceptually "secure" office LAN, there are
numerous threats such as viruses, root-kitted systems, malicious users, plus
similar threats from any visitor who happens to connect equipment to your
network.

[snip]

> Related question: I wasn't quite sure from the thread I started on password
> security how hard it is for someone to steal the password if the
> free/insecure version of RealVNC is used. One respondent pointed out that
> it uses a challenge-response method, so it's not like the password is being
> sent in cleartext.

The VNC authentication is always conducted using a secure mechanism, a
challenge-response scheme in the case of VNC Password Authentication. The
brute-force attack prevention measures make it difficult to conduct a
"dictionary" attack against a server, and the password stored at the server
is obfuscated & file-system access restrictions applied.

> (I'm asking because my users are using VNC to connect to a Solaris system,
> and they're not fond of having a VNC password and a Solaris login password.
> I've been loath to let them make the passwords identical because I wasn't
> sure about how secure the VNC password itself is when it's sent from client
> to server.)

If they're typing their Solaris password in over an unencrypted session then
in theory a third party could snoop the session, pick up that password, and
then use it to access the system, regardless of whether it's the same as
their VNC password. If there is any possibility of sensitive information
being typed into a session, then the session should really be secured.
(With VNC Enterprise Edition, they'd be able to log in securely, and using
their standard Solaris username & password.)

Regards,

Wez @ RealVNC Ltd.

_______________________________________________
VNC-List mailing list
[email protected]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
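The challenge-response exchange discussed above, as an added worked example (this is not code from the original message or from RealVNC). It models the classic VNC Password Authentication scheme: the server sends a 16-byte random challenge, the client DES-encrypts it in two ECB blocks using the password (cut or NUL-padded to 8 bytes, with the bits of each byte mirrored, a quirk of the original VNC code) as the key, and the server recomputes the response from its stored password and compares. The function names, the password "letmein1" and the candidate list are constructed for the example. The last function shows the point the thread circles around: the password itself never crosses the wire, but anyone who captured the challenge and response can test guesses offline, where the server-side brute-force throttling Wez mentions does not apply, which is why securing the session matters when the VNC password is shared with another system.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// vncKey derives the 8-byte DES key from a VNC password: the password is
// truncated or NUL-padded to 8 bytes (so only the first 8 characters ever
// matter), and the bit order of each byte is mirrored, as the original
// VNC d3des code does.
func vncKey(password string) []byte {
	key := make([]byte, 8)
	copy(key, password) // truncates at 8 bytes, zero-pads if shorter
	for i, b := range key {
		var r byte
		for bit := 0; bit < 8; bit++ {
			r = r<<1 | (b>>bit)&1
		}
		key[i] = r
	}
	return key
}

// vncResponse is the client side: encrypt the 16-byte challenge as two
// DES-ECB blocks under vncKey(password).
func vncResponse(password string, challenge []byte) ([]byte, error) {
	if len(challenge) != 16 {
		return nil, fmt.Errorf("challenge must be 16 bytes, got %d", len(challenge))
	}
	block, err := des.NewCipher(vncKey(password))
	if err != nil {
		return nil, err
	}
	resp := make([]byte, 16)
	block.Encrypt(resp[:8], challenge[:8])
	block.Encrypt(resp[8:], challenge[8:])
	return resp, nil
}

// newChallenge is the server's first message: 16 random bytes.
func newChallenge() ([]byte, error) {
	c := make([]byte, 16)
	_, err := rand.Read(c)
	return c, err
}

// serverVerify is the server side: recompute the expected response from the
// stored password and compare in constant time.
func serverVerify(storedPassword string, challenge, response []byte) bool {
	expected, err := vncResponse(storedPassword, challenge)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(expected, response) == 1
}

// offlineGuess is what a passive observer can do with the two captured
// messages: try candidate passwords locally until one reproduces the
// response. No server is contacted, so per-connection throttling on the
// server never comes into play.
func offlineGuess(challenge, response []byte, candidates []string) (string, bool) {
	for _, cand := range candidates {
		if serverVerify(cand, challenge, response) {
			return cand, true
		}
	}
	return "", false
}

func main() {
	// Constructed run: server challenges, client answers with "letmein1",
	// server accepts.
	challenge, _ := newChallenge()
	response, _ := vncResponse("letmein1", challenge)
	fmt.Println("server accepts:", serverVerify("letmein1", challenge, response))

	// The same two messages, seen on the wire, let an observer test guesses.
	found, ok := offlineGuess(challenge, response, []string{"password", "secret", "letmein1"})
	fmt.Println("offline guess:", found, ok)
}
```

Because of the 8-byte truncation, a longer password such as "letmein123" produces the same response as "letmein1", so a VNC password that merely shares its first eight characters with a Solaris password is effectively that password once a challenge/response pair has been observed.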
