On Tue, 6 Jun 2006, Alex Pelts wrote:
> IMHO, VNC people did all they could to fix the problem and post the
> update. It is up to the users to make sure they are up to date. If you
> do not like RealVNC security record you are always free to run any other
> software. There are really many choices you can make:
> 1. Run VPN with strong authentication and use your VNC over VPN.
> 2. Run ssh and tunnel over ssh, which is really equivalent to #1
> 3. Keep your VNC up to date if you insist on exposing it to the net.
> 4. Run any other software that you deem more secure.

These are good ideas, but we should note that #1 and #2 above would not
protect you from attack unless VNC was not accepting connections from
outside SSH or VPN. You must set the RealVNC server to "Only accept
connections from the local machine":
http://www.realvnc.com/products/free/4.1/winvnc.html
Then use SSH port forwarding in combination with that so that an attacker
would have to connect by SSH to get access to VNC. Otherwise, your use of
SSH would have protected you from snooping, but it did not protect you
from the major vulnerability that was discovered last month.
Mike
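
One way to confirm that the "Only accept connections from the local machine" setting discussed above has taken effect, as an added example that is not part of the original message: parse `netstat -an` output and report VNC listeners bound to anything other than loopback. The sample lines are constructed, and the port ranges (5900-5999 for displays, 5800-5899 for the HTTP viewer) are assumptions.

```python
import ipaddress
import re

# Constructed sample: "netstat -an" style lines in Windows and Linux layouts.
# Addresses and ports are made up for illustration.
SAMPLE = """\
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5901         0.0.0.0:0              LISTENING
  TCP    [::]:5900              [::]:0                 LISTENING
  TCP    192.168.1.20:5800      0.0.0.0:0              LISTENING
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    192.168.1.20:5900      203.0.113.7:51522      ESTABLISHED
tcp        0      0 127.0.0.1:5902          0.0.0.0:*               LISTEN
tcp6       0      0 :::5903                 :::*                    LISTEN
"""

# Assumption: VNC displays use 5900-5999, the HTTP viewer uses 5800-5899.
VNC_PORTS = set(range(5800, 6000))
ENDPOINT = re.compile(r"^(\[?[0-9A-Fa-f:.*]+\]?):(\d+)$")


def exposed_vnc_listeners(netstat_text):
    """Return (address, port) for VNC listeners not bound to loopback."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or not fields[-1].upper().startswith("LISTEN"):
            continue  # established connections are not listeners
        # The first addr:port field on the line is the local endpoint.
        local = next((m for m in map(ENDPOINT.match, fields) if m), None)
        if local is None:
            continue
        host, port = local.group(1).strip("[]"), int(local.group(2))
        if port not in VNC_PORTS:
            continue
        if host in ("*", "::", "0.0.0.0"):
            findings.append((host, port))  # wildcard bind: reachable remotely
        elif not ipaddress.ip_address(host).is_loopback:
            findings.append((host, port))  # bound to a routable interface
    return findings


if __name__ == "__main__":
    for host, port in exposed_vnc_listeners(SAMPLE):
        print(f"VNC listener reachable off-host: {host}:{port}")
```

An empty result means every VNC listener is bound to loopback, so the only path to it is through the SSH or VPN session.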