My error. Except for the password, everything else is sent in the
clear, including any passwords you might type after your initial connection.
Scott C. Best wrote:
Kevin:
Heya. I felt compelled to reply, as your VNC password
information is very misleading.
Telnet and FTP actually *do* send passwords in the clear.
That is, if you actually captured packets in transit, you'd see
the password right there. However, VNC absolutely does not do this.
VNC uses challenge-response authentication, well described here:
http://en.wikipedia.org/wiki/Challenge-response_authentication
In VNC, I believe it works as follows: the server generates
a random value "N", and encrypts it using the saved VNC password.
When a VNC client connects, it receives this "encrypted challenge".
The Viewer then decrypts the value "N" using the password provided by
the user into the Viewer. It then performs a simple operation (e.g.,
calculates "N+1"), encrypts that and sends it back as the "response".
If the "response" is correct, the Server knows that the Viewer user
knows the correct password. And while enough information has gone
by in the wires for someone to *deduce* the password (i.e., if a
malicious user knows the challenge string, the response string,
and the exact "simple operation" in the source), the password itself
cannot fairly be said to be "in the clear".
Otherwise...I agree with your assertion that leaving any
service open to direct connections from the Internet is asking
for trouble. I use EchoVNC to avoid this.
cheers,
Scott
That is a pretty dangerous configuration you have there. VNC transfers
passwords in the clear, so it is no more safe as a WAN protocol than
'Telnet' or 'FTP'...
<snip>
_______________________________________________
VNC-List mailing list
[email protected]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
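
Added example, not part of either message and not VNC's own code: a generic challenge-response login of the kind the thread discusses, followed by an unencrypted session. HMAC-SHA256 stands in for VNC's cipher as an assumption, and every name and sample value is constructed.

```python
import hashlib
import hmac
import secrets

def make_challenge() -> bytes:
    """Server side: a fresh random value for every connection."""
    return secrets.token_bytes(16)

def compute_response(password: str, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the password without sending it.
    Assumption: HMAC-SHA256 stands in for VNC's own cipher."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()

def server_verify(stored: str, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(compute_response(stored, challenge), response)

def run_session(stored: str, typed: str, session_data: bytes):
    """Return (authenticated, wire); wire is everything a sniffer captures."""
    challenge = make_challenge()
    response = compute_response(typed, challenge)
    wire = [("S->C challenge", challenge), ("C->S response", response)]
    ok = server_verify(stored, challenge, response)
    if ok:
        # No encryption after login: session bytes travel as typed.
        wire.append(("C->S session", session_data))
    return ok, wire

def observer_sees(wire, needle: bytes) -> bool:
    """True if the byte string appears verbatim in any captured payload."""
    return any(needle in payload for _, payload in wire)

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    ok, wire = run_session("vnc-pass-1", "vnc-pass-1", b"su -\nroot-pass-2\n")
    print("authenticated:", ok)
    print("VNC password visible on wire:", observer_sees(wire, b"vnc-pass-1"))
    print("later password visible on wire:", observer_sees(wire, b"root-pass-2"))
    # A captured response is useless against the next connection's challenge.
    print("replay accepted:", server_verify("vnc-pass-1", make_challenge(), wire[1][1]))
```

The login secret stays off the wire, but anything typed afterwards does not, which is why the session itself needs an encrypted transport.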