Point (2) is not true. VNC can be configured to only accept connections from
the loopback address, if desired. (3) is true, but has mitigating factors.
If you use a tunneling protocol that uses authentication, such as ssh, you
have a record of who opened the forwarded ports. You can also do security
based on host identity with SSH; it even has a public/private key system to
make sure the host is who it claims to be.

-----Original Message-----
From: Dave Dyer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 16, 2001 1:17 PM
To: [EMAIL PROTECTED]
Subject: embedding secure tuneling (zebedee) in vnc

Tunneling works with VNC, but isn't a really satisfactory
solution for several reasons.
(1) it's a pain to set up initially,
(2) even if used properly, the insecure VNC port is still open.
(3) using a tunnel server opens another point of attack on the host
machine: for example, ZeBeDee's default server mode opens redirection
of all ports. If misconfigured in this way, any incoming request can
appear to be from the local host; and in any case, security measures
based on host identity are useless.