[despammed] VNC is "hackable" (was "VPN and VNC")
Thu Aug 29 05:46:00 2002
On Wed, 28 Aug 2002, Wes Groleau wrote:
> Mike Miller wrote:
> > difficult for someone to get into my box by a VNC exploit. Am I
> > wrong? Wouldn't they have to sniff packets and decrypt to get the
> > password? I suppose it can be done, but I don't know that anyone is
> > doing it.
> Unless you have added encryption to it, the passwords are not encrypted.
Please explain the discrepancy between the claim above and FAQ #55:
"VNC uses a challenge-response password scheme to make the initial
connection: the server sends a random series of bytes, which are encrypted
using the password typed in, and then returned to the server, which checks
them against the 'right' answer."
It seems to me that Wes is incorrect. The password is encrypted, but the
encryption is not particularly strong. Someone would have to have a
VNC-specific decrypting program working with their sniffer to get the
password. Which is as I thought: More work than most people would bother