VNC is "hackable" (was "VPN and VNC")
Jonathan Morton
chromi@chromatix.demon.co.uk
Fri Aug 30 08:18:00 2002
>>>Unless you have added encryption to it, the passwords are not encrypted.
>>
>>Please explain the discrepancy between the claim above and FAQ #55:
>
>I will freely admit that I have not studied the source code
>thoroughly. I can think of three possible explanations for
>the discrepancy. There may be others.
>
>1. This feature was added in the last four months.
>
>2. The document you cited is inaccurate.

Passwords are authenticated on-the-wire using a challenge/response
algorithm. For storage on the server, they are typically stored in a
reversible, obfuscated fashion, but not really encrypted. The
rationale, I believe, is that if you can read the password from the
machine, it's as good as hacked anyway without VNC's help.

>3. Several people on VNC mailing lists don't know
> as much as they seem to know.

I think most of the "old timers" know enough - VNC is a simple enough
system that it's hard to forget.
--
--------------------------------------------------------------
from: Jonathan "Chromatix" Morton
mail: chromi@chromatix.demon.co.uk
website: http://www.chromatix.uklinux.net/
geekcode: GCS$/E dpu(!) s:- a21 C+++ UL++ P L+++ E W+ N- o? K? w--- O-- M++$
V? PS PE- Y+ PGP++ t- 5- X- R !tv b++ DI+++ D G e+ h+ r++ y+(*)
tagline: The key to knowledge is not to rely on people to teach you it.
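
Added example, not part of the original message and not VNC's own code: a minimal challenge/response exchange showing why the password never crosses the wire, while the server still has to keep it in a recoverable form. HMAC-SHA256 and the fixed-key XOR are stand-ins chosen so the sketch runs with the Python standard library; they are not VNC's actual algorithms, and all names and values below are constructed.

```python
import hashlib
import hmac
import os

# Assumption: one fixed obfuscation key shared by every installation (constructed value).
FIXED_KEY = bytes.fromhex("1f2e3d4c5b6a7988")

def obfuscate(data: bytes) -> bytes:
    """Reversible XOR with the fixed key; applying it twice restores the input."""
    return bytes(b ^ FIXED_KEY[i % len(FIXED_KEY)] for i, b in enumerate(data))

def response(password: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the password without sending it."""
    return hmac.new(password, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self, password: bytes):
        # What sits in server storage: obfuscated, not hashed.
        self.stored = obfuscate(password)
        self.challenge = None

    def new_challenge(self) -> bytes:
        self.challenge = os.urandom(16)  # fresh random value per attempt
        return self.challenge

    def verify(self, resp: bytes) -> bool:
        if self.challenge is None:
            return False
        challenge, self.challenge = self.challenge, None  # single use
        # The server must recover the password to compute the expected answer,
        # which is why a one-way hash of the password cannot be stored instead.
        expected = response(obfuscate(self.stored), challenge)
        return hmac.compare_digest(expected, resp)

def demo() -> dict:
    password = b"s3cret-pw"  # constructed sample
    server = Server(password)
    c1 = server.new_challenge()
    r1 = response(password, c1)
    results = {"password_on_wire": password in c1 + r1,
               "login_ok": server.verify(r1)}
    server.new_challenge()                    # next attempt, new challenge
    results["replay_ok"] = server.verify(r1)  # captured response is useless now
    # Anyone who can read the stored value and knows the fixed key gets the password.
    results["recovered_from_storage"] = obfuscate(server.stored) == password
    return results

if __name__ == "__main__":
    print(demo())
```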