Re: automatic encryption
Tue Feb 18 09:22:00 2003
I had the time to look into zvnc, and I found it to be "cool". It is
indeed impressive, in terms of simplicity. However, this is one more
proof that you cannot really "make encryption simple". But let's start
with the beginning: the model. You have a tool which uses zebedee to
tunnel tcp connections to vnc. What's wrong with this picture? The
problem is: even if you firewall the "non-encrypted" ports you still
rely on zebedee AND vnc for the server security. Now it's clear, if
you have a hole in VNC OR in zebedee the server security is gone. On
the other hand, if you have a vpn+vnc or ssh+vnc setup (and of course
you firewall the vnc port, this is the first thing to do if you use
ANY encrypted setup) then you have a problem only if you have a
problem with ssh (or whatever tunnel software you're using). In fact
a normal server (without anyone connecting to it) will be
safer with normal vnc than with zvnc. And I am not talking about any
bugs, only about the model.

Now, about the encryption. I don't have time to investigate in
detail, but it looks like there is no authentication between the
server and client. I mean the client doesn't know who it is talking to.
Most people think it's simpler to sniff some traffic; actually in
most cases it's easier to impersonate the server (and in most cases if
the attacker can sniff the traffic he can also hijack a connection or
impersonate the server). And of course, if the attacker can
impersonate the server then it's game over in more than one way.

Bottom line: is zvnc a bulletproof solution? No. I wouldn't use it
to access my home computer (leave aside the fact that it's windows
only). But there are people using plain vnc over the internet, or win2k
machines without one patch, or setups like root / no password. I think
zvnc is better :-). Does zvnc have a future? Probably yes, I would
say. I would prefer of course a trusted solution, like ssh (and you
get also file transfer capabilities, which are needed sooner or
later), but as we have seen there is a need for an "all in one" tool.
Saturday, February 15, 2003, 22:11:47, Dave wrote:
DD> It's time for my periodic plug and plea for encryption support
DD> in the major branches of VNC.
DD> The plug: zvnc is a variant for windows which incorporates the
DD> same encryption as tunneling with zebedee into regular vnc. It's
DD> been in use for over a year now, with many users and no complaints.
DD> Unlike tunneling with zebedee or ssh, it's trivial to set up and use.
DD> See: http://home.attbi.com/~davedyer/znc/zvnc.html
DD> The plea: It's not my intent to start or support a new major branch
DD> of vnc. I took some pains to make this branch minimally invasive
DD> to the vnc sources - all the hair is in an external library based
DD> on zebedee. I fervently hope the maintainers of the main branches
DD> of vnc will give it a look.
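The point made above about the client not knowing who it is talking to is easiest to see with a small worked walkthrough. The following is an added, constructed example (not zvnc's or zebedee's code, and not a description of how either of them works): a toy Diffie-Hellman key agreement in which the client accepts whatever public value arrives, beside the same exchange where the server's value is authenticated with a pre-shared secret so the client can refuse an impersonator. The group parameters, private exponents and pre-shared key are all made-up toy values, and the HMAC-over-the-server-value design is one assumed way of adding server authentication; pinning a static server key, as ssh does, is the other common one.

```python
"""Toy key-exchange walkthrough: encryption without server authentication.

Constructed illustration, not zvnc/zebedee code. It shows why a client that
agrees a session key with "whoever answers" cannot tell the real server from
an impersonator, and how authenticating the server's key-exchange value lets
the client reject the impersonator.
"""
import hashlib
import hmac

# Toy Diffie-Hellman group, constructed for illustration only; far too small
# for real use. Values stay below 2**127, so a 16-byte encoding always fits.
P = 2**127 - 1
G = 5
ENC_LEN = 16


def dh_public(private: int) -> int:
    """Public value g^x mod p for a private exponent x."""
    return pow(G, private, P)


def dh_session_key(peer_public: int, private: int) -> bytes:
    """Session key derived from the peer's public value and our private exponent."""
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(ENC_LEN, "big")).digest()


def server_tag(psk: bytes, server_public: int) -> bytes:
    """Authenticator over the server's public value under a pre-shared key (assumed design)."""
    return hmac.new(psk, server_public.to_bytes(ENC_LEN, "big"), hashlib.sha256).digest()


def unauthenticated_exchange(client_priv: int, server_priv: int, mitm_priv=None):
    """Key agreement where the client accepts any public value it receives.

    Returns (client_key, server_key, mitm_keys). Without an attacker both keys
    match and mitm_keys is None. With an attacker in the path, the attacker
    substitutes its own public value in both directions and ends up holding a
    key shared with each side, i.e. it impersonates the server to the client.
    """
    client_pub = dh_public(client_priv)
    server_pub = dh_public(server_priv)
    if mitm_priv is None:
        return (dh_session_key(server_pub, client_priv),
                dh_session_key(client_pub, server_priv), None)
    mitm_pub = dh_public(mitm_priv)
    client_key = dh_session_key(mitm_pub, client_priv)   # client believes this came from the server
    server_key = dh_session_key(mitm_pub, server_priv)   # server believes this came from the client
    mitm_keys = (dh_session_key(client_pub, mitm_priv),  # key the attacker shares with the client
                 dh_session_key(server_pub, mitm_priv))  # key the attacker shares with the server
    return client_key, server_key, mitm_keys


def authenticated_exchange(client_priv: int, server_priv: int, psk: bytes, mitm_priv=None):
    """Same exchange, but the server's public value carries an HMAC under psk.

    The client verifies the tag before deriving a key. Returns
    (client_key, server_key), or None when the client rejects the peer.
    """
    server_pub = dh_public(server_priv)
    if mitm_priv is None:
        presented_pub, presented_tag = server_pub, server_tag(psk, server_pub)
    else:
        # An attacker can swap in its own value but holds no psk to tag it with;
        # the best it can do is a tag under some key of its own.
        presented_pub = dh_public(mitm_priv)
        presented_tag = server_tag(b"attacker guess", presented_pub)
    expected = server_tag(psk, presented_pub)
    if not hmac.compare_digest(presented_tag, expected):
        return None  # client refuses: it cannot confirm who it is talking to
    client_key = dh_session_key(presented_pub, client_priv)
    server_key = dh_session_key(dh_public(client_priv), server_priv)
    return client_key, server_key


if __name__ == "__main__":
    # Constructed toy private exponents and pre-shared secret.
    c, s, m, psk = 123456789, 987654321, 555555555, b"constructed pre-shared secret"
    ck, sk, mk = unauthenticated_exchange(c, s, m)
    print("unauthenticated, attacker in path: client key == server key?", ck == sk)
    print("attacker shares the client's key?", mk[0] == ck, "and the server's key?", mk[1] == sk)
    print("authenticated, attacker in path: client accepts?",
          authenticated_exchange(c, s, psk, m) is not None)
```

Run stand-alone, the script shows the two outcomes side by side: in the unauthenticated exchange the client and server end up with different keys while the attacker holds both, which is exactly the "encrypted, but to whom?" situation described above; in the authenticated exchange the client rejects the substituted value because the tag does not verify under the shared secret. Whether the real product authenticates its peer is something to check in its own documentation; this block only illustrates the property being asked for.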