Re: automatic encryption
Tue Feb 18 20:09:01 2003
I think Most people here understand the limitations of this encryption,
but I think a great many of us are just looking to not have passwords
going out in plain text. Right now, I believe that deploying ssh in a
windows environment is not feasible on a corporate level. When I can
double click on a vnc icon and it will connect using an ssh tunnel, and
when I feel that Cgywin is cleaned up enough and I don't think it poses
security problems I might set it up. For now at least zvnc is slightly
Of course I would really like to see a plugin for ultravnc which I am
planning on deploying around version 1.1
From: email@example.com [mailto:firstname.lastname@example.org]
Sent: Tuesday, February 18, 2003 4:15 AM
Subject: Re: automatic encryption
I had the time to look into zvnc, and I found it to be "cool". It is
indeed impressive, in terms of simplicity. However, this is one more
proof that you cannot really "make encryption simple". But let's start
with the beginning: the model. You have a tool which uses zebedee to
tunnel tcp connections to vnc. What's wrong with this picture ? The
problem is: even if you firewall the "non-encrypted" ports you still
rely on zebedee AND vnc for the server security. Now it's clear, if you
have a hole in VNC OR in zebedee the server security is gone. On the
other hand, if you have a vpn+vnc or ssh+vnc setup (and of course you
firewall the vnc port, this is the first thing to do if you use ANY
encrypted setup) then you have a problem only if you have a problem with
ssh (or whatever tunnel software you're using). In fact a normal server
(without anyone connecting to it) will be safer with normal vnc than
with zvnc. And I am not talking about any bugs, only about the model.
Now, about the encryption. I don't have time to investigate in details,
but looks like there is no authentification between the server and
client. I mean the client doesn't know who is talking to. Most people
think it's simpler to sniff some traffic; actually in most cases it's
easier to impersonate the server (and in most cases if the attacker can
sniff the traffic he can also hijack a connection or impersonate the
server). And of course, if the attacker can impersonate the server then
it's game over in more than one way.
Bottom line: zvnc it's a bulletproof solution ? No. I wouldn't use it to
access for my home computer (leave aside the fact that it's windows
only). But there are people using plain vnc over internet, or win2k
machines without one patch, or setups like root / no password. I think
zvnc is better :-). Does zvnc has a future ? Probably yes, I would say.
I would prefer of course a trusted solution, like ssh (and you get also
file transfer capabilities, which are needed sooner or later), but as we
seen there is a need for a "all in one" tool.
Saturday, February 15, 2003, 22:11:47, Dave wrote:
DD> It's time for my periodic plug and plea for encryption support in
DD> the major branches of VNC.
DD> The plug: zvnc is a variant for windows which incorporates the same
DD> encryption as tunneling with zeebeedee into regular vnc. It's been
DD> in use for over a year now, with many users and no complaints.
DD> Unlike tunneling with zeebeedee or ssh, it's trivial to set up and
DD> See: http://home.attbi.com/~davedyer/znc/zvnc.html
DD> The plea: It's not my intent to start or support a new major branch
DD> of vnc. I took some pains to make this branch minimally invasive to
DD> the vnc sources - all the hair is in an external library based on
DD> zeebeedee. I fervently hope the maintainers of the main branches of
DD> vnc will give it a look.
VNC-List mailing list