VNC and SSL

Orin Eman orin@drizzle.com
Wed Jul 30 19:41:01 2003


Depends on how the jave viewer got to the client machine.
I suppose there could be a trojan version lying around...,
but there could be of the binary viewer too.

The LapLink version uses SSL to download the jar file too,
so there shouldn't be a problem if you have a real certificate
on the host.  If it's using a self-signed certificate,
then the browser usually throws up a bunch of warnings (if not,
then it's your fault for not configuring the browser's security correctly).
Really, ssh isn't usually any better if the client machine is one
that you don't control.

Orin.

> ----- Original Message ----- 
> From: "Beerse, Corni" <c.beerse@torex-hiscom.nl>
> To: "'Dominik Stok?osa'" <osa@man.poznan.pl>; <vnc-list@realvnc.com>;
> <listbox_8811@hotmail.com>
> Sent: Tuesday, July 29, 2003 4:29 AM
> Subject: RE: VNC and SSL
> [snip]
> > If you need to use ssl, then security is required.
> > If  security is required, then you should not use the java viewer. Having
> > the java viewer active is kind of like having the ladder out at night. Its
> > like giving the hackers the tool they need.
> >
> > If you need access over a public network, use the binary viewer for your
> > desktop.
> 
> Why again is the JavaViewer more insecure than the native client? After all,
> it's just a jar file that connects to the same exact port as the native
> client. Perhaps having the webserver would be a risk, but you could have
> apache serve the applets (as long as it appears to be on the same machine).
> 
> Rach
> _______________________________________________
> VNC-List mailing list
> VNC-List@realvnc.com
> To remove yourself from the list visit:
> http://www.realvnc.com/mailman/listinfo/vnc-list