Christopher Mc Carthy
Tue Sep 16 17:33:00 2003
I'm a bit confused.
I currently use VNC (the Tight flavour) through an SSH tunnel, so I'm
not really concerned, but I thought (from other discussions found in the
archives) that VNC was *quite* secure as info/updates was/were sent over
the network as images (increasingly compressed, using either Tight or
the new VNC 4 encoding).
So this assumption is *wrong*, and any text typed in a VNC window is in
fact sent as plain text, and so *easily* tapped??? [[ this is what
"information entered into fields is transmitted as text inside the
packet" leads me to conclude ]].
Thanks for any definitive light on the subject.
>[mailto:firstname.lastname@example.org] On Behalf Of
>Sent: 16 September 2003 13:00
On Sun, Sep 14, 2003 at 01:51:58PM -0500, Mike Miller wrote:
>On Sat, 13 Sep 2003, Michael Herman wrote:
>> I would like to point out that VNC is not secure.
>> From the realVNC FAQ:
>> > Is VNC secure?
>> >The only really secure computer is one without a network. VNC
>> >requires a password when a viewer tries to connect to a server. This
>> >is encrypted to deter snooping, but the following graphical data,
>> >protocol, is not.
>> In other words, if you are using VNC across the Internet without some
>> sort of tunnel (SSH, IPSEC, PPTP), you are exposing your data and
>> information to the world.
>> Please, please, please be careful.
>Thank you for your concern. I hear that it is possible for someone
>snooping network traffic to set up a program that will decode the VNC
>stream and allow them to see what I'm doing. Is that true? I think that
>most packet sniffing is limited to searching plain text for
>username/password. Am I wrong?
'Decoding' the packet stream isn't all that difficult. The information
entered into fields is transmitted as text inside the packet. Usernames,
passwords, credit card information, etc. will all be visible to a hacker
is looking for it.
Please don't think I am down on VNC. I think it is a great tool and I
all the time, both securely and insecurely. I think it is important to
remember that VNC does not provide a security mechanism other than the
encrypted password. It's also important to remember that most of the
(web, email, chat, news, etc) are insecure. You wouldn't give your
card on the web without HTTPS (encrypted, secure web page) would you?
I posted my original e-mail after an off-list discussion with someone
using Windows 98 on both the client and server, wanted to connect to
This person appeared to be, from their e-mail signature, an human
director for a company. HR people generally deal in confidential
information and I certainly would want the HR people at the company I
to not expose any information about me to the web without some security