Secure VNC

William Hooper whooper "at" freeshell.org
Fri Mar 12 00:03:01 2004


Mike Miller said:
> On Thu, 11 Mar 2004, Scott C. Best wrote:
>
>> Heya. Here's some info I've collected over the years regarding
>> securing VNC connections:
>>
>> http://faq.gotomyvnc.com/fom-serve/cache/28.html
>
>
> But that page says that VNC communicates in "plain text" and I've been
> told repeatedly that it is using some sort of X protocol that is not plain
> text.  It's not encrypted, but it isn't plain text either.  This is
> important because any sniffer could easily read any plain text, but it
> takes a little work to read the VNC communications.

Don't kid yourself, it is trivial.
http://users.tpg.com.au/adsln4yb/chaosreader.html

In fact, the author gives the impression getting the VNC data is easier
than getting plain X11 data.

> More importantly, the
> password is encrypted -- some would say that it isn't encrypted very well,
> but it is encrypted.

Yes, the password verification is a "challenge-response password scheme". 
Everything after that is free for the taking.

-- 
William Hooper
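
The point made above, that only the password check uses a challenge-response and the rest of the session crosses the wire unencrypted, shown as an added example that is not part of the original post: a parser for the server side of an RFB 3.3 session start (field layout per RFC 6143), run over a constructed byte string. The sample bytes, the desktop name and the function name are assumptions made for illustration.

```python
import struct

NAME = b"alice's X desk"  # constructed desktop name
# Constructed sample (not real traffic): server-to-client bytes at the start
# of an RFB 3.3 session, as reassembled from a packet capture.
SAMPLE_SERVER_STREAM = (
    b"RFB 003.003\n"                    # ProtocolVersion banner, plain ASCII
    + struct.pack(">I", 2)              # security type 2 = VNC authentication
    + bytes(range(16))                  # 16-byte challenge (constructed)
    + struct.pack(">I", 0)              # SecurityResult, 0 = OK
    + struct.pack(">HH", 1024, 768)     # ServerInit: framebuffer width, height
    + struct.pack(">BBBBHHHBBB3x", 32, 24, 0, 1, 255, 255, 255, 16, 8, 0)
    + struct.pack(">I", len(NAME)) + NAME
)


def parse_rfb33_server_stream(data):
    """Return what a passive observer can read from the server side of an
    RFB 3.3 session start. Hypothetical helper, not from any VNC project."""
    if len(data) < 12 or not data.startswith(b"RFB ") or data[11:12] != b"\n":
        raise ValueError("not an RFB stream")
    info = {"version": data[4:11].decode("ascii")}
    off = 12
    (sec_type,) = struct.unpack_from(">I", data, off)
    off += 4
    info["security_type"] = sec_type
    if sec_type == 2:
        # Only this exchange is protected: a random challenge whose
        # response (sent by the client) proves knowledge of the password.
        info["challenge"] = data[off:off + 16]
        (result,) = struct.unpack_from(">I", data, off + 16)
        off += 20
        info["auth_ok"] = result == 0
        if not info["auth_ok"]:
            return info
    elif sec_type != 1:  # 1 = no authentication; anything else is not handled
        raise ValueError("unsupported security type %d" % sec_type)
    # Everything from ServerInit onward is unencrypted protocol data.
    width, height, bpp = struct.unpack_from(">HHB", data, off)
    off += 4 + 16  # skip width/height and the 16-byte PIXEL_FORMAT
    (name_len,) = struct.unpack_from(">I", data, off)
    name = data[off + 4:off + 4 + name_len]
    if len(name) != name_len:
        raise ValueError("truncated ServerInit")
    info.update(width=width, height=height, bits_per_pixel=bpp,
                desktop_name=name.decode("latin-1"))
    return info
```

Calling `parse_rfb33_server_stream(SAMPLE_SERVER_STREAM)` returns the protocol version, framebuffer geometry and desktop name without any key material, which is why tunnelling VNC over SSH or a VPN is the usual mitigation.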