Secure VNC

Mike Miller mbmiller "at" taxa.epi.umn.edu
Fri Mar 12 01:08:00 2004


On Thu, 11 Mar 2004, William Hooper wrote:

> Mike Miller said:
>
> > But that page says that VNC communicates in "plain text" and I've been
> > told repeatedly that it is using some sort of X protocol that is not
> > plain text.  It's not encrypted, but it isn't plain text either.
> > This is important because any sniffer could easily read any plain
> > text, but it takes a little work to read the VNC communications.
>
> Don't kid yourself, it is trivial.
> http://users.tpg.com.au/adsln4yb/chaosreader.html
>
> In fact, the author gives the impression getting the VNC data is easier
> than getting plain X11 data.

In other words, there is a continuum of difficulty and VNC is harder to
get than is plain text (e.g., telnet).



> > More importantly, the password is encrypted -- some would say that it
> > isn't encrypted very well, but it is encrypted.
>
> Yes, the password verification is a "challenge-response password
> scheme".  Everything after that is free for the taking.


How secure is that password exchange?  Has anyone developed a way to crack
it?

Mike