6 million $ question....
S. I. Becker
stewart "at" sibecker.co.uk
Thu Sep 28 12:01:03 2006
Adrian Powell wrote:
> Is Real VNC considered currently safe enough (generally) to use across the
> internet?
Free edition: NO! It is not encrypted, and although the password is
checked securely, you can only have a password of a maximum length of 8
characters. Any keypresses (for typing passwords, etc.) you send within
the session are sent "in the clear." Similarly, if the work you are
doing on screen is sensitive, that is not encrypted. However, you can
tunnel VNC through a VPN or SSH connection. Try googling "VNC and SSH
HOWTO" or "VNC and VPN HOWTO" for details on how to go about this.
It is my understanding that RealVNC Personal edition and Enterprise
edition address these issues. There are also variants on different
versions of RealVNC Free edition that have encryption added in, such as
VeNCrypt, maintained by myself and Martin Koegler. See
http://sourceforge.net/projects/vencrypt for details.
> Googling for VNC exploits appears to imply that there have been many
> vulnerabilities
> in the past, and having free source code available only compounds the
> security risk.
Open source does not make it any more/less secure than any other
solution. Many security schemes are open, either from open source
implementations or the algorithm is publicly known. There is no
security in hiding your method - considerably less in fact, since that
means fewer people can analyse the situation. For example, ssh is open
source but considered a very secure mechanism.
Stewart Becker