Jason Montleon wrote:
>Imagine starting up VNC, having no intention of opening port 59xx, and
>intending to use SSH tunneling to connect to the service.
>
>You think you're being more diligent only to later find out the service
>is actually exposed by the default firewall policy.

When I looked at VNC many years ago it was one of those programs that think "I don't need to bother with security. Someone else makes me secure somehow. I don't know how and I don't care." Your wording suggests that the VNC you refer to still works that way.

You have to be very careful and know exactly what you're doing if you use such programs. That "someone else" who makes them secure, that's you, the user, because no one else is doing it. If you fail to check whether you have a packet filter, then you're not being careful enough.

The problem isn't that you're careless. The insecure program is the problem. Programs like that should come with big red warning labels saying not to touch them unless you know exactly what you're doing – but they don't, because they assume that someone else takes care of everything security-related.

The better solution is for VNC to take responsibility for its own security. It could do so by using TLS, by integrating with SSH, or by requesting IPsec from the operating system. It should refuse to communicate without one of those encryption protocols, or at the very least require the user to explicitly turn off security.

These days there seem to be several VNC variants that support some form of encryption. I don't know what their defaults are, but maybe some of them are responsible enough to not communicate insecurely.

Björn Persson
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
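
An added example, not part of the original messages: one way to check the situation discussed in this thread, a VNC server meant to be reached only through an SSH tunnel, is to confirm that its 59xx listener is bound to loopback rather than relying on the packet filter alone. The sketch below parses `ss -Hltn` output; the sample lines are constructed and the function names are hypothetical.

```python
import ipaddress

VNC_PORTS = range(5900, 6000)  # the "59xx" range from the quoted message

# Constructed sample of `ss -Hltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 5 0.0.0.0:5901 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5902 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:5903 [::]:*
LISTEN 0 5 *:5904 *:*
LISTEN 0 5 192.0.2.10%eth0:5905 0.0.0.0:*
"""

def is_loopback_only(addr):
    """True if the bind address is reachable only from the local host."""
    addr = addr.strip("[]").split("%", 1)[0]  # drop brackets and %iface scope
    if addr == "*":
        return False  # wildcard: every interface
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable: treat as exposed so it gets reviewed

def exposed_vnc_listeners(ss_output):
    """Return (address, port) for 59xx listeners not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in VNC_PORTS:
            continue
        if not is_loopback_only(addr):
            findings.append((addr, int(port)))
    return findings

if __name__ == "__main__":
    for addr, port in exposed_vnc_listeners(SAMPLE_SS_OUTPUT):
        print(f"VNC listener on {addr}:{port} is not loopback-only")
```

A listener that passes this check can only be reached locally, for example through the SSH tunnel, regardless of what the firewall policy allows.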