Thanks for posting a nice overview, Scott. Though I've used vnc a bit, I've
only used it on a small, safe LAN, so I haven't looked at the security
issues closely before. I wonder if you could clarify a couple of things.

First, when you write ...

>
>3. Unlike telnet and others, the connection password is not sent
>   entirely in clear text.

... what does the qualifier "entirely" signify? Can the VNC password be
sniffed or not?

Second, once you are connected, my understanding is that the connection
itself is unencrypted. So, to pick the troubling example, if you are
connected as someuser, and you su to root in an xterm window, the root
password travels in the clear. Am I wrong in any of this understanding?

Third, the concept of being logged in as a particular user has meaning for
Linux and newer versions of Windows. But not older versions of Windows, such
as Win98, which has no real permissions controls.
 
These considerations all say to me that if you use VNC over the Internet,
you should do it through a well-encrypted tunnel. (I'd say the same thing
for other remote-control apps as well, of course, unless they have good,
built-in encryption. Generally, I think even most sysadmins are too trusting
... but then, I always thought Fox Mulder was too trusting of the
cigarette-smoking man too).

At 09:26 PM 3/21/02 +0000, Scott C. Best wrote:
>
>       Some quick feedback to the security-conscious hyperbole
>about VNC that's flown across the list recently. In my experience,
>it's not exactly true that VNC has "very little" in the way of
>security. Some features it has (and I've used):
[details deleted]


--
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA                                    [EMAIL PROTECTED]        
----------------------------------------------------------------


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
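An added example, not part of Ray's or Scott's posts, showing the "well-encrypted tunnel" setup the message above recommends: an SSH port-forward that carries VNC display :1 (TCP 5901) to the local machine, plus a check that the VNC server on the far end is bound to loopback only, so the tunnel is the only way in. The user name, host name and display number are assumptions for illustration, and the socket listing fed to the check is a constructed sample in the format of `ss -ltn`.

```shell
#!/bin/sh
# Added example (not from the original posts). Assumptions: user "ray",
# host "vnc.example.org", VNC display :1. The socket table used by the
# demo is constructed here, not captured from a real machine.

# Build the SSH command that forwards local TCP 5900+display to the same
# port on the server's loopback interface. The viewer then connects to
# localhost:<display>; the RFB traffic (including any password typed into
# an xterm on the far side) travels inside the SSH session.
vnc_tunnel_cmd() {
    user=$1; host=$2; display=$3
    port=$((5900 + display))
    printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' "$port" "$port" "$user" "$host"
}

# Read an `ss -ltn` (or `netstat -ltn`) listing on stdin and report every
# RFB display port (5900-5999) that is NOT bound to 127.0.0.1 or [::1].
# A tunnel does not help if the server still accepts direct connections.
# Returns 0 when all VNC listeners are loopback-only, 1 otherwise.
check_vnc_loopback_only() {
    bad=$(awk '
        # local address is column 4 of ss -ltn, e.g. 0.0.0.0:5901 or [::]:5901
        NR > 1 {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port ~ /^59[0-9][0-9]$/ && addr != "127.0.0.1" && addr != "[::1]")
                print $4
        }')
    if [ -n "$bad" ]; then
        printf 'VNC reachable off-host on: %s\n' "$bad"
        return 1
    fi
    return 0
}

# Constructed sample listings (not real output): one safe, one exposed.
SAMPLE_SS_SAFE='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 5 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_SS_EXPOSED='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 5 0.0.0.0:5901 0.0.0.0:*
LISTEN 0 5 [::]:5902 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Run by hand to see both the tunnel command and the check in action.
demo() {
    vnc_tunnel_cmd ray vnc.example.org 1
    printf '%s\n' "$SAMPLE_SS_SAFE" | check_vnc_loopback_only && echo "safe: ok"
    printf '%s\n' "$SAMPLE_SS_EXPOSED" | check_vnc_loopback_only || echo "exposed: fix server"
}
```

On the server side the loopback binding is normally a server option (for example `vncserver -localhost` in the TightVNC/RealVNC Unix scripts); run the check on the server after starting VNC, then bring the tunnel up from the client and point the viewer at `localhost:1`.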
