Mike Miller wrote:
> 
> Here's a simple question:  Why can't VNC server and viewer just use
> established SSH protocols to communicate?  Incorporate OpenSSH code into
> the server and PuTTY (or whatever) code into the viewer.  Isn't that
> workable? 

Then what happens when an exploit for OpenSSH is discovered? That's
the problem with 'incorporating' OpenSSH into VNC, you've then got
to keep that code in sync with any security fixes to OpenSSH, and
that's suddenly more of a job. Also, openssh isn't a stand-alone
package:

[root@bychan src]# rpm -qR openssh
rpmlib(VersionedDependencies) <= 3.0.3-1
initscripts >= 5.20
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
ld-linux.so.2
libcrypto.so.1
libc.so.6
libdl.so.2
libnsl.so.1
libutil.so.1
libz.so.1
libc.so.6(GLIBC_2.0)
libc.so.6(GLIBC_2.1)
libc.so.6(GLIBC_2.1.3)
libc.so.6(GLIBC_2.2)

Leaving aside the initscripts, ld, various libcs and libdl, that's
libcrypto (from openssl for crypto routines, natch) and libz
(zlib compression). Now libz has had a security update in the
past 12 months after a double-free problem, and openssl has also
had vulnerabilities recently. All of a sudden, VNC developers have
to keep up with three other codebases. Also, *implementing* crypto
properly, even if starting from others' code, is *damn difficult* -
and probably not something you want to be dabbling with if it's
not your forte. There are plenty of encrypting Windows versions of
VNC to be had, but unless somebody's got a really good idea about
incorporating encryption in the RealVNC cross-platform codebase, I'd
rather leave it out.

-- 
Illtud Daniel                                 [EMAIL PROTECTED]
Uwch Ddadansoddwr Systemau                       Senior Systems Analyst
Llyfrgell Genedlaethol Cymru                  National Library of Wales
Yn siarad drosof fy hun, nid LlGC   -  Speaking personally, not for NLW
_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
http://www.realvnc.com/mailman/listinfo/vnc-list
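
An added example, not part of the original message or of any project it mentions: a shell filter that reduces the `rpm -qR openssh` output quoted above to the upstream codebases whose security advisories would need tracking if the code were bundled. The libcrypto and libz mappings follow the message; the function names and the treatment of libnsl and libutil as part of glibc are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample: the `rpm -qR openssh` output quoted in the message.
sample_requires() {
cat <<'EOF'
rpmlib(VersionedDependencies) <= 3.0.3-1
initscripts >= 5.20
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
ld-linux.so.2
libcrypto.so.1
libc.so.6
libdl.so.2
libnsl.so.1
libutil.so.1
libz.so.1
libc.so.6(GLIBC_2.0)
libc.so.6(GLIBC_2.1)
libc.so.6(GLIBC_2.1.3)
libc.so.6(GLIBC_2.2)
EOF
}

# upstreams_to_track PACKAGE  (hypothetical helper; reads `rpm -qR` output on stdin)
# Prints PACKAGE, then one upstream per line for each linked library that is
# not part of the base C library, with duplicates removed.
upstreams_to_track() {
    printf '%s\n' "$1"
    awk '
        /^rpmlib\(/    { next }        # rpm feature flags, not code
                       { name = $1 }
        name !~ /\.so/ { next }        # package-level deps such as initscripts
        {
            sub(/\(.*$/, "", name)     # libc.so.6(GLIBC_2.0) -> libc.so.6
            sub(/\.so.*$/, "", name)   # libz.so.1 -> libz
        }
        # Loader and libraries shipped with glibc (assumption for libnsl, libutil)
        name ~ /^(ld-linux|libc|libdl|libnsl|libutil)$/ { next }
        name == "libcrypto" { name = "openssl" }   # mapping stated in the message
        name == "libz"      { name = "zlib" }      # mapping stated in the message
        !seen[name]++       { print name }         # unmapped libraries pass through
    '
}

sample_requires | upstreams_to_track openssh
```

On a live system the same filter can be fed directly, for example `rpm -qR openssh | upstreams_to_track openssh`.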
