I acknowledge that knowing the version of VNC running on the computer could help a hacker know what exploits to try on your system first, but security by obscurity is never the answer and just hiding the version doesn't take the vulnerability away. Hence, it is not a significant increase in security risk to advertise the version if you are already advertising the port. This feature would do so much more help than any hypothetical risk. I really hope that it becomes standard in future versions.
- Steve Bostedor
http://www.vncscan.com

-----Original Message-----
From: William Hooper [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 18, 2003 2:38 PM
To: [EMAIL PROTECTED]
Subject: RE: Wish: Version Query

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steve Bostedor
> Ya know, it'd be cool if there was a way to connect to the
> VNC port on a computer, issue a command, and get back the
> flavor and version that is running on that computer. If
> anybody feels like adding new features to VNC, this would be awesome!
>
> -Steve Bostedor

For this to be useful EVERY version of VNC would need to include it, so older versions would still be unknown. This would also be an unnecessary security risk. If you know what flavor/version of VNC is running you can use a (hypothetical) exploit against people that haven't updated. Assuming all the versions conform to the VNC spec, the clients and servers can be interchanged with a basic level of compatibility without this information.

--
William Hooper
_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
http://www.realvnc.com/mailman/listinfo/vnc-list