Hi list and Bryan.
I really think a lot of why VNC doesn't have built-in OpenSSL encryption is
the organic need to make things difficult, thereby requiring one to be a
propeller-head to use it.
It is usually the people who want to profit by a technology--that see the
need to find easy solutions--who take it to the "next level" (i.e. WinZip
over infozip).
Making encryption easy violates the clique.
Doug.
----- Original Message -----
From: "Bryan A. Pendleton" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 24, 2001 5:28 PM
Subject: Stream encryption - is it time?
> The developers at AT&T have stated that they don't wish to include many
> widely-requested features because they are better handled elsewhere.
> Notable entries on the list include file transfer, sound, printing, and
> encryption. While I agree with the first 3 from the "KISS" principle, the
> last one raises some questions.
>
> What is it that most users of VNC use VNC for? Remote access to their
> desktop? Remote administration? In any and all of the above cases, a
> typical usage scenario includes accessing VNC over a path which includes a
> non-secured network, where a hacker or other nefarious person might gain
> information they shouldn't, just by passively listening on the line.
>
> This, and the recent fervor over the dangerously breakable authentication
> mechanism leads me to suggest that it might be time to bring security into
> VNC. Pair that with the common security-industry concern that non-integral
> security is essentially no security at all, and I think it's time for some
> of us to do some development. Commodity encryption layers like IPSEC are,
> unfortunately, far from being common on every desktop.
>
> Who's with me? I'd like to start talking about how we might put a thin but
> solid security layer into VNC. In fact, I'm going to go and start
> scratching around for ideas about how to do it. An early take is
> essentially to add a new authentication method, and write a wrapper around
> the current VNC protocol for the rest. Other approaches (IMHO, more
> difficult to design/develop/deploy) would be to add an "encoding", or
> somehow negotiate it with run-time client messages.
>
> I want to stir up a discussion, but I think the specifics of development
> might be better taken elsewhere. Any developers out there want to help me?
>
> ----------
>
> Bryan Pendleton
<snip>