Security Basics mailing list archives

RE: Remote access solution

From: "Fields, James" <James.Fields () bcbsfl com>
Date: Thu, 27 Feb 2003 07:32:36 -0500

I had started to type up what I thought VNC does on login; then I decided to
simply post this link.  It should answer any question about security around
the initial authentication:

http://www.uk.research.att.com/vnc/faq.html#q55


-----Original Message-----
From: Chris Berry [mailto:compjma () hotmail com] 
Sent: Wednesday, February 26, 2003 1:15 PM
To: security-basics () securityfocus com
Subject: Re: Remote access solution

From: "Mike Jensen" <jenseses () hotmail com>
One thing to keep in mind when using VNC is that even though the inital 
authentication may be secure, anything you type while controlling the 
computer is sent in plain text.  So, if you were to connect to a windows 
machine, for example, then login to or unlock the screen on that machine , 
that password you type is sent across the network in the clear.
Or, you type in your password to check your e-mail on that computer; again,

your password is sent in the clear.

I've always recommended tunneling the whole VNC session through some type 
of encryption method.  (I prefer VPNs)


Actually, I don't think even the initial authentication is secure, you 
should definitely use some sort of encryption (ssh or vpn or both)  
Personally I'd say ssh is fine when you're connecting from one interior 
computer to another, but if you're going to connect from home or something 
I'd say tacking a vpn on top would be a good idea.

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Linux and I have a love/hate relationship.  I hate its complexity until I 
figure out how something works, then I love its power."

_________________________________________________________________
Help STOP SPAM with the new MSN 8 and get 2 months FREE*  
http://join.msn.com/?page=features/junkmail




Blue Cross Blue Shield of Florida, Inc., and its subsidiary and 
affiliate companies are not responsible for errors or omissions in this e-mail message. Any personal comments made in 
this e-mail do not reflect the views of Blue Cross Blue Shield of Florida, Inc.

Current thread:

RE: Remote access solution, (continued)
- RE: Remote access solution Michael Parker (Feb 22)
- RE: Remote access solution Chris Berry (Feb 22)
- Re: Remote access solution Chris Berry (Feb 25)
  - RE: Remote access solution Michael Whang (Feb 26)
- Re: Remote access solution Chris Berry (Feb 25)
  - Re: Remote access solution Mike Dresser (Feb 26)
  - RE: Remote access solution James Butcher (Feb 26)
- Re: Remote access solution Mike Jensen (Feb 26)
- Re: Remote access solution Chris Berry (Feb 26)
- Re: Remote access solution Chris Berry (Feb 26)
- RE: Remote access solution Fields, James (Feb 27)