Security Basics mailing list archives

RE: VNC Security


From: "Steve Bostedor" <Steveb () tshore com>
Date: Tue, 28 Jun 2005 16:24:40 -0400


A while back, we had a pretty long-running and informative thread on VNC
security.  The only VNC that had real encryption built in was the
Enterprise version of RealVNC.  UltraVNC had a DSM plug-in but it was
pretty nasty to get working and was suffering from compatibility
problems.  On top of that, it was very difficult to deploy the UltraVNC
encryption remotely.

I believe that the solution to this on the Windows side is in the new
version of VNCScan at http://www.vncscan.com.  While I believe that this
version of VNC Scan makes UltraVNC encryption very easy to deploy and
use, I'd like to fire up this debate again to see if the ease of
encryption changes anyone's view on the security of VNC.

I would also like to know if there are any security concerns with the
UltraVNC DSM plug-in.  Is the encryption with this method considered as
secure to you as, say, running VNC through an SSH tunnel?  

Just for the record, I don't want to take any credit for the UltraVNC
encryption.  The people working on the open source UltraVNC are awesome
and they deserve a huge pat on the back for this plug-in.  The
contribution that is made with VNC Scan is to make the plug-in very easy
to deploy and use.  :)  

The scenario that I'd like to see people test against would be a Windows
XP or Windows 2000 computer running UltraVNC 1.0.0 server using MS
Windows authentication for VNC and employing the UltraVNC encryption.
If you choose to use VNC Scan to deploy this, these are simply check
boxes in the deployment wizard.

I am very interested in hearing if any security concerns are still out
there despite this new encryption scheme.

Thank you!

Steve Bostedor
http://www.vncscan.com
The Leader in VNC and Terminal Server Management

