I mentioned it previously, but just wanted to be sure that everyone has seen this:
- the "standard" VNC protocol does not offer any encryption of the data (i.e., using a packet capture you can reconstruct the screen content and the user's actions). There are unofficial extensions, but they are not widely supported.
- during "authentication" only the first 8 characters of the password are considered (which makes it quite easy to brute-force)
What you should do:
- tunnel all VNC traffic through something with stronger encryption (like SSH or a VPN)
- make sure that the VNC server is never bound to Internet-facing interfaces (only to VPN interfaces, or to localhost accessed through an SSH tunnel)
- not use VNC at all :-)
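One way to audit the binding recommendation above, as an added example that is not part of the original post: the script parses `ss -H -ltn` output and reports VNC listeners bound to anything other than loopback or an allowed VPN address. The sample output, the 5900-5999 port range and the `10.8.0.1` VPN address are assumptions made for illustration.

```python
import ipaddress

# Assumption: VNC displays :0-:99 on the conventional TCP ports 5900-5999.
VNC_PORTS = range(5900, 6000)

# Constructed sample of `ss -H -ltn` output (State Recv-Q Send-Q Local Peer).
SAMPLE = """\
LISTEN 0 5   127.0.0.1:5901   0.0.0.0:*
LISTEN 0 5     0.0.0.0:5900   0.0.0.0:*
LISTEN 0 128   0.0.0.0:22     0.0.0.0:*
LISTEN 0 5       [::1]:5902      [::]:*
LISTEN 0 5           *:5903         *:*
LISTEN 0 5    10.8.0.1:5904   0.0.0.0:*
LISTEN 0 5 192.0.2.10%eth0:5905 0.0.0.0:*
"""


def exposed_vnc_listeners(ss_output, vpn_addrs=()):
    """Return (address, port) pairs for VNC listeners that are bound to
    anything other than loopback or an explicitly allowed VPN address."""
    allowed = {ipaddress.ip_address(a) for a in vpn_addrs}
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in VNC_PORTS:
            continue
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
        if host == "*":                         # ss wildcard: every interface
            findings.append(("*", int(port)))
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            findings.append((host, int(port)))  # unparseable: flag for review
            continue
        if addr.is_loopback or addr in allowed:
            continue
        findings.append((str(addr), int(port)))
    return findings


if __name__ == "__main__":
    # 10.8.0.1 stands in for a VPN interface address (hypothetical).
    for addr, port in exposed_vnc_listeners(SAMPLE, vpn_addrs=["10.8.0.1"]):
        print(f"VNC listener on {addr}:{port} is reachable beyond localhost/VPN")
```

On a real host, feed the function the output of `ss -H -ltn` and pass the addresses of your VPN interfaces as `vpn_addrs`; an empty result means every VNC listener is confined to loopback or the VPN.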