
Friday, January 04, 2008

VNC - (almost) zero security

I mentioned it previously, but just wanted to be sure that everyone has seen this:

  • the "standard" VNC protocol does not offer any encryption of the data (i.e. from a packet capture you can reconstruct the screen content and the actions of the user). There are unofficial extensions, but they are not widely supported
  • during "authentication" only the first 8 characters of the password are considered (which makes it quite easy to brute-force)

What you should do:

  • tunnel all VNC traffic through something with stronger encryption (like SSH or a VPN)
  • make sure that the VNC server is never bound to Internet-facing interfaces (only to VPN interfaces or to localhost, accessed through an SSH tunnel)
  • or not use VNC at all :-)
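A quick way to check the second recommendation on a Linux host, as an added example (not from the original post): parse `ss -ltn`-style output and flag any listener on the VNC port range (TCP 5900-5999) that is bound to something other than loopback. The sample listener table below is constructed, not a real capture; the column layout assumed is that of `ss -ltn` (local address in field 4).

```shell
#!/bin/sh
# Added example: find VNC listeners (TCP 5900-5999) not bound to loopback.
# A properly tunnelled setup has the server on 127.0.0.1 / [::1] only and is
# reached through "ssh -L 5901:localhost:5901 user@host" from the client side.

# Constructed sample in the shape `ss -ltn` prints (not a real capture).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:5901      0.0.0.0:*
LISTEN 0      128    0.0.0.0:5900        0.0.0.0:*
LISTEN 0      128    [::]:5902           [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Print "addr:port" for each exposed VNC listener; exit 1 if any was found.
exposed_vnc_listeners() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n] + 0
            # strip ":port" from the end; the address itself may contain colons
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (port >= 5900 && port <= 5999 &&
                addr != "127.0.0.1" && addr != "[::1]") {
                print $4; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Demo on the constructed sample; on a real host use: exposed_vnc_listeners "$(ss -ltn)"
if exposed_vnc_listeners "$SAMPLE_SS"; then
    echo "no VNC listener is exposed beyond loopback"
else
    echo "the VNC listeners above should be bound to localhost and tunnelled"
fi
```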
