I had the time to look into zvnc, and I found it to be "cool". It is indeed impressive, in terms of simplicity. However, this is one more proof that you cannot really "make encryption simple".

But let's start at the beginning: the model. You have a tool which uses zebedee to tunnel TCP connections to vnc. What's wrong with this picture? The problem is: even if you firewall the "non-encrypted" ports, you still rely on zebedee AND vnc for the server security. Now it's clear: if you have a hole in VNC OR in zebedee, the server security is gone.

On the other hand, if you have a vpn+vnc or ssh+vnc setup (and of course you firewall the vnc port; this is the first thing to do if you use ANY encrypted setup), then you have a problem only if you have a problem with ssh (or whatever tunnel software you're using). In fact, a normal server (without anyone connecting to it) will be safer with normal vnc than with zvnc. And I am not talking about any bugs, only about the model.
Now, about the encryption. I don't have time to investigate in detail, but it looks like there is no authentication between the server and client. I mean, the client doesn't know who it is talking to. Most people think it's simpler to sniff some traffic; actually, in most cases it's easier to impersonate the server (and in most cases, if the attacker can sniff the traffic, he can also hijack a connection or impersonate the server). And of course, if the attacker can impersonate the server, then it's game over in more than one way.

Bottom line: is zvnc a bulletproof solution? No. I wouldn't use it to access my home computer (leaving aside the fact that it's windows only). But there are people using plain vnc over the internet, or win2k machines without one patch, or setups like root / no password. I think zvnc is better :-).

Does zvnc have a future? Probably yes, I would say. I would of course prefer a trusted solution, like ssh (and you also get file transfer capabilities, which are needed sooner or later), but as we have seen, there is a need for an "all in one" tool.

Saturday, February 15, 2003, 22:11:47, Dave wrote:

DD> It's time for my periodic plug and plea for encryption support
DD> in the major branches of VNC.
DD> The plug: zvnc is a variant for windows which incorporates the
DD> same encryption as tunneling with zebedee into regular vnc. It's
DD> been in use for over a year now, with many users and no complaints.
DD> Unlike tunneling with zebedee or ssh, it's trivial to set up and use.
DD> See: http://home.attbi.com/~davedyer/znc/zvnc.html
DD> The plea: It's not my intent to start or support a new major branch
DD> of vnc. I took some pains to make this branch minimally invasive
DD> to the vnc sources - all the hair is in an external library based
DD> on zebedee. I fervently hope the maintainers of the main branches
DD> of vnc will give it a look.
