The developers at AT&T have stated that they don't wish to include many
widely-requested features because they are better handled elsewhere.
Notable entries on the list include file transfer, sound, printing, and
encryption. While I agree with the first 3 from the "KISS" principle, the
last one raises some questions.
What is it that most users of VNC use VNC for? Remote access to their
desktop? Remote administration? In any and all of the above cases, a
typical usage scenario includes accessing VNC over a path which includes a
non-secured network, where a hacker or other nefarious person might gain
information they shouldn't, just by passively listening on the line.
This, and the recent fervor over the dangerously breakable authentication
mechanism leads me to suggest that it might be time to bring security into
VNC. Pair that with the common security-industry concern that non-integral
security is essentially no security at all, and I think it's time for some
of us to do some development. Commodity encryption layers like IPSEC are,
unfortunately, far from being common on every desktop.
Who's with me? I'd like to start talking about how we might put a thin but
solid security layer into VNC. In fact, I'm going to go and start
scratching around for ideas about how to do it. An early take is
essentially to add a new authentication method, and write a wrapper around
the current VNC protocol for the rest. Other approaches (IMHO, more
difficult to design/develop/deploy) would be to add an "encoding", or
somehow negotiate it with run-time client messages.
I want to stir up a discussion, but I think the specifics of development
might be better taken elsewhere. Any developers out there want to help me?
----------
Bryan Pendleton
ICQ: 2680952
Phone: (877)780-3087
"The root of all knowledge lies within, but knowledge is useless unless it
is collected and shared."
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to [EMAIL PROTECTED]
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
