Further to the questions below, the reason why
this is even a concern is because I use applications
over VNC that ask for various passwords.  Most of
the time, the keystrokes echoed back are just "*",
but anyone watching the information from server
to viewer can't get the password.  But what about
the key strokes sent by the viewer to the server?
My understanding is that they are not encrypted,
since VNC only encrypts the password for the
viewer's connection to the server.   If all other
keystrokes are unencrypted, then the caution
below is certainly well warranted simply because
you're typing your various other passwords for the
world to see.  If not, then the risk would be
determined by the confidential nature of the work
being done over the VNC connection.

Fred

"fred (Please remove 1st F from my email)" wrote:

> Hi,
>
> I'm using the procedure of
> http://www.uk.research.att.com/vnc/sshwin.html
> When initiating the ssh connection, Stajano
> suggests against blindly accepting the public key
> fingerprint presented by the host computer at the
> far end.  He says that you should first physically
> go to the computer at the far end and get the
> public key fingerprint written on paper so that
> you can confirm that you're connecting to the
> right host rather than a pretender.
>
> This sometimes presents a problem because
> the host I connect to is not always up.  All of a
> sudden I have to connect to a different host at
> the far end, one for which I don't have the
> public key fingerprint.  I've telnetted into the
> host, but then thought better of querying the
> host for a public key fingerprint, since it would
> be displayed over an insecure channel.  It
> would totally defeat the purpose of confirming
> the host's public key fingerprint.
>
> Is this getting overly paranoid?  How likely is
> it that someone would be waiting right there
> and right then to get the public key fingerprint
> just to pretend to be the far-end host the next
> time you connect?  Would it be a reasonable
> risk to query the host for its public key fingerprint
> over an insecure telnet session, considering that
> you never have to repeat the query and thus
> never run the risk again?
>
> Fred
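
The check the quoted message describes (comparing the fingerprint the far-end host presents against one written down at its console), as an added example that is not part of the original post. It assumes OpenSSH-style fingerprints, i.e. a hash of the decoded public key blob; the helper names and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data


def make_constructed_key_line(seed: bytes, comment: str) -> str:
    """Build a well-formed ssh-ed25519 line. Constructed sample, not a real host key."""
    raw = hashlib.sha256(seed).digest()  # 32 bytes standing in for key material
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprints(pubkey_line: str) -> dict:
    """Return the MD5 and SHA256 fingerprints of one public key line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type field does not match the key blob")
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha,
    }


def matches_recorded(pubkey_line: str, recorded: str) -> bool:
    """Compare a presented key against the fingerprint written down at the host."""
    fp = fingerprints(pubkey_line)
    want = recorded.strip()
    if want.startswith("SHA256:"):
        return fp["sha256"] == want.rstrip("=")
    if want.upper().startswith("MD5:"):
        want = want[4:]
    return fp["md5"] == want.lower()


# Constructed data: the key of the real far-end host and of a pretender.
GENUINE = make_constructed_key_line(b"far-end host", "farend (constructed)")
PRETENDER = make_constructed_key_line(b"pretender", "farend (constructed)")
PAPER = fingerprints(GENUINE)["sha256"]  # value copied down at the console

if __name__ == "__main__":
    print("genuine  :", matches_recorded(GENUINE, PAPER))
    print("pretender:", matches_recorded(PRETENDER, PAPER))
```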