How secure is VNC over the internet?

[geno]

I've used it many times over LAN without a problem, but how secure is VNC if I were to leave the server running on my box at school, and I access it here from work?

 

[Bulk Beef]

Text

VNC uses a random challenge-response system to provide the basic authentication that allows you to connect to a VNC server. This is reasonably secure; the password is not sent over the network. Once you are connected, however, traffic between the viewer and the server is unencrypted, and could be snooped by someone with access to the intervening network. We therefore recommend that if security is important to you, you 'tunnel' the VNC protocol through some more secure channel such as SSH.

 

[geno]

ah, awesome

thanks for the info, now to find out how to tunnel something securely between two XP boxes

 

[Shockwave]

Originally posted by: sward666
Text

VNC uses a random challenge-response system to provide the basic authentication that allows you to connect to a VNC server. This is reasonably secure; the password is not sent over the network. Once you are connected, however, traffic between the viewer and the server is unencrypted, and could be snooped by someone with access to the intervening network. We therefore recommend that if security is important to you, you 'tunnel' the VNC protocol through some more secure channel such as SSH.

Its essentially like that for every network on the planet. If you have the equipment, and access to the transmission medium being used, you can analyze it.
So, I personally wouldnt hesitate to use VNC, although I also dont have anything so critical on my box that I would be in trouble if someone got in. Well, other then the RIAA of course...

 

[m2kewl]

use with vpn or ssh. vnc w/o encryption = bad!

 

[SaigonK]

VNC is totally unsecure, so is remote desktop. They are both clear text applications.
get VPN, SSH, SSl and you should be fine.

 

[Soybomb]

Originally posted by: Shockwave

Originally posted by: sward666
Text

VNC uses a random challenge-response system to provide the basic authentication that allows you to connect to a VNC server. This is reasonably secure; the password is not sent over the network. Once you are connected, however, traffic between the viewer and the server is unencrypted, and could be snooped by someone with access to the intervening network. We therefore recommend that if security is important to you, you 'tunnel' the VNC protocol through some more secure channel such as SSH.

Its essentially like that for every network on the planet. If you have the equipment, and access to the transmission medium being used, you can analyze it.
So, I personally wouldnt hesitate to use VNC, although I also dont have anything so critical on my box that I would be in trouble if someone got in. Well, other then the RIAA of course...

I would hesitate but I use ssh instead of telnet too. Analyze it all you want. mmm 256bit AES

 

[Entity]

Doesn't TightVNC solve the problem of unsecure connections?

Rob

 

[freegeeks]

i just tunnel my VNC data into a SSH tunnel

 

[elanarchist]

Originally posted by: Entity
Doesn't TightVNC solve the problem of unsecure connections?

Rob

Straight from the TightVNC FAQ

How secure is TightVNC?
Although TightVNC encrypts passwords sent over the net, the rest of the traffic is sent as is, unencrypted (for password encryption, VNC uses a DES-encrypted challenge-response scheme, where the password is limited by 8 characters, and the effective DES key length is 56 bits). So using TightVNC over the Internet can be a security risk. To solve this problem, we plan to work on built-in encryption in future versions of TightVNC.

In the mean time, if you need real security, we recommend installing OpenSSH, and using SSH tunneling for all TightVNC connections from untrusted networks.

 

[glugglug]

The data itself in VNC is not encypted unless you tunnel it through SSH. Getting it tunneled on the WinXP server side will be a PITA.

Remote Desktop encrypts EVERYTHING in the connection, and is orders of magnitude faster than VNC. It may be a M$ product, but in this case, the security is actually better than VNC.