Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: https://forum.uvnc.com/viewtopic.php?t=37885
Important: Please update to the latest version before creating a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
Risk of VNC
This is really more of a general VNC question than UltraVNC, but I ask it here as I am using UltraVNC and there could possibly be specific issues.
It is said to be risky to expose a machine running VNC to the Internet at large in case of hacking, being safer to use a Virtual Private Network or other secure connection.
There would appear to be two risks:
1. Somebody finding an open VNC port and making a connection. As I see it, a sensible password should be very good protection against this; nobody is likely to connect if the password is erj4r85#ekr74j or 4hezajollygoodfella9.
2. Interception of unencrypted data. I don't know how real a problem this is in a non-critical network. I can envisage a user checking a confidential client list over a VNC connection. An unauthorised interceptor could work out that this is a VNC connection, but would then have to find out what encoding was used; and would have to identify the user's competitors to sell them the client list. Frankly, if I wanted to know Acme Industries' secrets it would be easier to seduce or bribe the CEO's PA. But maybe I underestimate the problem?
The reason for this question: I have quickly compared performance of VNC over an open and a VPN connection, over 512/256 kbps ADSL. A zipped file transfers at about 29/26 kB/sec (10% performance hit, which is acceptable to me). But viewing a Windows screen is MUCH more responsive over an open than a VPN connection.
How do we weigh the increased performance against the increased risk?
Just use the 128 Bit RC4 encryption plugin. http://home.comcast.net/%7Emsrc4plugin/
This plugin encrypts the whole transferred data so nobody can analyze it.
If you change your 128 Bit Key from time to time it should be very secure if the algorithm is implemented correctly.
Don't forget to secure your RC4 key. Don't send it unencrypted by mail or over the Internet. The best way is to create it on the server and copy it to a USB stick or floppy disk. If you want to connect to your remote desktop, put the medium in your client PC, load the key with the viewer, and connect.
Needless to say, if you use your client PC on your own and have no trojans or other telephoning programs installed you can store it on your disk.
CU
Mr Faber
In my company
Hi All, I am not a user of this program, but my boss installed it on my desktop. I wonder if he can retrieve my files or some private files secretly. Can anyone tell me how to observe and become aware if my PC is "hacked"?
Thanks a lot!
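One way to see whether a viewer is connected right now, as an added example that is not part of the original thread: the Python below parses `netstat -ano` output for established sessions on the VNC ports. The port numbers are an assumption (UltraVNC's defaults, 5900 for RFB and 5800 for the Java viewer), the function names are hypothetical, and the sample output is constructed.

```python
# Assumption: default UltraVNC ports; change these if the server was reconfigured.
VNC_PORTS = {5900, 5800}

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       2140
  TCP    192.168.1.20:5900      192.168.1.5:51734      ESTABLISHED     2140
  TCP    192.168.1.20:49822     203.0.113.7:443        ESTABLISHED     3312
  TCP    [::]:5800              [::]:0                 LISTENING       2140
  UDP    0.0.0.0:5353           *:*                                    1888
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def vnc_sessions(netstat_text, ports=VNC_PORTS):
    """Return (listening VNC ports, established inbound VNC sessions)."""
    listening, sessions = set(), []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly five columns; skip the header and UDP rows.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _, local, remote, state, pid = fields
        _, local_port = split_endpoint(local)
        if local_port not in ports:
            continue
        if state == "LISTENING":
            listening.add(local_port)
        elif state == "ESTABLISHED":
            peer, _ = split_endpoint(remote)
            sessions.append({"port": local_port, "peer": peer, "pid": int(pid)})
    return sorted(listening), sessions

if __name__ == "__main__":
    ports, active = vnc_sessions(SAMPLE)
    print("server listening on:", ports)
    for s in active:
        print(f"viewer {s['peer']} connected to port {s['port']} (PID {s['pid']})")
```

This only reports sessions open at the moment `netstat` runs; it says nothing about earlier connections.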
Re: Risk of VNC
pol098 wrote:
> The reason for this question: I have quickly compared performance of VNC over an open and a VPN connection, over 512/256 kbps ADSL. A zipped file transfers at about 29/26 kB/sec (10% performance hit, which is acceptable to me). But viewing a Windows screen is MUCH more responsive over an open than a VPN connection.
> How do we weigh the increased performance against the increased risk?
Defense in depth. Simply use VNC over the VPN connection. It's encrypted and quicker than a file copy.
Somebody commented:
> Defense in depth. Simply use VNC over the VPN connection. It's encrypted and quicker than a file copy.
We have come full circle from my original post. Remote control over UltraVNC 18 is much less responsive over a VPN than it is over a straight connection to the remote IP, although file transfer is only 10% slower. In fact, I have people who insist on using an open (not VPN) connection for this reason. Having a VNC server waiting for someone, anyone, to login makes me nervous; but, in practice, is a VNC server visible on the internet but with a good password seriously at risk?
pol098 wrote:
> Having a VNC server waiting for someone, anyone, to login makes me nervous; but, in practice, is a VNC server visible on the internet but with a good password seriously at risk?
Wide open. VNC has been used by crackers and script kiddies once they have taken over the system. All that needs to happen is for a packet capture to catch your login and they can crack the password.
So if you're comfortable with telnet over the Internet, and have not considered ssh...
Well, cross your fingers. BTW there is an OpenSSH for Windows, and Cygwin also includes OpenSSH. Both support OpenSSH services that allow you to ssh into your Windows systems.
Leonard Isham, CISSP
Ostendo non ostento.
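A caveat on how much a long password adds, as an added example that is not part of the original thread: in standard RFB "VNC Authentication" (RFC 6143, section 7.2.2) the DES key is the password truncated or null-padded to eight bytes, and common implementations mirror the bits of each byte. The sketch assumes the server uses that scheme rather than an encryption plugin or another logon method; the function names are hypothetical.

```python
import math

def rfb_des_key(password: str) -> bytes:
    """DES key used for the RFB challenge-response.

    The password is cut to 8 bytes (or padded with NULs) and each byte is
    bit-mirrored. Assumes an ASCII/Latin-1 password, as in the samples.
    """
    raw = password.encode("latin-1")[:8].ljust(8, b"\x00")
    return bytes(int(f"{b:08b}"[::-1], 2) for b in raw)

def effective_password(password: str) -> str:
    """The part of the password that actually influences the key."""
    return password[:8]

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Search space in bits; characters beyond the eighth add nothing."""
    return min(length, 8) * math.log2(alphabet_size)

if __name__ == "__main__":
    # The two sample passwords quoted earlier in the thread.
    for pw in ("erj4r85#ekr74j", "4hezajollygoodfella9"):
        same = rfb_des_key(pw) == rfb_des_key(effective_password(pw))
        print(f"{pw!r} behaves like {effective_password(pw)!r}: {same}")
    # 95 printable ASCII characters, 14 typed, only 8 used.
    print(f"effective keyspace: {keyspace_bits(95, 14):.1f} bits")
```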
As the original poster, many thanks:
> Wide open. VNC has been used by crackers ...
A useful reminder.
>... ssh...OpenSSH ...
I have been using Draytek Vigor routers which have Virtual Private Networking (VPN) support built in (as distinct from passed through, so no machine needs to run VPN server software).
secret keys
bradstar wrote:
> so if you are using the rc4 key to encrypt the traffic...
Well, you are more secure if you change the key periodically. It takes time to break the encryption, but once you do, you have the key; you have everything until the key is changed.
P.S. if you use a broken key to send a new key the person that broke the first key would have the new key.