Brett Parker wrote:
On Thu, May 25, 2006 at 11:46:10AM +0100, David Simon Cooper wrote:
Err, I think you'll find the initial password also travels over the net unencrypted. It certainly used to.
Cheers,
Hey Brett, from Real VNC
"VNC Free Edition and older VNC 3 based systems support a simple challenge-response protocol used to verify a password of up to eight characters, supplied by the connecting user. While this avoids exposing the password to attackers as would be the case with pure plaintext protocols such as telnet, the rest of the session is unencrypted and so anything typed into the viewer passes "in the clear" to the server. VNC Free Edition is therefore suitable for use within a local network or secure VPN, but not for general use over untrusted networks, such as the Internet."
They don't promote the use over the internet, but then we know that. I am wondering, when they say challenge-response do you think it means the response is not exncrypted? It would be pretty pointless not sending the password in the challenge incase it gets intercepted but all password tries in the response are left as plain text?
I am assuming the response password is sent as some kind of encrypted value rather than just characters.