UltraSam wrote:The problem of disabling DSM for the javaviewer is that we'd create a security weakness, making 50% of the DSM plugin advantage useless: [...]
Still, 50% of the communication (connects made with the "real" viewer) would be safe. As of now, whereever I want to make the javaviewer avaible on a vnc-server, I have to completely disable the DSMPlugin!
UltraSam wrote:[...]
DSMPlugin advantages:
1. All the connection communication is encrypted, even the initial handshaking (even before password/challenge negociation).
2. If the viewer doesn't have the good RC4 key file, it can't even establish the TCP connection. This way, the fact that the 8chars-max-VNC-password is weak is not important, because the step where this password is negociated is never reached without the good RC4 file.
If we enable the JavaViewer to connect without the DSM plugin, we just waste the point 2.
You can still encrypt your communication with the Win32 viewer + DSM, but the access to your UltraVNC server is only as protected as a "regular" VNC.
Why exactly would we waste point 2?
It´s mainly because there is no "good RC4-file" avaible to the java-viewer, isn´t it?
Possible solution:
RC4-files are so small they could simply be accesed just in time from any webspace avaible. This could be done by the server by asking for the URL of the RC4-file to use. This should be done after the connect is initiated by the viewer, but before the password is negociated.
Steps:
1. Type IP:Port into your browsers adress field
2. Server sends the certificate (if first time) / User accept it
3. Server prompt me for URL/Location of RC4-file
4. Server gets and verifies RC4
5. Server prompt for password using RC4
Second choice (accepting a weak java-viewer, but welcoming a secure "real-viewer"):
Isn´t it possible to include an additional checkbox "don´t use DSMPlugin with java-viewer" or as "suggested" by ULtraSam "use DSMPugin only for encrypting communication"?
I´m only a user, not a single clue about coding, so most certainly the task is much harder to implement than to expose it
SSL would be great by the way
![Smile :)](./images/smilies/_icon_smile.gif)