noVNC + UltraVNC Repeater security
416 views
Skip to first unread message
Denis Lochman
Mar 14, 2018, 9:59:37 AM3/14/18
to noVNC
Hi,
I'm working on this one project and I'm using noVNC and UltraVNC Repeater to make this web browser remote control solution. My biggest concern now is that when connecting to a remote machine through UltraVNC Repeater (or repeater in general I guess), you don't need to type password. Problem is that if you know the IP address of the repeater and ID of a remote machine, you can use UltraVNC's native client to connect to this machine. One solution to this is to use the encryption plugin, that UltraVNC recommends. Then you get password prompt, but also noVNC stops working.
Not sure whether I should be asking this here or on UltraVNC Forums or should be asking at all. But is there any way how to make this more secure? Like enabling noVNC to work with UltraVNC's encryption plugin?
Thanks.
Pierre Ossman
Mar 14, 2018, 11:34:23 AM3/14/18
to no...@googlegroups.com, Denis Lochman
On 14/03/18 14:59, Denis Lochman wrote:
>
> Not sure whether I should be asking this here or on UltraVNC Forums or
> should be asking at all. But is there any way how to make this more secure?
> Like enabling noVNC to work with UltraVNC's encryption plugin?
>
We would need a protocol specification if we are to implement some new
>
> Not sure whether I should be asking this here or on UltraVNC Forums or
> should be asking at all. But is there any way how to make this more secure?
> Like enabling noVNC to work with UltraVNC's encryption plugin?
>
additions for noVNC, so for that you would need to ask the UltraVNC
people. After that we can have a look at it here.
Note though that encryption is not the easiest to get working well in
Javascript, so that approach might be problematic for us.
Regards
--
Pierre Ossman Software Development
Cendio AB https://cendio.com
Teknikringen 8 https://twitter.com/ThinLinc
583 30 Linköping https://facebook.com/ThinLinc
Phone: +46-13-214600 https://plus.google.com/+CendioThinLinc
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Message has been deleted
Message has been deleted
Pierre Ossman
Mar 15, 2018, 7:48:03 AM3/15/18
to no...@googlegroups.com, Denis Lochman
On 14/03/18 17:16, Denis Lochman wrote:
> Yeah, thought so, I'm just a little desperate. It's pretty big issue I
> feel. I found UltraVNC Repeater source code on UltraVNC website, so maybe
> implementing some authentification would be possible.
>
> Since we are talking about security, may I slip in one more question? I'm
> using Let's Encrypt certificate. Can I use this certificate with
> websockify? If yes, how would one do that? I tried using this certificate
> exported from Windows and I keep getting this message:
>
> handler exception: [SSL] PEM lib (_ssl.c:2603)
>
OpenSSL isn't known for fantastic error messages unfortunately. Perhaps
your certificate or key isn't in PEM format? They should be normal text
files.
Is the key password protected? That isn't supported.
> Yeah, thought so, I'm just a little desperate. It's pretty big issue I
> feel. I found UltraVNC Repeater source code on UltraVNC website, so maybe
> implementing some authentification would be possible.
>
> Since we are talking about security, may I slip in one more question? I'm
> using Let's Encrypt certificate. Can I use this certificate with
> websockify? If yes, how would one do that? I tried using this certificate
> exported from Windows and I keep getting this message:
>
> handler exception: [SSL] PEM lib (_ssl.c:2603)
>
OpenSSL isn't known for fantastic error messages unfortunately. Perhaps
your certificate or key isn't in PEM format? They should be normal text
files.
Is the key password protected? That isn't supported.
Denis Lochman
Mar 15, 2018, 10:44:16 AM3/15/18
to noVNC
Yeah I guess the certificate was in wrong format. I was trying to export the certificate from Windows Certificate Manager, which was incorrect. Then I found the right certificate files in let's encrypt-win-simple folder. I also did a mistake by accessing the server by it's IP address (instead of domain). It should be ok now, only encrypted connections are allowed and noVNC says it's encrypted connection.
Reply all
Reply to author
Forward
0 new messages