By default, Vino requires insecure anonymous Diffie Hellman ciphers for encryption and is incompatible with Android 6+ devices
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
vino |
Unknown
|
Unknown
|
|||
vino (Ubuntu) |
Confirmed
|
Low
|
Unassigned |
Bug Description
Anonymous Diffie Hellman certificates do not provide identity verification (unlike x509 certificates). Therefore, while they provide link encryption, they do not guard against man-in-the-middle attacks. Google decided to drop support for these certificates in v6.0+ (API23):
https:/
This means that my application, bVNC, (open-source VNC client for Android, https:/
This forces me to recommend other VNC clients - x11vnc or TigerVNC - for users that need to encrypt their VNC connections on Android 6+. For more background, see:
https:/
Both x11vnc and TigerVNC support VeNCrypt (with x509 certificates that support identity verification), and in my opinion, it is time for Vino, as the standard remote desktop solution for Ubuntu, to also consider supporting a modern encryption technique.
In addition to x509 certificates, VeNCrypt also supports authenticating with a user name and an arbitrary length password, which means that if Vino so chooses, it can also utilize PAM and allow users to connect to their desktop machine with their actual Ubuntu credentials
Furthermore, if we want to get really fancy, this means that we could launch vino at start-up and even allow people to connect to their machine when nobody is logged in like Mac OS X permits with its VNC server.
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: vino 3.8.1-0ubuntu9
ProcVersionSign
Uname: Linux 4.4.0-31-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: XFCE
Date: Sat Aug 20 12:26:23 2016
InstallationDate: Installed on 2014-02-28 (903 days ago)
InstallationMedia: Ubuntu 12.04.4 LTS "Precise Pangolin" - Release amd64 (20140204)
SourcePackage: vino
UpgradeStatus: Upgraded to xenial on 2016-07-30 (21 days ago)
Status changed to 'Confirmed' because the bug affects multiple users.