Re: VNC viewers: Clipboard of host automatically sent to remote machine
From: Giles Coochey <giles () coochey net>
Date: Tue, 24 Jan 2012 19:44:41 +0000
On 24/01/2012 19:20, Ben Bucksch wrote:
On 24.01.2012 20:08, Giles Coochey wrote:
I have seen this is an often requested feature
Yes, I understand. It can be highly useful. That's why I proposed to
make a "Paste" button in the main toolbar (probably with a keyboard
shortcut, too). So, the user would have to press one more button / key
(3 actions instead of 2) for the information to travel to the remote
host. Compared to the risk, I think that's an acceptable tradeoff.
Please tell me that you have never ever copied a password (or anything
else highly sensitive) using the clipboard.
I have done this, and I have understood the risks.
In my personal experience there was a case (a CDE - credit card data
environment) where clipboard segregation between remote and local
systems was a requirement. It was in this case that Citrix was chosen
over other competing 'remote-application' products because of a feature
it had to disable the seamless clipboard functionality.
I guess what makes my case and the government agency case different is
that for you and others, VNC is typically the primary focus, but here on
my machine it's running all the time, I have several test machines with
untrusted software running and connected *always*.
I think whether this is a security issue depends on
whether the VNC viewer in question is a fit tool for what you're using
it for. Otherwise others may say it's a feature and not a bug, or at
least your bug is my feature. I would see if you could ask them to have
it as an optional feature though.
I would confirm that patch functions first - I found it in a thread
regarding errors connecting to Mac OS X servers, and from the patch
information, it may only stop the clipboard from server to client and
not vice versa, but having seen it, I would imagine that you can find
all the clipboard functions in the source and pretty much comment out
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/