
Because VNC is a major clusterfuck of bad ideas? Almost every VNC installer I've used has made passwords optional. Who makes these brain-dead decisions? It's bad enough that it cannot, typically, integrate with the built-in OS authentication, but the "roll your own" mentality from devs is especially off-putting. Application devs shouldn't be writing authentication mechanisms. They should be tying into the OS's auth using the proper libraries.

If you must run VNC for legacy reasons, please run it in an SSH tunnel without an open port to the world.

With things like RDP, NX/NoMachine, X Windows forwarding in an SSH tunnel, etc., there's really no excuse to keep using it. For all the shit Windows gets, at least it doesn't allow password-free RDP connections. I think the world of cheap Linux VPSes has opened up a Pandora's box of bad security practices. There's no shortage of forums out there that tell the uninitiated to "just apt-get" VNC and be done with it. Running SSH-tunneled NoMachine is just as easy to configure, has better performance, and loads better security.

Also, this looks like an applet that runs a JS VNC client locally and connects you directly to various open VNC servers. It's your IP address in those logs and, depending on your jurisdiction or policies, that may get you in trouble just for visiting the site. Took me a second to realize this. May want a warning here for those at work.
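The "passwords optional" complaint above is visible on the wire: during the RFB handshake the server lists the security types it accepts, and type 1 ("None") means a client can connect with no password at all. The following is an added example for this thread, not code from any VNC project. It parses the server's side of the RFB 3.3/3.7/3.8 handshake as published in the RFB specification and flags servers that offer "None"; the `SAMPLE_*` responses are constructed for the example, and `probe()` is a live check meant to be pointed at 127.0.0.1 through an SSH tunnel to verify a server you own (it sends only the version line, never a password).

```python
"""Check which RFB (VNC) security types a server offers.

Added example, not code from any VNC project. The RFB handshake parsing
follows the published RFB 3.3/3.7/3.8 protocol; sample responses below
are constructed, not captured from a real host.
"""
import socket
import struct

SEC_NONE = 1  # RFB security type "None": no authentication at all
SEC_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
             16: "Tight", 18: "TLS", 19: "VeNCrypt"}


class VncRefused(Exception):
    """Server sent zero security types plus a reason string."""


def parse_version(line: bytes) -> tuple[int, int]:
    """'RFB xxx.yyy\\n' -> (major, minor)."""
    if len(line) != 12 or line[:4] != b"RFB " or line[7:8] != b"." or line[11:12] != b"\n":
        raise ValueError(f"not an RFB version line: {line!r}")
    return int(line[4:7]), int(line[8:11])


def negotiate(server_version: bytes) -> tuple[int, int]:
    """Version the client answers with: the highest we speak (3.8) that does
    not exceed the server's; anything below 3.7 is treated as 3.3."""
    major, minor = parse_version(server_version)
    if major < 3:
        raise ValueError(f"unsupported RFB major version {major}")
    if (major, minor) >= (3, 8):
        return (3, 8)
    if (major, minor) == (3, 7):
        return (3, 7)
    return (3, 3)


def parse_security_offer(negotiated: tuple[int, int], data: bytes) -> list[int]:
    """Security types the server offers, given the negotiated version."""
    if negotiated == (3, 3):
        # RFB 3.3: the server picks one type itself and sends it as a u32.
        if len(data) < 4:
            raise ValueError("truncated 3.3 security-type word")
        return [struct.unpack("!I", data[:4])[0]]
    # RFB 3.7/3.8: u8 count, then that many u8 types. Count 0 is a
    # refusal followed by a u32-length reason string.
    if not data:
        raise ValueError("empty security offer")
    count = data[0]
    if count == 0:
        (rlen,) = struct.unpack("!I", data[1:5])
        raise VncRefused(data[5:5 + rlen].decode("latin-1"))
    types = list(data[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return types


def audit(server_version: bytes, offer: bytes) -> dict:
    """Summarise one handshake: types offered, and whether 'None' is among them."""
    negotiated = negotiate(server_version)
    try:
        types = parse_security_offer(negotiated, offer)
    except VncRefused as e:
        return {"negotiated": negotiated, "refused": str(e)}
    return {"negotiated": negotiated, "types": types,
            "names": [SEC_NAMES.get(t, f"unknown({t})") for t in types],
            "password_optional": SEC_NONE in types}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed during handshake")
        buf += chunk
    return buf


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> dict:
    """Live check: version exchange, read the offer, audit it. Sends no password."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        version = _recv_exact(s, 12)
        negotiated = negotiate(version)
        s.sendall(b"RFB %03d.%03d\n" % negotiated)
        if negotiated == (3, 3):
            offer = _recv_exact(s, 4)
        else:
            head = _recv_exact(s, 1)
            if head[0] == 0:
                rlen = _recv_exact(s, 4)
                offer = head + rlen + _recv_exact(s, struct.unpack("!I", rlen)[0])
            else:
                offer = head + _recv_exact(s, head[0])
    return audit(version, offer)


# Constructed server responses (not captured from any real host).
SAMPLE_OPEN = (b"RFB 003.008\n", b"\x02\x01\x02")         # offers None and VNC auth
SAMPLE_AUTH = (b"RFB 003.008\n", b"\x01\x02")             # VNC auth only
SAMPLE_33_NONE = (b"RFB 003.003\n", b"\x00\x00\x00\x01")  # 3.3 server chose None
SAMPLE_REFUSED = (b"RFB 003.008\n", b"\x00\x00\x00\x00\x11Too many failures")
```

Usage: `audit(*SAMPLE_OPEN)["password_optional"]` is `True`, which is the misconfiguration the comment is complaining about; `probe("127.0.0.1", 5901)` run through `ssh -L 5901:localhost:5901 user@host` checks your own server the same way. A server that offers only type 2 still uses VNC's weak DES-based challenge, so tunneling remains worthwhile even when a password is set.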



> Also, this looks like an applet that runs a JS VNC client locally and connects you directly to various open VNC servers. It's your IP address in those logs and, depending on your jurisdiction or policies, that may get you in trouble just for visiting the site. Took me a second to realize this. May want a warning here for those at work.

Not quite. The VNC client is noVNC, with a websocket proxy on the same machine http://srsly.de runs on. The connections you make with the web interface will go to our server, be translated from websockets to regular sockets, and then forwarded to the real VNC server. The address they see in their logs is ours.

We don't log access to the VNC client, by the way.
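To make the architecture in the reply concrete, the following is an added example, not srsly.de's code: a plain TCP relay standing where their websockets-to-TCP proxy sits (the WebSocket framing is omitted so the point stays visible), with a stub "VNC server" that speaks only the first two RFB handshake messages and records the peer it sees. Everything runs on loopback with OS-chosen ports; no addresses are captured from a real host. The result is the claim in the reply: the upstream server logs the relay's socket, not the browser's.

```python
"""Where a relayed VNC connection appears to come from.

Added example, not srsly.de's code. A TCP relay in the position of their
websockets proxy; a stub VNC server records the peer address it sees.
All addresses are loopback and constructed at runtime.
"""
import asyncio


async def pump(reader, writer):
    """Copy one direction until EOF, then close the far side."""
    try:
        while chunk := await reader.read(4096):
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()


class Relay:
    """Accept clients, open one outbound connection per client, relay both ways.
    Records the local address of each outbound socket: that, not the
    client's address, is what the upstream server logs."""

    def __init__(self, upstream_host, upstream_port):
        self.upstream = (upstream_host, upstream_port)
        self.outbound_addrs = []

    async def handle(self, creader, cwriter):
        ureader, uwriter = await asyncio.open_connection(*self.upstream)
        self.outbound_addrs.append(uwriter.get_extra_info("sockname"))
        await asyncio.gather(pump(creader, uwriter), pump(ureader, cwriter),
                             return_exceptions=True)


async def _demo():
    seen = []

    async def vnc_stub(reader, writer):
        # Stand-in for the real VNC server: log the peer, send the RFB version,
        # read the client's version, answer with security types (None, VNC auth).
        seen.append(writer.get_extra_info("peername"))
        writer.write(b"RFB 003.008\n")
        await writer.drain()
        await reader.readexactly(12)
        writer.write(b"\x02\x01\x02")
        await writer.drain()
        writer.close()

    vnc = await asyncio.start_server(vnc_stub, "127.0.0.1", 0)
    vhost, vport = vnc.sockets[0].getsockname()[:2]
    relay = Relay(vhost, vport)
    front = await asyncio.start_server(relay.handle, "127.0.0.1", 0)
    fhost, fport = front.sockets[0].getsockname()[:2]

    # The "browser": talks only to the relay, never to the VNC server.
    reader, writer = await asyncio.open_connection(fhost, fport)
    client_addr = writer.get_extra_info("sockname")
    banner = await reader.readexactly(12)
    writer.write(b"RFB 003.008\n")
    await writer.drain()
    offer = await reader.readexactly(3)
    writer.close()
    await writer.wait_closed()

    front.close()
    vnc.close()
    return {"server_saw": seen[0], "relay_outbound": relay.outbound_addrs[0],
            "client_addr": client_addr, "banner": banner, "offer": offer}


def run_demo() -> dict:
    """Run the whole exchange on loopback and report who saw which address."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    r = run_demo()
    print(f"client connected from {r['client_addr']}")
    print(f"VNC server logged {r['server_saw']} (the relay's outbound socket)")
```

The flip side for whoever runs the relay: since the upstream server only ever sees the relay's address, abuse complaints and blocklisting land on the relay host, so a public proxy like this needs its own rate limits and access controls even if it keeps no logs of its users.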



