| Jyri Kaljundi wrote: | > | > There's a huge hole in the Netscape remote control mechanism for the | > X-Windows based clients. | > Potential impact : anybody can become any user that uses Netscape on any | > system without sufficient X security. | | Did you bother to read the spec? This doesn't matter; if I can | connect to your X server at all, you have already lost. The spec | (at http://home.netscape.com/newsref/std/x-remote.html) contains: [snip] This is all true, in a way. But there is a growing number of applications that contains this kind of remote execution capabilities, and whose security is dependant on Xauth. I believe that X is soon becoming the weakest link in the security chain. I guess we don't have to discuss the quality of the 'magic cookie' RNG's, do we? Not to mention the fact that the cookie is in effect a password that is perfectly snoopable. How common is DES-based Xauth-schemes? They are not used very much, as far as I know. And if theyare, as in XDM, then again, what about the RNG? I guess this is just the distinction of breaking the glass window in the back of the house, or to pick up the front door key from beneath the "Welcome" door mat, but anyway. -Christian