Hi! On Thu, 21 Sep 2000, Robert Casties wrote:
> AFAIK all traffic on the wire goes unencrypted, cookie or not. So if anyone can sniff the network traffic you can't help it.
You are right. The point is that the application sends requests to the Xserver (for instance it asks to draw a line or paint some text on the screen) and the Xserver informs the application about events of user activity such as "mouse moved", "mouse clicked right", "a-key pressed", "space bar released" and so on. That communication indeed is not encrypted.

Imagine the following scenario: You have 3 boxes, say A, B and C, on the same net. A is running an Xserver which displays the window of an application that runs on host B. An intruder is sitting on box C. The intruder might now run an Xserver himself and feed it with all the requests the app on host B sends to host A. Then the intruder can see on his screen whatever the application on host B draws on the screen of host A.

The MIT-Magic-Cookie is used to secure the Xserver on host A. If it is not used, the intruder could (more easily) start an application that should display its output on the screen of host A and receive its input from there. Now an application need not draw anything on the screen, and so it can remain invisible. If it connects to the server, it just has to tell the server which user-interaction events it is interested in having delivered (that is useful to save bandwidth - some applications are controlled with the mouse only, so there's no need to transmit keyboard events). The intruder could in that way gain access to all the keyboard events on host A.

So if you really want a secure scenario, then you do indeed have to use some encryption. SSH does it by faking an Xserver local to the application and faking an application local to the Xserver. The two faked components communicate encrypted.

I hope that helps to understand the issue a bit more. I wish you all the best!
Juergen
---------------------------------------------------------------------
Jürgen Ellinger
Siemensstraße 44
88250 Weingarten
e-mail: ellinger@informatik.uni-tuebingen.de
        ellinger@student.uni-tuebingen.de
        ellinger@spohn.rv.bw.schule.de
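The mail above hinges on whether the Xserver on host A actually requires an MIT-Magic-Cookie from connecting clients. The following is an added example, not part of the original mail thread, that shows what such a cookie looks like on the client side: it parses the binary .Xauthority file format (a 16-bit family code followed by four length-prefixed fields, all big-endian) and audits the entry for a given display for the weaknesses an administrator would want to catch: no entry at all, a protocol other than MIT-MAGIC-COOKIE-1, a cookie of the wrong length, or an all-zero cookie. The sample file bytes are constructed inline; the hostnames, addresses and cookie values are made up for the demonstration, and the helper names are this example's own.

```python
import struct

# Address-family codes used in .Xauthority entries (values from <X11/Xauth.h>).
FAMILY_INTERNET = 0
FAMILY_INTERNET6 = 6
FAMILY_LOCAL = 256
FAMILY_WILD = 65535

FAMILY_NAMES = {
    FAMILY_INTERNET: "Internet",
    FAMILY_INTERNET6: "Internet6",
    FAMILY_LOCAL: "Local",
    FAMILY_WILD: "Wild",
}

MIT_COOKIE = b"MIT-MAGIC-COOKIE-1"
MIT_COOKIE_LEN = 16  # xauth generates a 128-bit random cookie


def _read_field(buf, off):
    """Read one length-prefixed field: big-endian u16 length, then that many bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated .Xauthority data at offset %d" % off)
    (length,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + length > len(buf):
        raise ValueError("truncated field at offset %d" % off)
    return bytes(buf[off:off + length]), off + length


def parse_xauthority(data):
    """Parse .Xauthority bytes into a list of entry dicts.

    Each entry is: u16 family, then four length-prefixed fields
    (address, display number, authorization name, authorization data).
    """
    entries = []
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated family field at offset %d" % off)
        (family,) = struct.unpack_from(">H", data, off)
        off += 2
        address, off = _read_field(data, off)
        number, off = _read_field(data, off)
        name, off = _read_field(data, off)
        cookie, off = _read_field(data, off)
        entries.append({
            "family": family,
            "address": address,
            "number": number.decode("ascii", "replace"),
            "name": name.decode("ascii", "replace"),
            "cookie": cookie,
        })
    return entries


def build_entry(family, address, number, name, cookie):
    """Serialise one entry in the same format; used here only to build sample data."""
    out = struct.pack(">H", family)
    for field in (address, number, name, cookie):
        out += struct.pack(">H", len(field)) + field
    return out


def audit_display(entries, number):
    """Return a list of findings for display :<number>; an empty list means OK."""
    findings = []
    matches = [e for e in entries if e["number"] == number]
    if not matches:
        findings.append("no authorization entry for display :%s; a client reading "
                        "this file could not present a cookie to that server" % number)
        return findings
    for e in matches:
        where = "%s/%r" % (FAMILY_NAMES.get(e["family"], e["family"]), e["address"])
        if e["name"] != MIT_COOKIE.decode():
            findings.append("%s: protocol %s is not MIT-MAGIC-COOKIE-1" % (where, e["name"]))
            continue
        if len(e["cookie"]) != MIT_COOKIE_LEN:
            findings.append("%s: cookie is %d bytes, expected %d"
                            % (where, len(e["cookie"]), MIT_COOKIE_LEN))
        if e["cookie"] == bytes(len(e["cookie"])):
            findings.append("%s: cookie is all zeros (not a random secret)" % where)
        if e["family"] == FAMILY_WILD:
            findings.append("%s: wildcard address family; the same cookie is "
                            "presented to every host" % where)
    return findings


# Constructed sample file (hypothetical hosts and cookies): a sound local entry
# for display :0 and a weak all-zero cookie for a remote display :1.
SAMPLE_XAUTHORITY = (
    build_entry(FAMILY_LOCAL, b"hostA", b"0", MIT_COOKIE, bytes(range(16)))
    + build_entry(FAMILY_INTERNET, bytes([10, 0, 0, 1]), b"1", MIT_COOKIE, bytes(16))
)

if __name__ == "__main__":
    parsed = parse_xauthority(SAMPLE_XAUTHORITY)
    for entry in parsed:
        print(FAMILY_NAMES.get(entry["family"]), entry["address"], entry["number"],
              entry["name"], entry["cookie"].hex())
    for display in ("0", "1", "2"):
        print(":%s ->" % display, audit_display(parsed, display) or "OK")
```

To check a real file, read `~/.Xauthority` (or the path in `$XAUTHORITY`) as bytes and pass it to `parse_xauthority`; an entry with a 16-byte random MIT-MAGIC-COOKIE-1 for the display number in `$DISPLAY` is what a correctly secured Xserver expects its clients to hold. The parser raises `ValueError` on truncated data rather than silently accepting a partial entry.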