Security questions on Remote Orbiters

[archived]

I'm using a win XP Orbiter on my laptop and I arranged my external firewall in order to be able to connect to my hybrid through internet when I'm not at home.

So far so good. Connection is working fine and I'm able to get in touch with my hybrid from wherever I can get an internet connection for my laptop.

The first question is: how safe is this?
Is the traffic between orbiter and core/hybrid somehow encrypted?
Is it something that may be sniffed and tampered, or is it something like terminal services protocol?

Second question: what about access validation?
In principle if I perform a portscan on a bunch of public internet addresses and by chance I find some of them responding to the proper port, I could try to connect using my orbiter to a remote and unknown core/hybrid, maybe gaining access to their system. In fact when I connect to my hybrid no password is asked, just double click and I'm right in.
Ok, a device number has to be supplied in the conf file, but it is not a major problem to try to guess a real and working one ...

In this situation I think it wouldn't be that safe to allow remote orbiters to connect from internet, unless using a SSH tunnel.

Are things like this or am I missing something?

Regards
Marco

[archived]

Hi Marco,

Orbiter wasn't designed to work remotely, because it communicates with the core using plain text, so it's not recommended to use it this way. However, in a future release, the communication between pluto devices will be encrypted with algorithms like blowfish, using a public key, randomly generated for each installation.

For now, the solution will be to use a ssh tunnel, like you said.

Regards,
Chris M.