novnc / noVNC

VNC client web application
https://novnc.com

Topic closed #1053

Closed JohnMcKinsey closed 6 years ago

JohnMcKinsey commented 6 years ago

Topic closed

kanaka commented 6 years ago

Short answer: RDP (VNC) sends less identifying info than RDP, but remote frame buffer protocols in general are probably not a good way to stay anonymous.

Longer answer:

I'm not intimately familiar with the RDP protocol. A VNC client does send the version of the RFB protocol it supports, and security types and render encodings that it supports. Those tend to be fairly generic. From the initial handshake, somebody might be able to tell you are running noVNC and maybe which major version of noVNC but probably not much more. So there is less identifying information in the initial RFB handshake than there is for RDP.

However, note that any sort of remote frame buffer protocol is problematic if you are trying to remain anonymous because mouse movements and keyboard typing are sent to the remote server. It has been demonstrated that this sort of information provides a fairly unique user fingerprint: each person uses the mouse differently, uses a specific timing pattern when typing and tends to make certain typos over and over. I'm also not intimately familiar with the Tor browser and whether it attempts to limit fingerprinting via mouse movement and keyboard typing patterns. Even if it has mechanisms to limit that sort of fingerprinting, I wouldn't count on it working particularly well unless it adds so much latency to mouse and keyboard events that it would be noticeable and annoying.

So it's probably better than RDP. And probably better than a regular VNC client (since the browser inherently adds some jitter and latency to user input), but probably still not that great. If anonymity is critical for you, I wouldn't use a remote frame buffer system at all. Note that I could see creating a variant of noVNC that modifies what is being sent. For example, only sends mouse clicks and not mouse movement and only sends key events on quarter second boundaries. But I'm not an expert on staying anonymous online so that's just me thinking out loud.
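A sketch of the input-coarsening variant suggested in the comment above, as an added example that is not part of the original thread and is not noVNC code. The event shape (`t`, `type`, `buttons`, `keysym`, `down`) and the function names are assumptions; it also holds clicks to the same quarter-second boundary as key events so that delayed keys cannot be overtaken by a later click, which goes one step beyond what the comment describes.

```javascript
// Added illustration; event shape and names are assumptions, not a noVNC API.
const QUANTUM_MS = 250; // "quarter second boundaries"

// Round a timestamp up to the next quantum boundary (exact boundaries stay put).
function nextBoundary(tMs, quantum = QUANTUM_MS) {
  return Math.ceil(tMs / quantum) * quantum;
}

// Drop pure pointer movement, keep button-state changes (clicks) and key
// events, and release everything that is kept on a quantum boundary.
function coarsenInput(events, quantum = QUANTUM_MS) {
  const out = [];
  let lastButtons = 0; // RFB-style button mask of the last forwarded pointer event
  for (const ev of events) {
    if (ev.type === 'pointer') {
      if (ev.buttons === lastButtons) continue; // movement only: not forwarded
      lastButtons = ev.buttons;
    }
    out.push({ ...ev, t: nextBoundary(ev.t, quantum) });
  }
  return out;
}

// Gaps between consecutive forwarded events: what a server-side observer
// could still measure after coarsening.
function interEventGaps(events) {
  return events.slice(1).map((ev, i) => ev.t - events[i].t);
}

// Constructed sample: two mouse moves, one click, then typing "hi".
const sample = [
  { t: 1003, type: 'pointer', x: 10, y: 10, buttons: 0 },
  { t: 1019, type: 'pointer', x: 14, y: 12, buttons: 0 },
  { t: 1041, type: 'pointer', x: 20, y: 15, buttons: 1 }, // press
  { t: 1127, type: 'pointer', x: 20, y: 15, buttons: 0 }, // release
  { t: 1310, type: 'key', keysym: 0x68, down: true },
  { t: 1388, type: 'key', keysym: 0x68, down: false },
  { t: 1502, type: 'key', keysym: 0x69, down: true },
  { t: 1571, type: 'key', keysym: 0x69, down: false },
];

const coarse = coarsenInput(sample);
console.log(coarse.map((e) => e.t), interEventGaps(coarse));
```

The per-keystroke hold times and mouse trajectory disappear from the forwarded stream, but event order, event count per slot and the typed content itself are still visible to the server.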

JohnMcKinsey commented 6 years ago

Topic closed

JohnMcKinsey commented 6 years ago

Topic closed

samhed commented 6 years ago

noVNC will log to the browser console; that log includes the RFB protocol version if log-level is set to INFO or higher. On the server side you will have logs from your VNC server (which of course differs depending on which server you use) and connection logs from Websockify if you use that. As far as user actions go, that's nothing the RFB protocol is aware of.

We can't really answer for the server side of things, since noVNC is only a client.

JohnMcKinsey commented 6 years ago

Topic closed

samhed commented 6 years ago

Nope, it's not included in the RFB protocol (VNC) and not possible with noVNC.

kanaka commented 6 years ago

@JohnMcKinsey Again, I'm not an expert, but my understanding is that a common way that people who use anonymization tools have been unmasked is that they are fingerprinted while using those tools and this is later correlated with logs/records/fingerprinting when they access the Internet without those tools (which is probably inevitable regardless of how diligent a person is). So if you must use a remote frame buffer service, then noVNC (on Tor) is probably better than regular VNC is better than RDP. But using a frame buffer service (regardless of whether noVNC and/or Tor) still increases your fingerprint IMO.