Fact-checked by Grok 2 weeks ago

RFB (protocol)

RFB (Remote Framebuffer), or Remote Framebuffer , is a simple, platform-independent designed for remote access to graphical user interfaces, enabling a client to view and control a on a remote computer by transmitting data at the level. This approach makes it applicable to diverse systems, including X11, Windows, and Macintosh, without relying on specific application-level details. The operates over , typically on port 5900, using a client- model where the provides updates in the form of rectangular regions, while the client sends input events such as presses and pointer movements. Developed in the late 1990s at the Olivetti & Oracle Research Lab (ORL) in Cambridge, UK, by Tristan Richardson and Kenneth R. Wood, RFB emphasizes a "thin client" philosophy to ensure broad compatibility with low-end hardware by minimizing computational demands on the client side. The initial specification, version 3.3, was documented in January 1998 and revised in July of that year to address compatibility and enhancements. Over the following decade, RFB evolved through versions 3.7 and 3.8, gaining widespread adoption in open-source and commercial implementations, particularly within Virtual Network Computing (VNC) software. In March 2011, the protocol was formalized as an informational (6143) by the (IETF), authored by T. Richardson and J. Levine of Ltd., to promote among diverse implementations. Key features include negotiable pixel formats (such as 32-bit or 8-bit ), multiple encoding schemes for efficient data transmission (e.g., raw pixels, CopyRect for screen copies, and compressed options like ZRLE or Hextile to balance bandwidth and processing), and support for authentication methods such as none or VNC authentication, with encryption typically achieved via external tunneling over TLS, SSH, or similar secure transports. The protocol's demand-driven update mechanism allows clients to request only changed screen regions, reducing network overhead, and it preserves remote application state across connections. RFB's design prioritizes simplicity and extensibility, permitting developers to add custom encodings or security types while maintaining core compatibility via unique identifiers registered with the Internet Assigned Numbers Authority (IANA). It has become foundational for thin-client applications and remote desktop tools.

Overview

Description

The Remote Framebuffer (RFB) protocol is an open, platform-independent system designed for remote access to graphical user interfaces through framebuffer-level operations, allowing a client to remotely view and interact with a server's display without regard to the underlying operating system or windowing environment. It operates by treating the entire screen as a framebuffer—a memory buffer holding pixel data—enabling cross-platform compatibility and simplicity in implementation. RFB's primary use cases include remote desktop control, screen sharing, and virtual desktop environments, making it suitable for accessing systems based on windowing frameworks such as X11, Microsoft Windows, macOS, and . These applications facilitate collaborative work, , and thin-client computing by transmitting visual output from the to the client while relaying inputs in the opposite direction. At its core, RFB involves two main components: an RFB server, which maintains and provides the state of the remote display, and an RFB client, which renders the received visuals and sends control inputs. Communication between them occurs over connections, typically using port 5900 for direct RFB sessions, port 5800 for HTTP tunneling that historically served Java applets for browser-based access (now often using /WebSockets in modern implementations), and port 5500 for reverse connections where the viewer listens for incoming server connections. The fundamental operational model centers on efficient pixel-based transmission of screen updates, where the sends rectangular regions of changed pixels to the client upon request, alongside forwarding of client-generated events like presses and movements to simulate local on the . This inherently supports multiple clients connecting to the same , either sharing the view or accessing it exclusively, promoting in multi-user remote access scenarios.

Core Principles

The Remote Framebuffer (RFB) protocol is fundamentally designed around the abstraction of the remote display as a , which is a simple rectangular array of representing the entire . This approach treats the display as a basic , independent of the underlying operating system, , or application layers, allowing the protocol to operate at the pixel level without needing to interpret higher-level constructs like windows or widgets. By focusing solely on pixel data, RFB achieves platform independence, making it compatible across diverse systems such as X11, Windows, and Macintosh, as it avoids dependencies on specific graphical APIs or event models unique to any one platform. RFB employs an event-driven communication model between the and client, where the maintains the and pushes updates to the client in the form of rectangular regions of changed , known as framebuffer rectangles. These updates are initiated in response to client requests, ensuring that the client only receives data for screen areas that have modified since the last update. Conversely, the client sends input events—such as pointer movements, button presses, and inputs—directly to the as they occur, enabling interaction with the remote . This bidirectional, asynchronous flow supports a thin-client , where the client requires minimal power and can render the interface solely from the received pixel data. To address efficiency, particularly in low-bandwidth environments, RFB prioritizes selective updates by transmitting only the portions of the that have changed, rather than the entire screen. This incremental approach minimizes data transfer, with the protocol negotiating pixel formats and encoding schemes at time to optimize for the available conditions and client capabilities. The emphasizes and adaptability, allowing implementations to scale from local s to remote, constrained s without requiring complex state synchronization beyond the itself.

History and Development

Origins at ORL

The Remote Framebuffer (RFB) protocol originated in the mid-1990s at the Laboratory (ORL) in , , as a key component of research into thin-client computing systems. Led by Tristan Richardson, Quentin Stafford-Fraser, Kenneth R. Wood, and , the development aimed to enable seamless remote access to graphical user interfaces from resource-limited devices, addressing the limitations of existing protocols like the , which were computationally intensive and inefficient over low-bandwidth or high-latency connections. ORL's work built on earlier experiments in and , focusing on framebuffer-level operations to simplify data transmission by treating the screen as a shared rather than handling complex . The initial motivation for RFB stemmed from the need for a platform-independent that could support collaborative environments and "teleporting" of sessions across networks, allowing users to interact with their personal environment from any location without stateful dependencies on the client . Inspired by X11's remote capabilities but seeking greater efficiency, the was designed to operate at the level, transmitting only incremental changes to the to minimize overhead in constrained settings like early thin clients or mobile setups. This approach was prototyped starting with ORL's Videotile in 1994, an experimental ultra-thin client featuring an LCD screen, pen input, and connectivity that initially streamed remote screens as compressed video before evolving to selective updates. By 1995, Richardson implemented a compact client (just 6 KB in size) using Sun's early release, enabling browser-based access to X sessions via the RFB interface. Prototype implementations integrated RFB with extensions to detect screen changes efficiently, such as through hooks that captured rectangle-based updates triggered by user interactions or application events, ensuring low-latency transmission over /IP. Early demonstrations occurred in , showcasing global "teleporting" where users accessed ORL desktops remotely from locations including , , Princeton, and using browsers, highlighting the protocol's robustness over the . These tests involved real-time mouse and keyboard control, with the Java client rendering the framebuffer on diverse hardware. Further refinements in focused on asynchronous collaboration features, building on the core protocol's simplicity. A pivotal early was the internal deployment of RFB-based systems at ORL by the late , where it facilitated daily collaborative work by allowing researchers to share Unix workstations and PC desktops across lab offices and remote sites, fostering efficient teamwork in a pre-cloud without requiring dedicated per user. This internal use validated the protocol's practicality for resource-constrained environments, setting the foundation for its later broader adoption.

Open Source Release and Commercialization

In 2002, closed its Laboratories (formerly the & Research Lab, or ORL), which had been the birthplace of the VNC software implementing the RFB protocol. Prior to the closure, the VNC , including the RFB protocol implementation, had been released as under the General Public License (GPL) starting in 1999, enabling widespread adoption and modification by developers worldwide. Following the lab's shutdown, several original VNC developers, including Tristan Richardson and Andy Harter, founded Ltd. in 2002 to commercialize VNC technology, provide ongoing maintenance for the protocol, and offer enterprise-grade implementations while preserving its open-source roots. This transition allowed to develop proprietary enhancements alongside the core open protocol, supporting both free and paid deployments across various platforms. The open-source release spurred significant community involvement, with notable forks emerging shortly thereafter. , an optimized variant focused on efficient encoding for low-bandwidth connections, began development in 2001 and released its initial version in 2002, introducing features like the Tight encoding scheme. Similarly, launched in December 2002, adding advanced features such as and text chat, which expanded RFB's utility in diverse remote access scenarios. These projects, along with others, fostered a rich ecosystem of RFB-compatible tools, promoting and innovation without fragmenting the protocol's core. To formalize RFB's status and ensure consistent implementation, the (IETF) published RFC 6143 in March 2011, documenting version 3.8 of the protocol as an informational standard. This effort culminated in the (IANA) establishing dedicated registries for RFB parameters, including message types and security types, beginning in late 2010 and continuing with updates through 2012, which helped standardize protocol extensions and prevent conflicts in deployments.

Protocol Mechanics

Connection and Handshake

The Remote Framebuffer (RFB) protocol establishes a connection between client and over , typically on port 5900 for the primary display (with subsequent displays using ports 5901, 5902, and so on). This port assignment follows the convention of X11 displays, where the listens for incoming connections from clients seeking to access the . Optionally, some RFB implementations provide an HTTP service on port 5800 to facilitate browser-based access, often by serving a that initiates the RFB connection or tunnels the protocol over HTTP. Upon connection establishment, the begins with negotiation to ensure compatibility. The initiates this by sending a 12-byte ProtocolVersion message in ASCII format, such as "RFB 003.008\n", indicating the highest supported RFB . The client responds with its own ProtocolVersion message, proposing a it supports (not higher than the 's, e.g., "RFB 003.008\n"); the then proceeds with the using the negotiated , or the connection terminates if incompatible. This negotiation ensures both endpoints use identical semantics, with versions formatted as major and minor numbers separated by a dot (e.g., 3.8). Following version agreement, the handshake determines the mechanism to protect the session. The server sends a single-byte count of supported types, followed by a list of one-byte identifiers for each type, such as 1 for "None" (no ) or 2 for "VNC " (password-based). The client selects and replies with one supported type; if "VNC " is chosen, the server issues a 16-byte random challenge, and the client responds with an 8-byte encrypted response derived from the (), though further details on are specified elsewhere. Unsupported or failed selections result in connection closure. Once security is resolved, initialization messages complete the handshake by defining the session parameters. The client sends a one-byte ClientInit message indicating whether the session is shared (1) or exclusive (0), allowing multiple clients if supported. The server then responds with the ServerInit message, providing the framebuffer's width and height as 16-bit unsigned integers, followed by a 16-byte pixel format structure detailing bits per pixel (U8, typically 8, 16, or 32), depth (U8, effective bits used), big-endian flag (U8, 0 for little-endian), true-color flag (U8, 1 if RGB components are distinct), maximum values and shifts for red, green, and blue channels (U16 and U8 each), and padding. This is followed by a 32-bit name length and the server name string. The client acknowledges implicitly by proceeding to optional configuration messages (e.g., setting pixel format or encodings) and explicitly requests the initial framebuffer update via a FramebufferUpdateRequest message, marking the transition to active data exchange.

Message Types and Flow

The RFB protocol employs a client-server messaging system to facilitate of the , where clients send input events and requests while servers transmit screen updates and responses. Messages are exchanged over a reliable transport such as , ensuring ordered delivery without acknowledgments in the core protocol. All messages adhere to a for efficiency, beginning with a single-byte message type identifier followed by type-specific fields, with multi-byte values encoded in big-endian order and padding bytes set to zero where applicable. Client-to-server messages enable the client to configure the session and provide input to the . The SetPixelFormat message (type 0) allows the client to define the desired and pixel format for incoming data, including bits per pixel, depth, flags, and color map details, ensuring compatibility with the client's rendering capabilities. The client can request resizing using the SetEncodings message with the DesktopSize pseudo-encoding, or via the optional SetDesktopSize message (type 251) in supporting implementations, allowing dynamic adjustments to the remote size. KeyEvent messages (type 4) report presses or releases, specifying the keysym value and a down-flag to indicate action. PointerEvent messages (type 5) convey position changes and states, including a mask and absolute x/y coordinates within the . Finally, ClientCutText messages (type 6) transmit data from the client to the , prefixed with the text length followed by the encoded string. Server-to-client messages deliver visual and auxiliary updates from the server to the client. The FramebufferUpdate message (type 0) is central, containing one or more rectangles of screen changes, each with a 16-byte header specifying x/y position, width/height, and encoding type, followed by the encoded for those regions. SetColourMapEntries messages (type 1) update entries in the client's color palette for modes, specifying the first color index, number of entries, and RGB values for each. The Bell message (type 2) simply signals an audible alert on the with no additional payload. ServerCutText messages (type 3) send from the server to the client, structured similarly to ClientCutText with length and text fields. The update flow is primarily demand-driven, promoting bandwidth efficiency by transmitting only requested changes. The client initiates updates via FramebufferUpdateRequest messages (type 3), which can specify a full initial copy (incremental flag 0) or incremental changes since the last update (flag 1), along with the bounding box coordinates and dimensions; clients typically send these periodically for continuous monitoring. The server responds with a FramebufferUpdate containing the minimal set of changed rectangles, often leveraging incremental requests to send only deltas, which supports continuous updates for real-time remote viewing without redundant full-screen transmissions. This flow allows for efficient handling of dynamic screen content, with servers batching multiple rectangles into a single update message when possible.

Version Specifications

The Remote Framebuffer (RFB) protocol has evolved through three primary versions, each introducing enhancements to authentication, encoding support, update mechanisms, and overall compatibility while maintaining the core framebuffer access model. These versions—3.3, 3.7, and 3.8—represent incremental improvements driven by practical deployment needs in remote desktop applications. RFB 3.3, released in January 1998 by AT&T Laboratories Cambridge (formerly Olivetti Research Laboratory), established the foundational specification. It introduced basic authentication mechanisms, including no authentication and VNC authentication using a DES-encrypted challenge-response. The version supported raw pixel encoding as the primary method for transmitting framebuffer data, alongside initial support for 8, 16, and 32 bits per pixel (bpp) formats to accommodate varying display depths. Additionally, it standardized the protocol version string in the format "RFB 003.003\n" for the initial handshake, ensuring clear version identification during connection setup. RFB 3.7, published on August 12, 2003, by Ltd., built upon 3.3 by enhancing flexibility in remote display management. It added support for palette-based color mapping through the SetColourMapEntries message, allowing efficient handling of spaces. Continuous updates were enabled via client-initiated FramebufferUpdateRequest messages, permitting incremental rather than full-frame refreshes to reduce usage. Extended framebuffer resizing became possible using the DesktopSize pseudo-encoding, and color map handling was improved with better server-side updates to client palettes. These changes addressed limitations in dynamic environments, such as varying window sizes and color requirements. RFB 3.8, initially released in June 2007 and formalized as the official standard in RFC 6143 in March 2011, further refined and extensibility. It standardized type negotiation, allowing clients and servers to agree on methods like None or VNC Authentication during the , with explicit SecurityResult messages for status feedback. Encoding was formalized, supporting a wider range of options including , RRE variants, Hextile, and ZRLE, while introducing pseudo-encodings for extensions. Server-initiated updates were enhanced for better responsiveness, and the protocol established IANA-managed registries for types, message types, and encodings to ensure coordinated evolution. All versions maintain backward compatibility through the initial protocol version negotiation, where clients and servers propose their highest supported version and fall back to the lowest common one, typically 3.3 if mismatches occur. No official versions beyond 3.8 have been released as a standard, though community implementations may include proprietary extensions negotiated separately.

Data Encoding

Basic Encoding Schemes

The basic encoding schemes in the Remote Framebuffer (RFB) protocol provide fundamental methods for transmitting rectangular regions of the framebuffer from server to client without relying on compression techniques. These encodings form the baseline for protocol operation, allowing clients to reconstruct screen updates efficiently in low-complexity scenarios. All clients are required to support raw encoding, while others offer optimizations for common graphical patterns such as solid colors or copied regions. The server selects an encoding type for each rectangle in a FramebufferUpdate message, based on client preferences advertised during the connection handshake. Raw encoding, designated as type 0, is the simplest and most straightforward scheme, transmitting data directly without any optimization. It sends the full width times height number of pixels for the specified in left-to-right, top-to-bottom scanline order, using the pixel format negotiated earlier in the (e.g., 32-bit RGBA). This approach ensures universal compatibility but consumes significant , making it suitable only for small updates or high-bandwidth links. For instance, a 100x100 in 32-bit color would require exactly 40,000 bytes of data. CopyRect encoding, type 1, optimizes transmission by copying an existing rectangular region from one location in the client's to another, avoiding the need to resend data. The specifies only the source coordinates (x, y) relative to the destination 's position, with the rectangle's width and height matching the source. This is particularly efficient for screen elements like scrolling text or moving windows, where large areas remain unchanged. The encoding consists of a single 8-byte coordinate pair following the rectangle header. Rise-and-Run-length Encoding (RRE), type 2, targets regions dominated by solid colors by first filling the entire with a value, then overlaying a series of subrectangles each filled with a single foreground . The message includes the (in the negotiated ), the number of subrectangles N (up to 255), and for each subrectangle: its position ( offsets) and foreground . This reduces data for sparse changes over uniform backgrounds, such as menus or dialog boxes, though it is considered obsolescent in modern implementations due to more advanced alternatives. A typical encoding might transmit just a few dozen bytes for a with scattered icons on a plain field. Hextile encoding, type 5, divides the into non-overlapping 16x16 tiles (or smaller at edges) to allow fine-grained optimization per , balancing detail and efficiency for varied . Each begins with a single-byte subencoding type indicating properties like raw , a solid color fill, use of foreground/background colors with subrectangles, or a 4x8 of those colors. For raw tiles, all 256 are sent directly; for patterned tiles, a 16-byte specifies which of the two colors applies to each position. This scheme excels in mixed regions like desktops with icons and text, transmitting as little as 1 byte per solid . Like RRE, it is obsolescent but remains useful for legacy compatibility. These encodings integrate into the protocol's update flow via the client's FramebufferUpdateRequest message, which specifies the desired (x, y, width, height) and an incremental flag (non-zero for changes since last update, zero for full refresh). The responds with a FramebufferUpdate containing one or more rectangles, each prefixed by its encoding type (a 32-bit signed ), allowing the client to decode accordingly. Clients may influence selection by listing preferred encodings in descending order during , though the has final discretion.

Compression and Advanced Encodings

To optimize bandwidth usage in the Remote () protocol, clients advertise supported encoding types during the initialization using the SetEncodings message, allowing the server to select the most appropriate method for each framebuffer update rectangle based on network conditions and content characteristics. This negotiation ensures fallback to raw encoding if needed, while preferring compressed variants for efficiency. The protocol includes standard compression encodings defined in RFC 6143. Tiled Run-Length Encoding (TRLE), type 15, divides the rectangle into 256x256 tiles (or smaller), palettizes colors within each tile to up to 127 entries, and applies to the palette indices, providing moderate for regions with limited colors. ZRLE (Zlib Run-Length Encoding), type 16, further enhances efficiency by tiling the rectangle into 64x64 blocks, palettizing to 127 colors per tile, encoding palette indices with (including solid fill and plain RLE), and compressing the resulting data stream using the from zlib. A single zlib stream is maintained across the for incremental . ZRLE is widely used for its balance of ratio and speed in typical desktop scenarios. Extensions provide additional compression options. The Zlib encoding, registered as type 6 and introduced in RFB version 3.7, applies the algorithm from the zlib library to compress raw pixel data within rectangles. It prepends a 4-byte header indicating the compressed length, followed by the zlib stream, providing a balance between moderate CPU overhead and significant bandwidth reduction for typical screen updates, such as scrolling text or simple graphics. This method processes the entire rectangle as a single compressed block, making it suitable for connections where decompression latency is acceptable. A single zlib stream is used per connection. Tight encoding, type 7 and developed as a community extension by the project, employs a multi-pass approach to achieve higher compression ratios than Zlib for desktop environments with mixed content like icons, text, and photos. It first indexes colors to a palette (up to 256 entries) for low-color regions, applies where effective, then compresses subrectangles using zlib or for photographic areas, with optional gradient filtering to exploit smooth color transitions. Performance evaluations show Tight reducing bandwidth by 11% to 75% compared to Zlib across various workloads, such as application launches or video playback, while maintaining reasonable encoding speeds on standard hardware. The XZ encoding, implemented as an extension with type 18, leverages the LZMA2 algorithm from the library to compress ZRLE-like pixel data, offering superior ratios (often 1/2 to 2/3 of ZRLE sizes) at the cost of higher CPU usage. It streams multiple rectangles into a single 4 MB dictionary for better efficiency on large updates, targeting low-bandwidth scenarios like over slow links. Advanced variants include Tight PNG (type -260), a community extension that replaces Tight's basic zlib compression with lossless for subrectangles, improving quality for sharp images without artifacts, though at increased computational demands. H.264 encoding (type 20), registered for video-optimized streaming, applies motion-compensated prediction to rectangles, achieving 23% to 85% savings in dynamic or video content, but its high CPU requirements (2.2 to 6.5 times that of Tight) limit it to specific high-motion applications rather than general desktop use.

Security Features

Authentication Mechanisms

The RFB protocol supports multiple mechanisms to verify client identity during the initial , enhancing before proceeding to data exchange. Following version negotiation, the server transmits the number of supported security types (a single octet) followed by a list of those types (each an octet), allowing the client to select one by sending its chosen type back to the server. This negotiation enables compatibility across implementations while permitting the use of stronger methods where available. Type 1 designates no , bypassing entirely and advancing directly to the protocol's initialization phase; this option exposes sessions to unauthorized access and is unsuitable for untrusted networks. Type 2 provides the core VNC authentication via a challenge-response exchange: the generates and sends a random 16-byte challenge, which the client encrypts using in electronic codebook mode with the user password (truncated or null-padded to exactly 8 bytes) as the key, then returns the 16-byte response for server validation. Upon success, a result (0 for ) confirms the connection; failure (1) terminates it. This approach offers rudimentary protection but relies on the outdated DES algorithm, rendering it vulnerable to offline attacks. Extensions address these limitations with more robust schemes. Types 5 (RA2) and 6 (RA2ne), developed by , employ public-key operations for initial followed by 128-bit symmetric encryption to secure the authentication response, providing significantly stronger resistance to than type 2. The RA2ne variant modifies the process to eliminate null bytes in derived keys, mitigating potential weaknesses from padding or implementation quirks in DES-era methods. Type 18, available since RFB version 3.7, integrates (TLS) for certificate-based verification using standards, enabling of client and server identities over an encrypted ; it may subsequently layer type 2 VNC authentication atop the TLS session for hybrid verification.

Encryption and Protection Methods

To address limitations in early authentication, later RFB specifications incorporated (TLS) as a core method, designated under security types such as 18 (TLS) and 19 (VeNCrypt). Security type 18 enables full-session TLS , leveraging ciphers such as for and protection, with support for certificate validation to ensure server authenticity. This TLS integration wraps the entire RFB protocol in a secure channel, mitigating eavesdropping and tampering risks over untrusted networks, and aligns with broader recommendations to tunnel RFB via or SSH for additional protection. The VeNCrypt extension, introduced in 2005 as a community-driven enhancement to security type 19, further refines RFB's encryption by combining TLS tunneling with standard VNC authentication methods for layered security. VeNCrypt supports subtypes like TLSVnc and X509Vnc, allowing encrypted authentication and data transfer while preserving compatibility with legacy VNC clients. Within this framework, the ANON TLS subtype (under VeNCrypt) employs anonymous Diffie-Hellman key exchange to establish encryption without server certificates, offering faster setup at the cost of reduced authentication assurance and vulnerability to man-in-the-middle attacks. Additional registered types include 23 (Secure Tunnel) and 24 (Integrated SSH) for enhanced tunneling-based protection. Despite these advancements, RFB remains susceptible to protocol-level vulnerabilities that can undermine efficacy. For instance, CVE-2021-41380 demonstrates a denial-of-service where malformed RFB data causes application crashes in clients like Viewer 6.21.406, potentially disrupting secure sessions. Implementation-specific flaws, such as a local in Server due to unsafe handling during , were addressed in patches released in July 2025 for version 7.14.0, highlighting ongoing needs for robust error handling in encrypted deployments.

Limitations and Extensions

Inherent Limitations

The Remote Framebuffer (RFB) protocol's core design relies on transmitting raw pixel data in rectangular regions of the , which inherently leads to high , particularly for dynamic or high-motion such as text, animations, or video playback. This pixel-based approach, while enabling broad platform independence by operating at the level without relying on application-specific semantics, contrasts with vector-based protocols like Microsoft's (RDP), which send compact graphical instructions (e.g., "draw a line" or "render a font") rather than full image captures, resulting in significantly lower network usage for . In low- environments, this inefficiency can cause noticeable and reduced responsiveness, as the protocol must repeatedly encode and send large volumes of updates even for minor screen changes. Clipboard synchronization in RFB is restricted to plain text encoded in the ISO 8859-1 (Latin-1) character set, supporting only 256 characters and excluding non-Western scripts, Unicode, or rich formatting like HTML or RTF. This limitation arises from the protocol's ClientCutText and ServerCutText messages, which transmit a fixed-length text buffer without provisions for character set negotiation or binary data, preventing seamless transfer of international text or multimedia clipboard content in the core specification. As a result, users working with diverse languages or complex documents must resort to manual workarounds, such as screenshotting or external file sharing, which undermines the protocol's utility for collaborative or multilingual scenarios. Input handling in RFB supports a traditional and pointer model, with pointer events limited to a maximum of 8 s via an 8-bit button mask in the PointerEvent message, and no native accommodation for gestures, pressure-sensitive styluses, or other advanced input modalities common in modern devices. input relies on X11-style keysyms for cross-platform mapping, which can lead to inconsistencies for non-standard layouts or specialized keys without client-side synthesis. These constraints stem from the protocol's framebuffer-centric focus, prioritizing simplicity over device-specific features, thereby restricting its applicability to touch-enabled or high-precision input environments without additional client adaptations. Audio capabilities in the core RFB protocol are minimal, confined to a simple Bell message that triggers a basic audible beep or notification sound on the client side, with no support for streaming full audio, voice, or playback. This single-byte message serves only to signal events like errors or alerts, reflecting the protocol's emphasis on visual control rather than integrated audiovisual transmission. Scalability in RFB is challenged by its treatment of the remote display as a single, unified , offering no built-in mechanisms for native configurations or dynamic high-resolution handling beyond basic size adjustments via the DesktopSize pseudo-encoding. While the protocol specifies framebuffer dimensions using 16-bit unsigned integers (up to 65,535 pixels wide or high), practical implementations often struggle with ultra-high resolutions (e.g., or 8K) due to the overhead of transmission across expansive areas, exacerbating demands without core-level partitioning or support. setups require clients to stitch virtual screens into one framebuffer, leading to inefficient updates for inactive monitors and potential performance degradation in extended desktop environments.

Community Extensions and Improvements

The community has significantly extended the RFB protocol through open-source projects, focusing on performance optimizations and compatibility enhancements. TigerVNC, a prominent implementation, introduced support for libjpeg-turbo in its encoding pipeline, achieving compression speeds 1.8x to 4.5x faster than standard libjpeg on x86 architectures, which improves real-time video transmission over remote connections. Additionally, TigerVNC implemented multi-threaded decoding starting in the mid-2010s, allowing better utilization of multi-core processors to reduce latency in framebuffer updates, particularly beneficial for high-resolution displays. RealVNC and the community maintain the rfbproto repository on GitHub, serving as a community-driven specification for RFB extensions, including registries for encoding and security types; updates in the 2020s have documented several new encoding types and security schemes to accommodate evolving implementations. This repository ensures interoperability by cataloging unofficial extensions, such as advanced compression variants, and has been actively revised as recently as June 2025 to reflect modern protocol adaptations. Intel's Active Management Technology (AMT) incorporates custom RFB messages to enable hardware-based KVM over IP, extending the protocol for out-of-band remote control even when the host OS is unavailable; these extensions leverage RFB 3.8's CutText messages for additional features like power control and BIOS redirection. AMT's RFB support includes compatibility with Solaris OS starting from version 3.8, allowing seamless integration in enterprise Unix environments for remote hardware management. Between 2020 and 2025, community efforts addressed security gaps and modern display protocols. released patches in September 2025 fixing a local in VNC Server on Windows, triggered by installer repair mode, which could allow unauthorized elevation during maintenance operations. Concurrently, Remote Desktop integrated RFB support for sessions with the release of 46 in March 2024, enabling headless remote access and screen sharing via VNC without requiring X11 fallbacks, thus improving compatibility with contemporary desktops. The (IANA) continues to manage RFB registries under expert review, assigning new encoding types beyond the initial set (e.g., types 26 and higher for emerging methods like cursor pseudo-encodings) and types to prevent overlaps in community extensions. This ongoing process, established since 2010, supports protocol evolution by allocating identifiers for innovations such as TLS-based variants.

References

  1. [1]
    RFC 6143 - The Remote Framebuffer Protocol - IETF Datatracker
    RFB ("remote framebuffer") is a simple protocol for remote access to graphical user interfaces that allows a client to view and control a window system on ...
  2. [2]
    [PDF] The RFB Protocol - MIT
    RFB (“remote framebuffer”) is a simple protocol for remote access to graphical user interfaces. Because it works at the framebuffer level it is applicable ...
  3. [3]
    Remote Framebuffer (RFB) - Internet Assigned Numbers Authority
    Remote Framebuffer (RFB) was created in 2010 and last updated in 2024. It has available formats in XML, HTML, and plain text.
  4. [4]
    any1/wayvnc: A VNC server for wlroots based Wayland compositors
    It attaches to a running Wayland session, creates virtual input devices, and exposes a single display via the RFB protocol. The Wayland session may be a ...
  5. [5]
    https://github.com/novnc/noVNC
  6. [6]
    https://datatracker.ietf.org/doc/html/rfc6143#section-1
  7. [7]
    https://web.mit.edu/cdsdev/src/rfbproto.pdf#section-1
  8. [8]
    https://datatracker.ietf.org/doc/html/rfc6143#section-3
  9. [9]
    https://web.mit.edu/cdsdev/src/rfbproto.pdf#section-3
  10. [10]
    https://web.mit.edu/cdsdev/src/rfbproto.pdf#section-4
  11. [11]
    [PDF] Global Teleporting with Java: Towards ubiquitous personalised ...
    protocol interface as the RFB X server, but would deliver mouse and keyboard ... [6] Tristan Richardson ... Technical Report 94.4, ORL Ltd, Trumpington Street, ...
  12. [12]
    https://www.cl.cam.ac.uk/research/dtg/attarchive/pub/docs/ORL/tr.96.2.pdf
  13. [13]
    From Cambridge Labs to Global Impact: This is the RealVNC Story
    Meet Our Founders ; Andy Harter. Founder & Former CEO ; Lily Bacon. Founder & Former EVP ; Andy Hopper. Founder & Former Chairman ; Tristan Richardson. Technical ...
  14. [14]
    VNC - Why is it free? - MIT
    We are releasing VNC on the same terms and conditions: those of the GNU General Public License. We believe that systems based on stateless endpoints have many ...Missing: GPL | Show results with:GPL
  15. [15]
    https://web.mit.edu/cdsdev/src/free.html
  16. [16]
    https://uvnc.com/
  17. [17]
    https://datatracker.ietf.org/doc/html/rfc6143#section-2
  18. [18]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.1
  19. [19]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.1.1
  20. [20]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.1.2
  21. [21]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.1
  22. [22]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.3.1
  23. [23]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.3.2
  24. [24]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.5
  25. [25]
    1 The RFB Protocol — VNCDoTool 0.8.0 documentation
    RFB (“remote framebuffer”) is a simple protocol for remote access to graphical user interfaces. Because it works at the framebuffer level it is applicable to ...
  26. [26]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.5.2
  27. [27]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.5.4
  28. [28]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.5.5
  29. [29]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.5.6
  30. [30]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.6.1
  31. [31]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.6.2
  32. [32]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.6.3
  33. [33]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.6.4
  34. [34]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.5.3
  35. [35]
    RFC 6143 - The Remote Framebuffer Protocol - IETF Datatracker
    Handshake Messages When an RFB client and server first connect, they exchange a sequence of handshake messages that determine the protocol version, what ...
  36. [36]
    https://www.realvnc.com/docs/rfbproto.pdf
  37. [37]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.7
  38. [38]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.7.1
  39. [39]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.7.2
  40. [40]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.7.3
  41. [41]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.7.4
  42. [42]
    LibVNCServer/LibVNCClient: include/rfb/rfbproto.h Source File
    744 * Tight and TightPng Encoding. 745 *. 746 *-- TightPng is like Tight but basic compression is not used, instead PNG.
  43. [43]
    VNC Tight Encoder - Comparison Results - TightVNC
    Jan 12, 2024 · Tight-1.1 encoder shows significant bandwidth savings (up to 99.59%) and faster compression times compared to Zlib, and can achieve four times ...Missing: h. 264
  44. [44]
    [rfbproto] Provisional new XZ encoding
    ### Summary of XZ Encoding Proposal in RFB
  45. [45]
    A Study on the Usefulness of H.264 Encoding in a VNC Environment
    Aug 19, 2014 · The goal of this research was to investigate whether a compelling case could be made for implementing H.264 encoding in TurboVNC.Missing: zlib tight<|control11|><|separator|>
  46. [46]
    [PDF] The RFB Protocol - catonmat.net
    Nov 26, 2010 · RFB (“remote framebuffer”) is a simple protocol for remote access to graphical user interfaces. Because it works at the framebuffer level it ...
  47. [47]
    Xvnc - TigerVNC
    Specify which security scheme to use for incoming connections. Valid values are a comma separated list of None, VncAuth, Plain, TLSNone, TLSVnc, TLSPlain, ...Options · Parameters · Usage With Inetd
  48. [48]
    [PDF] The RFB Protocol
    Aug 12, 2003 · Handshaking begins by the server sending the client a ProtocolVersion message. This lets the client know which is the highest RFB protocol ...
  49. [49]
    The DES encryption used by VNC servers
    VNC authentication is done by receiving a 16 byte challenge, encrypting it with DES using the user specified password, and sending back the resulting 16 bytes.
  50. [50]
    https://datatracker.ietf.org/doc/html/rfc6143#section-9
  51. [51]
    http://www.sibecker.co.uk/vencrypt.html
  52. [52]
    VeNCrypt
    In doing so he extended the RFB protocol to include the VeNCrypt sub-protocol version 0.1. May 2006 Stewart released VeNCrypt 0.1.1 for Windows. 2006 Current ...
  53. [53]
    vencrypt.txt
    ... TLS authentication is initiated as described in the TLS protocol. If the TLS ... 1. RFB Protocol Section 6.2.19.258 - TLSVnc VeNCrypt sub-type TLSNone ...Missing: methods | Show results with:methods
  54. [54]
    PATCH: Secure TLS encrypted authentication for VNC
    RFB protocol traffic is TLS encrypted. - The sub-auth types supported by VeNCrypt are: - Plain - username & password - no TLS at all - TLS Anon ...
  55. [55]
    CVE-2021-41380 Detail - NVD
    Sep 17, 2021 · RealVNC Viewer 6.21.406 allows remote VNC servers to cause a denial of service (application crash) via crafted RFB protocol data.
  56. [56]
    RealVNC Connect 7.14.0
    Sep 8, 2025 · Release Date. July 2025 ... SECURITY: Fixed a local privilege escalation in Windows caused by directory creation before installation.
  57. [57]
    VNC vs RDP: Which Remote Desktop Tool is the Best? - RealVNC
    It is pixel-based and platform-independent. This means VNC applications ... VNC (Virtual Network Computing) uses the RFB (Remote Framebuffer) protocol ...What Are Vnc And Rdp? · Vnc Vs Rdp Feature... · Use Cases For Remote Desktop...Missing: inefficiency | Show results with:inefficiency
  58. [58]
    [PDF] RFC 6143: The Remote Framebuffer (RFB) Protocol Analysis
    Apr 17, 2013 · The RFB protocol is for remote access to graphical interfaces, used in VNC, and is windowing-system-independent, allowing control of a remote ...
  59. [59]
    https://datatracker.ietf.org/doc/html/rfc6143#section-7.8.2
  60. [60]
    [PDF] TigerVNC and libjpeg-turbo - The best remote desktop
    Feb 11, 2011 · TigerVNC server based on the newest X.Org support wide range of ... 1.8x – 4.5x faster than libjpeg comparable with IPP library on x86 ...
  61. [61]
    Multi-threaded encoding causes disconnect with TigerVNC client #76
    Mar 3, 2017 · The easiest way to tell is to downgrade the TigerVNC Viewer to an earlier release. They recently implemented multithreaded decoding (I think ...Missing: XZ | Show results with:XZ
  62. [62]
    VNC/RFB Protocol Specification - GitHub
    Jun 9, 2025 · Community maintained version of the VNC/RFB specification. Aims to be a complete documentation for every extension. - VNC/RFB Protocol ...
  63. [63]
    RFB Extensions - Intel Developer Zone
    Extensions use the RFB 3.8 standard (RFC 6143) CutText messages that can be sent from the client (the remote management console) to the server (Intel AMT) and ...
  64. [64]
    Solaris 11 packages
    Sep 19, 2012 · LMS enables local managementapplications to send requests, and receive responses to thelocal Intel AMT device. System/Enterprise Management ...<|separator|>
  65. [65]
    Are there any known security vulnerabilities? - RealVNC Help Center
    Sep 3, 2025 · RealVNC has known vulnerabilities, including CVE-2022-41975, CVE-2022-27502, and a severe CVE-2006-2369. Some are fixed in later versions.Missing: history | Show results with:history
  66. [66]
    Setup Headless Multi-User Sessions on Wayland with GNOME ...
    Jun 25, 2024 · With the release of GNOME 46 in March 2024, GNOME Remote Desktop became the first software to support headless remote access on Wayland.