When you run an X server on your PC and the X server is the active application, all user input (mouse movement and key presses) are given by the computer to the X server. Applications that wish to interact with the user connect to the X server and ask for copies of user input.

Since the keystrokes often include information like usernames and passwords, it is important to make sure that this information is given only to the applications that should receive them. You can expect that normal applications like xterm or mozilla will behave properly. However it is possible for malicious Internet users to create applications that will surreptitiously listen in on your keystrokes and harvest information, including your Kerberos password.

All modern X servers provide a method to secure against connections from such unwanted applications; however, not all X server applications (including those native to UNIX) enable access controls by default.

To begin, you should make sure you understand How X-Windows Access Control Works.  If you are attempting to use X-Windows in the Unix or Linux environment, you may find our X-Terminal Security documentation helpful.  If you are using X-Win32 you should look at our advice on Securing X-Win32.