Apple Remote Desktop doesn't encrypt traffic.
When connecting to computers with ssh and VNC installed, both Windows and Linux, ARD presents a warning:
The computer "xxx.xxx.xxx.xxx" is running a VNC server that does not support Remote Desktop keystroke encryption. Do you want to continue connecting anyway?
If the remote computer has Remote Login or SSH enabled, you can select the "Encrypt all network data" setting in Remote Desktop's preferences to connect securely.
Emphasis mine.
The warning was expected, since the hosts are Linux/Windows hosts, but I wanted to see what the ARD message was. I then followed the message's advice, and enabled "Encrypt all network data (more secure)" in the security preferences of ARD.
With the "Encrypt all network data" option selected, ARD connects, but it doesn't use any ssh tunneling. It does not issue any warning. It simply connects, unencrypted, to port 5900 on the remote machine.
According to the Apple support knowledge base (http://support.apple.com/kb/TA24182), if I choose to encrypt all traffic and it can't create the tunnel, I won't be able to connect.
Instead, it connects with no encryption. It doesn't even TRY to create the ssh tunnel, despite the fact that both test machines are running ssh, and are accessible via ssh (from the terminal) and support ssh tunnels (tested using VNC!)
I have verified that all keystrokes, mouse movements, etc, are sent in the clear (using wireshark to sniff the network traffic on my LAN).
Telling administrators that they are encrypting all traffic, and then opening an unencrypted connection is an incredible security failure. I'm glad I checked before I started using ARD for real administration work.
How do I get ARD to actually encrypt my traffic, like it says it will?
Apple Remote Desktop 3.6-OTHER, OS X Mountain Lion