Could you add further information on what security requirements are prompting 
this? I don't follow how encrypting the tunnel further would add additional 
security over turning on TLS. It would probably be better to ensure appropriate 
network security via routing, firewalls, and VPN.

Terminating the AES of the guacamole protocol would have to be done in 
guacamole-server, where it then converts to RDP/VNC which wouldn't be able to 
be further encrypted with AES (but you can configure these connections to also 
use TLS). Adding AES here would only prevent the guacamole-client web server 
from being able to inspect the traffic. The guacamole-client web server has to 
inspect the traffic to some degree as there are some instructions managed on 
the web server and not passed on to the guacamole-server. Encrypting at the JS 
client and decrypting in guacamole-server would not be beneficial over using 
HTTPS from browser to guacamole-client web server and TLS between 
guacamole-client and guacamole-server.

- Christopher


> On Dec 12, 2023, at 5:49 AM, Giovanni Magoga <magogagiova...@gmail.com> wrote:
> 
> Hello,
> 
> I am developing a Guacamole-based web app with high confidentiality
> requirements that TLS by itself does not fulfill.
> Specifically, I require an additional encryption layer: client inputs
> should be AES-encrypted by the browser's JS runtime before being sent via
> the tunnel, and then decrypted server-side.
> 
> I've identified FilteredGuacamoleSocket
> <https://github.com/apache/guacamole-client/blob/212955c16c393c08f434f1def0ac12be36b09b2e/guacamole-common/src/main/java/org/apache/guacamole/protocol/FilteredGuacamoleSocket.java#L31>
> in guacamole-client as a potential integration point for the cipher,
> however, I couldn't find any examples of its usage.
> 
> Is this the right approach to add this type of capability? Could you
> provide some guidance on where to instantiate the FilteredGuacamoleSocket
> if so?
> 
> Thanks
> 
> *Giovanni Magoga*
> linkedin.com/in/ma9o
> <https://www.linkedin.com/in/ma9o/>
> calendly.com/ma9o
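As an added illustration of the layered setup the reply recommends (TLS on every hop rather than an extra AES layer), and not configuration taken from this thread or from the Guacamole project itself: guacd is given a certificate for its listening socket, and the guacamole-client web application is told to connect to it over TLS. The host address, port and certificate paths are placeholders.

```ini
# /etc/guacamole/guacd.conf  (guacd side: present a certificate on the guacd socket)
[server]
bind_host = 10.0.0.5        # placeholder: internal address of the guacd host
bind_port = 4822

[ssl]
# placeholder paths; the JVM running guacamole-client must trust this certificate
# (it is validated against the default Java trust store)
server_certificate = /etc/guacamole/guacd.crt
server_key = /etc/guacamole/guacd.key

# /etc/guacamole/guacamole.properties  (web-app side: require TLS to guacd)
guacd-hostname: 10.0.0.5
guacd-port: 4822
guacd-ssl: true
```

With this in place the browser-to-webapp hop is HTTPS, the webapp-to-guacd hop is TLS, and the webapp still sees the Guacamole instructions it needs to handle. For the guacd-to-RDP-host hop, the connection parameters `security: tls` (or `nla`) with `ignore-cert` left unset give the same protection on the last leg.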
