Hi Joachim,
that's a very good explanation. Though it's surely a good idea to switch
to SHA256 fingerprint, there are two things that should be considered:
- Windows 10 is currently unable to present a SHA256 fingerprint to the
end-user when he is looking up the details of the RDP server
certificate, so there is no way for him to check whether the certificate
really matches.
- since the actual server certificate obviously hasn't changed after all
(although self-signed), freerdp2 shouldn't terrify the user by the
message "Certificate for xxx:3389 (RDP-Server) has changed!!!" and refer
to a potential MitM attack.
In my case, I had to inform our sys-admin that there is a potential
security breach. He will be happy that's just a change in representation
of fingerprint.
Regards
Stefan
On 17.04.2020 at 14:43, freerdp--- via FreeRDP-devel wrote:
Hi Stefan,
https://github.com/FreeRDP/FreeRDP/blob/2.0.0/ChangeLog "sha256 is now used
instead of sha1 to fingerprint certificates." - sha1 is considered insecure
in general. You can also question whether self-signed certs are secure at
all.. i.e. you are definitely better off using trusted certificates and
training your end users to cancel any connections with certificate
warnings/errors.
Good to know some distros pick up 2.0.0.
Best Regards, Joachim
-----Original Message-----
From: Stefan Sichler via FreeRDP-devel
<freerdp-devel@lists.sourceforge.net>
Sent: Friday, 17 April 2020 11:21
To: freerdp-devel@lists.sourceforge.net
Subject: [FreeRDP-devel] Certificate Thumbprint changed -> looks like a
security breach
Hi freerdp developers,
I'm using remmina / xfreerdp2 on a Linux Mint 19.3 x64 system, based on
Ubuntu 18.04.
When the freerdp2 package was recently updated to version
2.0.0~git202004061153-0+remmina202004061300.rc367f65.d287a1e7~ubuntu18.04.1
from the remmina-next ppa on launchpad,
suddenly the reported connection certificate thumbprint changed.
It is now obviously _different_ to the one reported by the RDP server
itself. I'm connecting to a Windows 10.
For me as end-user this looks like a security breach / MitM-attack.
Is this a known issue?
Can you please comment on this?
Thank you!
Best regards
Stefan
_______________________________________________
FreeRDP-devel mailing list
FreeRDP-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/freerdp-devel
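
Added example (not part of the original thread and not FreeRDP code): a way to tell a change of fingerprint algorithm apart from a changed certificate, by hashing the server certificate with both SHA-1 and SHA-256 and checking each displayed thumbprint against it. It assumes the certificate has been exported from the server as DER or PEM; `SAMPLE_DER` and all function names are constructed for illustration.

```python
import hashlib
import hmac
import re
import ssl

# Constructed stand-in for an exported certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"constructed stand-in for the RDP server certificate (DER bytes)"

# Length of the hex string tells us which digest a tool displayed.
HEXLEN_TO_ALGO = {40: "sha1", 64: "sha256"}


def load_der(data: bytes) -> bytes:
    """Accept a PEM or DER export and return the DER bytes that get hashed."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    return data


def fingerprints(der: bytes) -> dict:
    """Both thumbprints of the same certificate, as lowercase hex."""
    return {name: hashlib.new(name, der).hexdigest() for name in ("sha1", "sha256")}


def normalize(displayed: str) -> str:
    """Drop the colons/spaces that tools put between bytes; lowercase the rest."""
    return re.sub(r"[\s:]", "", displayed).lower()


def check_displayed(der: bytes, displayed: str) -> str:
    """Compare a thumbprint shown by some tool against the certificate itself."""
    shown = normalize(displayed)
    algo = HEXLEN_TO_ALGO.get(len(shown))
    if algo is None or not re.fullmatch(r"[0-9a-f]+", shown):
        return "unknown-format"
    ok = hmac.compare_digest(shown, fingerprints(der)[algo])
    return f"match-{algo}" if ok else f"mismatch-{algo}"


def same_certificate(der: bytes, old_fp: str, new_fp: str) -> bool:
    """True only if both thumbprints, whatever their algorithm, belong to `der`."""
    return all(check_displayed(der, fp).startswith("match-") for fp in (old_fp, new_fp))


if __name__ == "__main__":
    fps = fingerprints(SAMPLE_DER)
    print("SHA-1  :", fps["sha1"])
    print("SHA-256:", fps["sha256"])
    print(same_certificate(SAMPLE_DER, fps["sha1"].upper(), fps["sha256"]))
```

If `same_certificate` returns True for the thumbprint the server shows and the one the client shows, only the representation differs; any `mismatch-*` result means the displayed value does not belong to the exported certificate.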