Hi Stefan,
- if the end user digs up the certificate himself using RDP client, then this 
is a bad practice as well. If at all, then your admins should publish a list of 
"good" fingerprints.
- also the trustworthiness of the old sha1 stored is not given, thus any 
migration from sha1 to sha256 has to be considered insecure.
The only good solution is to install trusted certs.
Btw. I am not a developer of FreeRDP, only a user and security enthusiast.
Best Regards, Joachim

> -----Original Message-----
> From: Stefan Sichler via FreeRDP-devel <freerdp-devel@lists.sourceforge.net>
> Sent: Friday, 17 April 2020 15:27
> To: freerdp-devel@lists.sourceforge.net
> Subject: Re: [FreeRDP-devel] Certificate Thumbprint changed -> looks like a
> security breach
> 
> Hi Joachim,
> 
> that's a very good explanation. Though it's surely a good idea to switch
> to SHA256 fingerprint, two things should be considered:
> 
> - Windows 10 is currently unable to present a SHA256 fingerprint to the
> end-user when he is looking up the details of the RDP server
> certificate, so there is no way for him to check whether the certificate
> really matches.
> 
> - since the actual server certificate obviously hasn't changed after all
> (although self-signed), freerdp2 shouldn't terrify the user by the
> message "Certificate for xxx:3389 (RDP-Server) has changed!!!" and refer
> to a potential MitM attack.
> 
> In my case, I had to inform our sys-admin that there is a potential
> security breach. He will be happy that's just a change in representation
> of fingerprint.
> 
> Regards
> Stefan
> 
> 
> 
> 
> On 17.04.2020 at 14:43, freerdp--- via FreeRDP-devel wrote:
> > Hi Stefan,
> > https://github.com/FreeRDP/FreeRDP/blob/2.0.0/ChangeLog "sha256 is now
> > used instead of sha1 to fingerprint certificates." - sha1 is considered
> > insecure in general. You can also question whether self-signed certs are
> > secure at all.. i.e. you are definitely better off using trusted
> > certificates and training your end users to cancel any connections with
> > certificate warnings/errors.
> > Good to know some distros pick up 2.0.0.
> > Best Regards, Joachim
> >
> >
> >> -----Original Message-----
> >> From: Stefan Sichler via FreeRDP-devel
> >> <freerdp-devel@lists.sourceforge.net>
> >> Sent: Friday, 17 April 2020 11:21
> >> To: freerdp-devel@lists.sourceforge.net
> >> Subject: [FreeRDP-devel] Certificate Thumbprint changed -> looks like a
> >> security breach
> >>
> >> Hi freerdp developers,
> >>
> >> I'm using remmina / xfreerdp2 on a Linux Mint 19.3 x64 system, based on
> >> Ubuntu 18.04.
> >> When the freerdp2 package was recently updated to version
> >> 2.0.0~git202004061153-
> >> 0+remmina202004061300.rc367f65.d287a1e7~ubuntu18.04.1
> >> from the remmina-next ppa on launchpad,
> >> suddenly the reported connection certificate thumbprint changed.
> >>
> >> It is now obviously _different_ to the one reported by the RDP server
> >> itself. I'm connecting to a Windows 10.
> >>
> >> For me as end-user this looks like a security breach / MitM-attack.
> >> Is this a known issue?
> >>
> >> Can you please comment on this?
> >>
> >> Thank you!
> >> Best regards
> >> Stefan
> >>
> >>
> >> _______________________________________________
> >> FreeRDP-devel mailing list
> >> FreeRDP-devel@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/freerdp-devel
> >
> >
> 

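As an added example that is not part of this thread or of FreeRDP's code, the following Python shows the point both sides are circling: the SHA-1 and SHA-256 thumbprints of one unchanged certificate look completely unrelated, so a client that switches hash algorithms will show a "different" fingerprint, and the sensible reaction is to report the certificate as unchanged but unverified rather than as a MitM, while still refusing to turn an old first-use SHA-1 record into SHA-256 trust unless an admin-published fingerprint confirms it. The host name, the stored records and the certificate bytes are constructed for the demonstration; the function names are mine.

```python
"""Added example (not FreeRDP's own code): fingerprint a certificate with SHA-1
and SHA-256 and decide what a client should tell the user when the remembered
value was produced with a different hash algorithm than the one in use now."""
import hashlib
import hmac

# Constructed stand-in for the DER-encoded bytes of a server certificate; a
# real client hashes the certificate it received during the TLS handshake.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-certificate-bytes-for-demo"


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated uppercase hex digest of the DER bytes, the form in
    which RDP clients present a certificate thumbprint to the user."""
    if algo not in ("sha1", "sha256"):
        raise ValueError("unsupported fingerprint algorithm: %s" % algo)
    hexdigest = hashlib.new(algo, der).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2)).upper()


def check_server_cert(host, der, stored, published):
    """Decide what to report about the certificate presented by `host`.

    stored:    {host: (algo, fingerprint)} remembered on first use (TOFU)
    published: {host: sha256_fingerprint} distributed by the admins
    Returns (verdict, record); record is the (algo, fingerprint) pair the
    client may now store, or None when nothing should be written.
      "trusted"    - matches the admin-published list or a stored SHA-256 value
      "mismatch"   - a value on file does not match: treat as a possible MitM
      "unverified" - only an unverified first-use SHA-1 matches: the cert has
                     not changed, but that is no reason to upgrade trust
      "unknown"    - nothing on file; the user must verify out of band
    """
    sha256_fp = fingerprint(der, "sha256")
    if host in published:
        # The published list is authoritative; a mismatch here is the real alarm.
        if hmac.compare_digest(published[host], sha256_fp):
            return "trusted", ("sha256", sha256_fp)
        return "mismatch", None
    if host in stored:
        algo, old_fp = stored[host]
        # Compare in the algorithm the record was made with, so a hash-algorithm
        # switch in the client is not mistaken for a certificate change.
        if not hmac.compare_digest(old_fp, fingerprint(der, algo)):
            return "mismatch", None
        if algo == "sha1":
            # Same certificate as before, but the old record was never
            # verified and SHA-1 is deprecated: do not rewrite it as SHA-256.
            return "unverified", None
        return "trusted", ("sha256", sha256_fp)
    return "unknown", None


if __name__ == "__main__":
    host = "rdp.example.internal:3389"  # constructed host name
    sha1_fp = fingerprint(SAMPLE_DER, "sha1")
    sha256_fp = fingerprint(SAMPLE_DER, "sha256")
    print("SHA-1   :", sha1_fp)
    print("SHA-256 :", sha256_fp)
    # Old client stored SHA-1, new client computes SHA-256: the strings differ
    # although the certificate is identical.
    print(check_server_cert(host, SAMPLE_DER, {host: ("sha1", sha1_fp)}, {}))
    # An admin-published SHA-256 list settles the question.
    print(check_server_cert(host, SAMPLE_DER, {}, {host: sha256_fp}))
    # A different certificate checked against the published list.
    print(check_server_cert(host, SAMPLE_DER + b"!", {}, {host: sha256_fp}))
```

The comparison is always done in the algorithm the stored record was written with, which is what lets the client distinguish "the certificate changed" from "the client changed how it displays the same certificate"; the "unverified" verdict keeps the two cases apart without pretending the old first-use record proves anything.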