[
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16930050#comment-16930050
]
Michael Jumper commented on GUACAMOLE-880:
------------------------------------------
{quote}
For some more background on what is currently possible (and our penetration
test actually went a bit further): https://rtheory.net/analysis/guac/
{quote}
Doesn't the above post simply go over what can be done to any unencrypted web
application that provides a public API? Without something like TLS to guarantee
integrity, I would think it goes without saying that any malicious third party
would have the exact same capabilities as the legitimate user.
> Obfuscation of guacamole client protocol
> ----------------------------------------
>
> Key: GUACAMOLE-880
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-880
> Project: Guacamole
> Issue Type: Wish
> Components: guacamole-client, guacamole-server
> Reporter: Bolke de Bruin
> Priority: Major
> Labels: security
>
> One of the reasons we deploy guacamole is to limit data leakage
> possibilities. We recently had a audit on our infrastructure and it was shown
> that it was quite easy to leak out data through the guacamole protocol by
> creating special images inside the desktop and then using mitmproxy (python)
> and the guacamole python modules to capture the data inside those images.
> In order to limit the attack surface we would like to have obfuscation of the
> protocol if configured to do so. Of course this could be done by implementing
> a custom protocol, but it would be nice if Guacamole would have the
> facilities (hooks) to do this. One could think of allowing a custom function
> to encrypt/obfuscate the outgoing stream and attach into the javascript that
> decrypts the stream.
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
