[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2020-01-27 Thread Bolke de Bruin (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17024906#comment-17024906
 ] 

Bolke de Bruin commented on GUACAMOLE-880:
--

Will do. Thx.

> Obfuscation of guacamole client protocol
> 
>
> Key: GUACAMOLE-880
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-880
> Project: Guacamole
>  Issue Type: Wish
>  Components: guacamole-client, guacamole-server
>Reporter: Bolke de Bruin
>Priority: Major
>  Labels: security
>
> One of the reasons we deploy guacamole is to limit data leakage 
> possibilities. We recently had an audit on our infrastructure and it was shown 
> that it was quite easy to leak out data through the guacamole protocol by 
> creating special images inside the desktop and then using mitmproxy (python) 
> and the guacamole python modules to capture the data inside those images.
> In order to limit the attack surface we would like to have obfuscation of the 
> protocol if configured to do so. Of course this could be done by implementing 
> a custom protocol, but it would be nice if Guacamole would have the 
> facilities (hooks) to do this. One could think of allowing a custom function 
> to encrypt/obfuscate the outgoing stream and attach into the javascript that 
> decrypts the stream.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2020-01-27 Thread Mike Jumper (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17024720#comment-17024720
 ] 

Mike Jumper commented on GUACAMOLE-880:
---

I'll close this here as the general consensus within the project is that such 
changes (obfuscating the protocol in the hope that an attacker would not be 
able to read it, altering sent images in the hope that it will be sufficient to 
defeat steganographic transmission of data) do not make sense:

* With the main point of remote desktop being to interact with a system 
remotely, and with interaction requiring the transmission of visual 
information, it's not clear that it is possible to meaningfully defeat 
steganography without also rendering the remote desktop session unusable.
* With the point of a protocol being to have a standard of communication 
between two points, it is not possible to obfuscate the protocol in a way which 
would meaningfully impede the ability of a malicious user to consume the 
protocol, and doing so would indeed be security through obscurity. The system 
shouldn't rely on being difficult to understand. The system should be both 
secure and understandable.

[~bolke], if you do move forward with research and development here, and you 
end up with something which you believe achieves what you were originally 
looking for, feel free to reopen this and let us know your findings.



[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2019-09-17 Thread Nick Couchman (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16931934#comment-16931934
 ] 

Nick Couchman commented on GUACAMOLE-880:
-

[~bolke]: If you're willing to work on it and want to fork the code and submit 
a pull request, I'm happy to be part of the review process and see if it's 
something worth putting into the code.  My primary concerns for adding 
something like this would be:
* User experience - making sure that normal usage doesn't trigger 
false-positive alerts/alarms/etc.
* Performance - Making sure that such changes are not going to drastically 
impact resource utilization/requirements on either the server or the client.  
I'm most concerned about this from the perspective of the AngularJS application 
within the web browser.

I do think there is a level of practicality that will have to be considered, 
here - yes, multiple gigabytes of data were exfiltrated via an API; however, 
again, the point is that this was assuming the best case scenario for the pen 
tester - that is, they already had valid accounts and access to the data to do 
the test.  I'm not sure that the gravity of the situation is really accurately 
reflected by the pen test.  Layered security would either mitigate, detect, or 
correctly pinpoint the sources of these attacks, and I really do not believe 
that the EU is going to come after someone for GDPR violations simply because 
they use Guacamole and Guacamole doesn't 100% mitigate steganographic attacks.  
If you've properly done defense-in-depth at all layers, I believe that would be 
recognized and accepted by a reasonable governing body like the EU.



[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2019-09-17 Thread Bolke de Bruin (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16931141#comment-16931141
 ] 

Bolke de Bruin commented on GUACAMOLE-880:
--

[~Why4ArtThou] Unfortunately, I think you misunderstand the gravity of the 
situation. It was shown that multiple gigabytes could be exfiltrated in an 
automated fashion by using the python api. There was nothing visually required 
on the client side. I am aware of precious developer time: I am an Apache 
committer myself and contributor to several projects. The intention in this 
thread is to 1) make people aware of the situation, 2) see if we can get to an 
agreed course of action. This is to ensure developer time is not wasted. Finally, 
I am willing to put the time of my team into this or even hire someone that could 
address the issue that we are seeing and then bring it back to the community. I 
think that's worth a bit of discussion, right?

[~nick.couch...@yahoo.com] [~mike.jumper] Another avenue we were thinking of is 
to enable a kind of non-intrusive Turing test. I.e., by sampling how one uses the 
keyboard and mouse (not capturing keystrokes, but merely statistical tracking) 
we could determine (statistically) if a user is actually human. If not, we could 
force reidentification or a real Turing test (e.g. recaptcha-like). This does 
not interfere with the protocol and does not add noise to the images (although 
steganography detection could also trigger a Turing test). It would require being 
able to hook into the stream (a kind of filter) that is able to trigger the 
follow-up. What do you think?



[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2019-09-16 Thread Michael Jumper (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16931004#comment-16931004
 ] 

Michael Jumper commented on GUACAMOLE-880:
--

[~Why4ArtThou], please remain civil. Insults, name-calling, etc. are not 
acceptable here.

https://www.apache.org/foundation/policies/conduct.html



[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2019-09-16 Thread Robert McGunsterson (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16930988#comment-16930988
 ] 

Robert McGunsterson commented on GUACAMOLE-880:
---

This entire post is frustrating and annoying, it's a waste of good developer 
time on idiotic things.

As usual, a 'too-smart' security type person has raised a theoretical scenario 
and then the world needs to react to their theory.

The entire point of this program is to get data 'out' of a remote location, 
visually.

It's already slow enough as it is (seriously there needs to be work on latency 
and compression - it's bloody great for free and I appreciate the work, but 
it's hardly high performance); we don't need to be adding random noise to 
the data feed to satisfy a navel-gazing security guy.

Developers should be focused on bugs, performance, usability, features; this 
feature is silly.
OP, sorry, I'm trying to not be harsh but tell the person who raised this flag 
to you, to wake up. I'm sure someone with a good enough video camera and 
lens could extract data from your business from across the street through a 
window aimed at 2 or 3 monitors.

Sigh



[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2019-09-16 Thread Bolke de Bruin (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16930299#comment-16930299
 ] 

Bolke de Bruin commented on GUACAMOLE-880:
--

In short ;), I am asking if you would consider allowing patches that create the 
necessary facilities inside Guacamole to support this and to help guide us to 
do it at the right place. This would allow us to continue to use Guacamole, 
which is awesome, and not to resort to a fork or proprietary solution. I also 
think it would benefit the community.



[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2019-09-16 Thread Bolke de Bruin (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16930292#comment-16930292
 ] 

Bolke de Bruin commented on GUACAMOLE-880:
--

[~nick.couch...@yahoo.com] We have all those measures in place (okay except for 
metal detectors and cameras are not allowed by law). Our case for improving 
this with Guacamole is also not having to resort to more invasive measures for 
the users. In GDPR context it basically means that you need to do your best to 
limit the possibility for data leakage. This means if I am aware of such a risk 
I need to mitigate that risk. The approach I am suggesting is a mitigating 
measure.

Please also note that we did not take that website as the basis for our 
analysis. It was just an easy means to show what the security community thinks 
the attack surface to Guacamole currently is. As mentioned our teams were able 
to extract data really quickly.

[~mike.jumper] There are things you can do to detect steganography. See: 
[https://incoherency.co.uk/blog/stories/image-steganography.html] . And it 
seems that "Actually there are properties of images that meant that the noise 
introduced through stego is actually, especially for LSBR, VERY easy to 
detect." 
([https://www.cs.ox.ac.uk/teaching/materials15-16/advsec/advsec-notes-ch01234.pdf]
 - behind login, I'll see if I can get it open). As we control the data going 
out, adding noise would make steganography harder. If a detection mechanism 
would be in place (arguably outside Guacamole) it would be a major selling 
point for Guacamole.

Obviously, in case of encryption industry standards should be chosen. I never 
suggested to create our own encryption.

--
This message was sent by Atlassian Jira
(v8.3.2#803003)
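
The claim quoted in the comment above, that LSB replacement ("LSBR") is easy to detect, illustrated with an added example that is not part of the original thread or of Guacamole: a pairs-of-values chi-square check over an 8-bit grayscale frame. The frames, the `keystream_bytes` payload stand-in and the threshold of 3.0 are constructed assumptions; the third sample shows the false-positive risk on noise-dominated content.

```python
"""Pairs-of-values chi-square check for LSB replacement (added example).

All frames below are constructed 8-bit grayscale samples, not captures.
"""
import hashlib

WIDTH, HEIGHT = 128, 128


def keystream_bytes(label, n):
    """Deterministic high-entropy bytes (SHA-256 in counter mode).

    Hypothetical helper: a stand-in for compressed or encrypted data.
    """
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(label + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def desktop_frame():
    """Constructed desktop-like frame: 32 flat tiles, one gray level each."""
    pixels = []
    for y in range(HEIGHT):
        for x in range(WIDTH):
            tile = (y // 32) * 8 + (x // 16)      # 4 rows x 8 columns
            pixels.append(8 * tile + (tile % 3))  # one value pair per tile
    return pixels


def sample_with_randomised_lsbs(pixels, label=b"constructed-payload"):
    """Constructed positive sample: every LSB overwritten by keystream bits."""
    stream = keystream_bytes(label, len(pixels))
    return [(p & 0xFE) | (s & 1) for p, s in zip(pixels, stream)]


def noise_frame():
    """Constructed noise-dominated frame: every pixel is a keystream byte."""
    return list(keystream_bytes(b"constructed-noise", WIDTH * HEIGHT))


def pov_chi_square(pixels, min_pair_count=20):
    """Chi-square statistic over value pairs (2k, 2k+1).

    LSB replacement with high-entropy bits equalises the two counts of each
    pair. Under that hypothesis each populated pair contributes a chi-square
    term with one degree of freedom, so stat/dof is close to 1.
    Returns (stat, dof); sparsely populated pairs are skipped.
    """
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, dof = 0.0, 0
    for even in range(0, 256, 2):
        a, b = hist[even], hist[even + 1]
        if a + b < min_pair_count:
            continue
        stat += (a - b) ** 2 / (a + b)
        dof += 1
    return stat, dof


def lsb_replacement_suspected(pixels, threshold=3.0, min_pairs=8):
    """Flag a frame whose pair counts look equalised.

    The threshold on stat/dof is an assumed value for this example; the
    classic test converts the statistic to a p-value instead.
    """
    stat, dof = pov_chi_square(pixels)
    if dof < min_pairs:
        return False  # too few populated pairs to decide either way
    return stat / dof < threshold


def report():
    """Run the check over the three constructed samples."""
    cover = desktop_frame()
    samples = {
        "flat desktop frame": cover,
        "same frame, LSBs overwritten": sample_with_randomised_lsbs(cover),
        "noise-dominated frame": noise_frame(),
    }
    return {name: lsb_replacement_suspected(px) for name, px in samples.items()}


if __name__ == "__main__":
    for name, flagged in report().items():
        print(f"{name:30s} suspected={flagged}")
```

The noise-dominated frame is flagged although nothing was embedded in it, which is the false-positive concern raised elsewhere in this thread.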


[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2019-09-15 Thread Nick Couchman (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16930169#comment-16930169
 ] 

Nick Couchman commented on GUACAMOLE-880:
-

One other note regarding the page sent over 
(https://rtheory.net/analysis/guac/) - the Summary section at the bottom says:

{quote}
So, if you’re using guac in an unencrypted/decrypted environment, here is what 
you can see from a packet capture:
{quote}

So, it would seem that whoever did that analysis is admitting that the primary 
threat is if your traffic is not encrypted or can be intercepted in plain-text. 
Most of the threats in that page 1) would be mitigated by proper TLS 
encryption, and 2) exist in any application that is not properly encrypted.  
Obviously insider threats and steganography are an exception to that, but that 
does not seem to be the primary concern of the aforementioned page.



[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2019-09-15 Thread Nick Couchman (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16930124#comment-16930124
 ] 

Nick Couchman commented on GUACAMOLE-880:
-

The other thing that I would add to what Mike said is that I don't think you 
need this feature in order to implement "defense in depth."  I would say that 
in a standard Guacamole deployment you would (should) implement the following 
layers of security:

* Ability to authenticate to Guacamole in the first place. (= Walking into the 
building with a valid pass.)
* TLS encryption of the data streams ( = Cloak of invisibility while you walk 
:-)
* Ability to authenticate to the remote desktop system (RDP/SSH/etc.; = Walking 
into the 10th floor office with a valid pass.).
* Authorization to access the correct data (access control lists; = The key to 
the file cabinet).
* Accountability for the data they access (auditing; = A camera watching them 
do all of these things, and someone looking at the document they pull from the 
file cabinet and making a record of it.).

I would be shocked if a company were held liable for GDPR violations simply on 
the fact that they used Guacamole and Guacamole did not offer this layer of 
protection against steganographic attacks - my guess is that you would have to 
ignore/violate several of the other layers in order to be held liable for 
something done by a determined insider.



[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2019-09-15 Thread Michael Jumper (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16930104#comment-16930104
 ] 

Michael Jumper commented on GUACAMOLE-880:
--

[~bolke], it's not a corner case or an invalid use case (as you note, 
restricting the easy flow of data is part of the reasoning behind 
GUACAMOLE-381). Steganographic retransmission of data that is intended to be 
isolated to the machine being accessed is a legitimate concern for such an 
environment. If there is a known, accepted way to meaningfully defeat 
steganography, I'm sure we are open to it. Do you have examples of defenses 
which are known to be effective?

Just as it's not recommended to write your own encryption algorithms with the 
expectation that they are secure, I don't think we can just throw noise into 
transmitted images with the hope that steganography will then be too difficult. 
There would need to be a solution that can be proven to work, or at least one 
that is accepted as a solution by those that are experts in the field.

My expectation (though I would be happy to be proven wrong) is that no such 
solution exists. In general, for any remote desktop protocol, graphics and 
timing data must have a reasonable degree of fidelity, and it's an unfortunate 
reality that those same graphics and timing data can be used for covert 
transmission of other data. As long as the graphics are still readable / usable 
by the users of the system, they can function as a channel for steganographic 
transmission of data, even if that channel is lossy. As such, my understanding 
is that it is not possible to defeat steganography without simultaneously 
making the system unusable.

As for the final point of the protocol itself being easy to parse, or the API 
being accessible ... There will always exist libraries for parsing the 
Guacamole protocol, and part of good library/protocol design is that those 
libraries and that protocol remain that way. While the merits of possible 
defenses to steganography are worth discussing, I don't think there is any 
security basis for trying to make the protocol or API more complex and hoping 
attackers will not want to bother.



[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2019-09-15 Thread Bolke de Bruin (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16930080#comment-16930080
 ] 

Bolke de Bruin commented on GUACAMOLE-880:
--

[~nick.couch...@yahoo.com] Why do you think it is a corner case? We deploy 
guacamole desktops to 500+ users around the globe with many more in the 
pipeline. I don't know all of them personally and statistically there are going 
to be malevolent users. It only takes _one_ user to get me a fine of up to 
10Mio or 2% annual revenue (GDPR) as someone could argue the risk was raised 
but we did not take enough action. Besides, given the fact that a pentester 
tried it and succeeded quite easily it is bound to be known in less respectful 
communities.

One employs security in a layered fashion. I see this as the equivalent of 
someone entering the building with a valid pass, but then to let him out 
carrying equipment because the gate is so wide that anything passes through. 
Let's make it possible to limit the size of the gate: it won't solve the issue 
but someone might not even try or will get caught quicker.



[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2019-09-15 Thread Nick Couchman (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16930077#comment-16930077
 ] 

Nick Couchman commented on GUACAMOLE-880:
-

{quote}
you probably assume an external attacker. 
{quote}

I try not to make assumptions about where the attacker is, but given the 
information you were posting, yes, I was assuming someone intercepting data 
somewhere in between the client and the server, probably between the web 
browser and Guacamole Client (given that you're concerned about the API).  
Particularly since you mentioned "Man-in-the-Middle" (MITM) proxying/attacks, 
that usually denotes someone not welcome in the connection, which means an 
external (= 3rd party) attacker.

{quote}
Now assume we have an attacker that has valid credentials. TLS doesn't really 
matter in that circumstance.
{quote}

Of course.  That assumes that the person who is validly using the connection is 
(also) misusing the connection.  If an attacker has gone to the trouble of 
taking apart the API and figured out how to either encode data within the 
images or scrape data off the screen, do we think that making it slightly more 
difficult to figure out the API calls is actually going to stop them?

{quote}
I might be stretching the use case for Guacamole. However, imho it's a valid 
one: Use guacamole as gateway to limit the attack surface to your servers and 
limit possible data leakage (good sell in the enterprise world I assure you).
{quote}

My gut feeling is that this is a pretty deep corner case, and since it doesn't 
actually fully resolve it, I'm having a hard time seeing the value in it.



[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2019-09-15 Thread Bolke de Bruin (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16930057#comment-16930057
 ] 

Bolke de Bruin commented on GUACAMOLE-880:
--

Correct. The aim would be to make it more difficult for a malevolent user to 
parse the data that was received. Some thoughts are:

1) Add a little bit of noise to the data, which the human eye can't see but will 
change the data being parsed or even prevent it from parsing

2) Encrypt the channel with a symmetric key which is hidden inside 
uglified/obfuscated javascript. This is what some banks are using.

3) ?

Again it is not the aim to stop it, but rather to make it more difficult so 
that anyone trying this would look "next door" first.



[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2019-09-15 Thread Nick Couchman (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16930056#comment-16930056
 ] 

Nick Couchman commented on GUACAMOLE-880:
-

{quote}
Doesn't the above post simply go over what can be done to any unencrypted web 
application that provides a public API? Without something like TLS to guarantee 
integrity, I would think it goes without saying that any malicious third party 
would have the exact same capabilities as the legitimate user.
{quote}

+1

[~bolke]: I fail to see how, with *properly secured* connections (verified, 
uncompromised TLS connections), any of the analysis on that page is possible?   
I also fail to see how this differs from pretty much any other network 
application out there - web (HTTPS), RDP, SSH, etc.?  Can you explain why you 
think that Guacamole needs this extra layer of obfuscation where RDP and SSH 
don't?



[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2019-09-15 Thread Michael Jumper (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16930050#comment-16930050
 ] 

Michael Jumper commented on GUACAMOLE-880:
--

{quote}
For some more background on what is currently possible (and our penetration 
test actually went a bit further): https://rtheory.net/analysis/guac/
{quote}

Doesn't the above post simply go over what can be done to any unencrypted web 
application that provides a public API? Without something like TLS to guarantee 
integrity, I would think it goes without saying that any malicious third party 
would have the exact same capabilities as the legitimate user.



[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2019-09-15 Thread Michael Jumper (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16930049#comment-16930049
 ] 

Michael Jumper commented on GUACAMOLE-880:
--

My understanding is:

# It is possible to generate an image which encodes arbitrary data graphically, 
and to retrieve that data from that image.
# Libraries exist for parsing Guacamole protocol data, which inherently 
contains graphics.
# It is therefore possible to encode arbitrary data such that Guacamole will 
transmit it graphically, parse the Guacamole protocol using an available 
library, and ultimately decode that data.

Am I missing something above?



[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2019-09-15 Thread Bolke de Bruin (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16930045#comment-16930045
 ] 

Bolke de Bruin commented on GUACAMOLE-880:
--

For some more background on what is currently possible (and our penetration 
test actually went a bit further): https://rtheory.net/analysis/guac/



[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2019-09-15 Thread Bolke de Bruin (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16930024#comment-16930024
 ] 

Bolke de Bruin commented on GUACAMOLE-880:
--

Michael,

Frankly, this feels like a paternalistic answer. I am quite aware what security 
through obscurity is, hence I named the subject of this issue “obfuscation” 
with the aim to limit the attack surface not to solve it. Obfuscation is _one_ 
of the layers in security. It creates a hurdle so that a casual hacker is deviated 
to easier means rather than have script kiddie tooling available that makes it 
really easy to download large amounts of data.

Also gathering from your answer “Use SSL” you don’t seem to understand the 
actual issue. While the brain can dissect information on a screen it is unable 
to download large amounts of data and spread this information as is. With GDPR 
and equivalents this is a real risk and businesses need to make it as difficult 
as possible (requirement by law) to ensure data leakage does not happen. 
Guacamole has easy means for data leakage available: it even provides a 
framework for it. 

While my suggested solution might not be the right thing, I would appreciate a 
proper discussion. A blanket “invalid” seems to ignore any real world 
applications.  We don't mind putting in work ourselves, but we wanted it to 
benefit the community. 

Cheers



[jira] [Commented] (GUACAMOLE-880) Obfuscation of guacamole client protocol

2019-09-15 Thread Michael Jumper (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16930017#comment-16930017
 ] 

Michael Jumper commented on GUACAMOLE-880:
--

There is no level of obfuscation which would prevent the legitimate users of 
any remote desktop protocol from obtaining information from the graphical 
content of their own sessions, at least without making things unusable. 
Obtaining information from received graphics is exactly what the human brain 
does when it accesses a remote desktop. You cannot prevent this. Any attempt to 
obfuscate things while still allowing the remote desktop to be usable would 
amount to [security through 
obscurity|https://en.wikipedia.org/wiki/Security_through_obscurity].

As far as ensuring that users external to a remote desktop session cannot 
capture the content of other sessions, Guacamole already supports this through 
encryption. It is expected that Guacamole deployments will use SSL/TLS in front 
of the web application in production. If needed in your use case, you can also 
enable SSL/TLS between the web application and guacd.
