Hi Nick,

Very well explained and thanks for the detailed information.

Yes, I can say that SSL inspection is definitely turned on, because the SSL certificate presented is from ZScaler, not from my web server. As such, they do have the means to hijack the authentication using tokens. But I guess it will only be effective for the validity of the session; e.g. with 2FA it will be harder to create new sessions once the old one expires.

Thanks and Regards,
Don

On Tuesday, 6 December 2022 at 10:36:39 am SGT, Nick Couchman <vn...@apache.org> wrote:

On Mon, Dec 5, 2022 at 9:20 PM Michael Jumper <mjum...@apache.org> wrote:
>
> On Mon, Dec 5, 2022 at 5:35 PM Don Eugene Paul Viado
> <depa...@yahoo.com.invalid> wrote:
>>
>> Hi,
>>
>> If Guacamole is accessed from a transparent proxy environment, e.g.
>> (About SSL Inspection | Zscaler), may I know what kind of information can be
>> extracted or replayed? Does Guacamole support perfect forward secrecy on sessions?
>> Is there a possibility to see the user sessions in the clear or, worse, access
>> Guacamole without authentication?
>> I assume that in such a case it will be limited to the session that was
>> captured and is not able to compromise the entire Guacamole without proper
>> authentication and 2FA?
>> Hope someone can provide more input on how to better tighten the security of
>> Guacamole in such environments.
>
>
> Guacamole relies on SSL/TLS for security of the connection to the server. You
> should not use _any_ web application in an environment where you cannot trust
> TLS.
>
> I don't believe there is any countermeasure that could be developed that a
> corporate firewall vendor would not eventually work around. TLS is already
> designed to do exactly this.
>
Just to add a bit more context to this, as my Day Job uses Zscaler, let's be clear about what capabilities of Zscaler we're talking about:

* Transparent Proxy - aka Zero Trust, is the VPN replacement functionality of Zscaler, and simply proxies traffic between a remote endpoint (client laptop/desktop/phone) and internal, protected resources (servers, applications, etc.). I'm sure there are a variety of configurations that can be done with this, but my Day Job configuration does NOT do interception of SSL traffic between the client endpoints and protected, internal resources. This means my Guacamole sessions are not intercepted and decrypted by Zscaler. Again, I'm sure there are a variety of configurations, but just because a company is using Zscaler as a zero-trust VPN replacement does not mean that it is decrypting all of that traffic.

* SSL Inspection - This is generally done for malware protection and legal compliance, and involves the Zscaler service intercepting HTTPS (SSL/TLS) traffic, decrypting it, inspecting it, and then re-writing it. This would mean that the intermediate system (Zscaler) would have access to the unencrypted Guacamole traffic, including keystrokes and mouse movement, credentials, and image data returned from the remote system. As Mike points out, Guacamole relies on you being able to trust the entire SSL/TLS chain, so if you can't trust Zscaler's SSL Inspection, you can't trust the connection. I'm sure Zscaler has policies about what is done with the intercepted sessions and data, as there would be a lot of sensitive data that would pass through SSL inspection (banking, PII, government, etc.).

THAT SAID - there are a couple of things to caveat this with:

* Just because SSL inspection is being done does not mean that the authentication mechanisms of Guacamole would be bypassed. Someone abusing/exploiting the Zscaler intermediate system would still have to obtain the credentials and log in to the remote Guacamole server, and then have the credentials for the remote system and log in to that. Yes, they'd be able to obtain those credentials, or watch the traffic passing back and forth, but just because there is some MITM (legit or otherwise) between client and Guacamole doesn't mean that all of the authentication mechanisms are suddenly bypassed or ineffective. They could potentially leverage other attacks - trying to inject data into the session, or reuse an existing token - but those things are likely going to generate disruptions that will become obvious and not allow the attacker to remain hidden.

* SSL Inspection is not something that is generally 100% hidden. You can see when this is happening by inspecting the certificate of the remote server and making sure it is the one you expect and trust. When Zscaler does SSL inspection, it has to *replace* the certificate presented to the client with one that it generates on its own. Other SSL inspection (DPI) solutions do the same thing - in my previous life we used Palo Alto's SSL inspection mechanism, and it worked exactly the same way. The upshot is that, if you look at the SSL certificate for the Guacamole server on the client (browser) side, you'll see evidence of the SSL inspection in the form of a wildcard certificate issued by Zscaler (Palo Alto, etc.) instead of the specific certificate for your Guacamole server. A lot of companies (like the one I work for) install the Zscaler wildcard as a trusted certificate on all of the systems that they deploy so that users won't be bothered with warnings about insecure sites, but you can still see it if you look. Obviously teaching your users to go look may not be what you want to do, but the point is that there is something that indicates that a certificate switch has been made.
-Nick
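An added example, not from Nick's message or the Guacamole project, of the certificate check his second caveat describes: it fetches the leaf certificate the client actually sees (Python's standard `ssl` module, trusting the system store exactly as a managed laptop would) and compares its issuer, and optionally a pinned SHA-256 fingerprint, with what the Guacamole administrator expects. The host name, issuer names and sample certificate dictionaries are constructed placeholders shaped like `getpeercert()` output.

```python
import hashlib
import socket
import ssl

def peer_cert(host, port=443, timeout=5):
    """Return (parsed_cert, der_bytes) for the leaf certificate presented to this client."""
    # An inspection CA installed as trusted validates cleanly here; check_cert() spots the swap.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)

def fingerprint(der):
    """SHA-256 of the DER-encoded leaf: the value to record (pin) for the real server."""
    return hashlib.sha256(der).hexdigest()

def name_value(name, key):
    # getpeercert() encodes X.509 names as a tuple of RDNs, each a tuple of (type, value).
    for rdn in name:
        for attr_type, value in rdn:
            if attr_type == key:
                return value
    return None

def check_cert(cert, expected_issuer_cn, der=None, expected_sha256=None):
    """Return (ok, reason); ok is False when the presented leaf is not the expected one."""
    issuer_cn = name_value(cert.get("issuer", ()), "commonName")
    subject_cn = name_value(cert.get("subject", ()), "commonName") or ""
    if issuer_cn != expected_issuer_cn:
        return False, f"issuer '{issuer_cn}' differs from expected '{expected_issuer_cn}'"
    if der is not None and expected_sha256 is not None:
        seen = fingerprint(der)
        if seen != expected_sha256.lower():
            return False, f"leaf fingerprint {seen} does not match the pinned value"
    if subject_cn.startswith("*."):
        return True, f"issuer matches but subject '{subject_cn}' is a wildcard; verify the pin"
    return True, "certificate matches expectations"

# Constructed sample values shaped like getpeercert() output (not real certificates).
EXPECTED_ISSUER = "Example Internal CA"
DIRECT_CERT = {"subject": ((("commonName", "guac.example.internal"),),),
               "issuer": ((("commonName", EXPECTED_ISSUER),),)}
INSPECTED_CERT = {"subject": ((("commonName", "*.example.internal"),),),
                  "issuer": ((("commonName", "Corporate SSL Inspection CA"),),)}

if __name__ == "__main__":
    for label, cert in (("direct", DIRECT_CERT), ("inspected", INSPECTED_CERT)):
        print(label, check_cert(cert, EXPECTED_ISSUER))
```

Against a live host, `cert, der = peer_cert("guac.example.internal")` followed by `check_cert(cert, EXPECTED_ISSUER, der, pinned_sha256)` gives the same verdict; record the fingerprint once from a network path you know is not inspected.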