[X2Go-User] RHEL 7 beta

GZ Nianguan E.T. opensource at gznianguan.com
Wed Mar 19 11:46:57 CET 2014


Yes there is indeed a chance of exploiting holes in codecs etc...
but how's that any bigger an issue than it is for EVERY user in the world 
that views video on their desktop anyway?  This is certainly not a 
bigger concern on a netbooted stateless thin client than it would be on 
your average desktop setup, now is it?

Sure... a transcoder can be thrown into "the mix" but that kind of goes 
against the basic core idea of being gentle with the server side 
resources.
But who is to say the transcoder would not be the actual target for 
attack..?

Security issues with codecs tend to get fixed just as security holes in 
SSH related stuff tend to be taken care of...
Quite frankly I would be just as concerned about security holes in the 
nxproxying and pulse audio... (and I seem to remember some very real and 
very serious cupsd issues some time ago...)

Just simply always get the latest security updates for the stuff you're 
running....

In use cases with need for extreme security, you would probably not want 
to be trusting your "graphical firewall" client software either, to be 
running on your sensitive hardware.

If you're in possession of something that someone with resources really 
wants... and you're targeted... you're targeted... and your "graphical 
firewall" could turn into their entry point... be it X2Go, RDP, Citrix 
or VNC or whatever else...

Anyway, do not worry! You will not be forced to run Telekinesis or 
mTelePlayer... it will be a separate package you would need to 
explicitly install.
-GZNGET


On 03/19/2014 08:47 AM, Stefan Baur wrote:
> On 19.03.2014 08:21, GZ Nianguan E.T. wrote:
>> As for client side requiring support for the media format...
>> The alternative is to turn everything into a "known" format on the server
>> side...(transcoding?) which just takes too much server resources...
>> and introduces a bunch of other issues...  In a linux thin client
>> environment distributing new codecs or updates to existing codecs is not
>> a big deal.. As for clients running as an application on traditional
>> desktops, we may integrate some form of codec distribution system.
>
> There is a security tradeoff here, though:
> For the average Joe, who just wants to play videos and doesn't care
> about security, your solution will work just fine, but if you're using
> X2Go as a "graphic firewall", where only images and sounds are passed to
> the client, you cannot use Telekinesis, since you're running an
> unchanged audio/video stream - and there have been exploits that work by
> passing a specially crafted image file/audio/video stream. So all of a
> sudden you're executing malicious code on your client. Transcoding into
> a known format would lower the chance of that happening (because the
> attacker would have to craft his file/stream in a way that it does its
> nasty deed *after* being transcoded), but it would not eliminate it
> entirely.
>
> -Stefan
>