Package: remmina-plugin-nx
Version: 1.0.0-6
Severity: important

Hi.

A recent discussion[0] at turned (to my very big surprise) out, that NX/X2Go doesn't work like VNC/RDP (i.e. that it more or less sends the pixbuffers which are locally drawn), but rather that there is some direct injection of the remote's X clients' X protocol into the local X server.

At upstream it was compared with running "ssh -X" respectively plain X forwarding (after some xauth)...

As we all know, plain X forwarding has many serious security implications, which basically means that no sane person will/should ever use it unless the remote host is fully trusted.

To my understanding, this is typically not the case with VNC/RDP/NX... people often use it to connect to systems out of their control.
Moreover, I guess many people expect NX to work conceptually more like VNC/RDP, i.e. just drawing images (in a very sophisticated way), which is probably more secure[1] than directly going into the X server.

a) I started a discussion upstream, whether one could make this somehow better/more secure (my poor man's understanding would be that using a nested X server (like Xephyr) for the communication with the remote NX could perhaps help - but that's just guessing)... but it will at least take a lot of time until anything comes out there (if at all).

b) To tell people about what really happens, I think the Debian package should include a warning in the package description, that NX/X2Go technology is much more like plain X forwarding, with all its security implications.

In the case of the remmina source package, this should go to:
remmina-plugin-nx

Thanks,
Chris.

[0] http://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=258
[1] Obviously secure for the local server - I don't talk about the network communication between remote and local server which is pretty bad for VNC/RDP, unless tunneled.