
ExpectOrigin as a cmdline option

Open sebstyle opened this issue 4 years ago • 2 comments

Imho ExpectOrigin should not be an authentication method but an option one can pass on the command line.

It adds another obstacle for a malicious user to overcome but should not be relied upon for authentication because Origin can be spoofed.

sebstyle avatar Jul 01 '20 16:07 sebstyle

websockify is more of a testing tool than a production ready system, so any authentication should be taken with some caution.

I don't think we should remove this, but we could put some comment on it about risks.

CendioOssman avatar Jul 02 '20 07:07 CendioOssman

Origin can be spoofed by a malicious program, but not by a webpage. This distinction is relevant to mitigating the following scenario:

  • The websockify server lives behind a firewall; it is not publicly accessible.
  • The user password for the service behind websockify (e.g. novnc) is compromised by an attacker.
  • The user of a computer on the private LAN opens a webpage controlled by the attacker. Now the attacker's page can connect to the websockified service if Origin has not been checked, and will authenticate.

The risks of operating websockify on a LAN without ExpectOrigin should not be understated. Obviously unsandboxed malware on the LAN can spoof Origin regardless, but this requires a browser exploit in the scenario described.

therontarigo avatar Jan 31 '23 20:01 therontarigo
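The scenario above turns on one property: a web page cannot choose the `Origin` header its browser sends on a WebSocket handshake, so an allowlist check on that header stops the cross-site connection even when the downstream password is already known. The following is an added example of such a check, written for this thread and not taken from websockify itself; the handshake requests, hostnames (`novnc.internal`, `attacker.example`) and function names are constructed for illustration, and the treatment of a missing `Origin` header is this example's own policy choice, not a statement of how websockify's ExpectOrigin behaves.

```python
# Added example (not websockify's own code): an Origin allowlist check in the
# spirit of ExpectOrigin, applied to raw WebSocket handshake requests.
# All names and sample requests are constructed for illustration.
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Parse the header block of an HTTP/1.1 upgrade request.
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:          # lines[0] is the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def normalize_origin(origin: str) -> Optional[str]:
    """Reduce an Origin value to scheme://host[:port] with the default port
    dropped, so 'HTTPS://App.Example:443' compares equal to 'https://app.example'.
    Returns None for opaque origins ('null') or anything that is not http(s)."""
    parts = urlsplit(origin.strip().lower())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    default = 80 if parts.scheme == "http" else 443
    if port is None or port == default:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def build_allowlist(entries) -> Set[str]:
    """Normalize the configured origins once so comparison is exact-match."""
    allowed = set()
    for entry in entries:
        norm = normalize_origin(entry)
        if norm is None:
            raise ValueError(f"not a usable origin in allowlist: {entry!r}")
        allowed.add(norm)
    return allowed


def origin_allowed(headers: Dict[str, str], allowlist: Set[str],
                   allow_missing: bool = False) -> Tuple[bool, str]:
    """Decide whether the handshake may proceed under an Origin allowlist.

    Browsers always attach Origin to a WebSocket handshake, so a request
    without one did not come from a web page. Such a client can set any
    header it likes anyway, so the check only ever defends against pages;
    this example rejects a missing Origin by default and lets the operator
    opt in to passing it through (the downstream service auth still applies).
    """
    origin = headers.get("origin")
    if origin is None:
        if allow_missing:
            return True, "no Origin header: non-browser client passed through"
        return False, "no Origin header and allow_missing is off"
    norm = normalize_origin(origin)
    if norm is None:
        return False, f"opaque or unparseable Origin {origin!r}"
    if norm in allowlist:
        return True, f"Origin {norm} is allowlisted"
    return False, f"Origin {norm} is not allowlisted"


def check_handshake(raw: bytes, allowlist: Set[str],
                    allow_missing: bool = False) -> Tuple[bool, str]:
    """Convenience wrapper: parse the raw request and apply the check."""
    return origin_allowed(parse_headers(raw), allowlist, allow_missing)


# Constructed sample handshakes for the scenario in the thread.
ALLOWLIST = build_allowlist(["https://novnc.internal"])

LEGIT_PAGE = (b"GET /websockify HTTP/1.1\r\nHost: novnc.internal:6080\r\n"
              b"Upgrade: websocket\r\nConnection: Upgrade\r\n"
              b"Origin: https://novnc.internal\r\n"
              b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
              b"Sec-WebSocket-Version: 13\r\n\r\n")
# Same page, but the browser spelled the origin with a default port and caps.
LEGIT_ODD_CASE = LEGIT_PAGE.replace(b"Origin: https://novnc.internal",
                                    b"Origin: HTTPS://NoVNC.internal:443")
# The attacker-controlled page from the scenario: browser sets its real origin.
ATTACKER_PAGE = LEGIT_PAGE.replace(b"Origin: https://novnc.internal",
                                   b"Origin: https://attacker.example")
# A sandboxed iframe or file:// page sends the opaque origin 'null'.
NULL_ORIGIN = LEGIT_PAGE.replace(b"Origin: https://novnc.internal",
                                 b"Origin: null")
# A non-browser client that sends no Origin at all.
NO_ORIGIN = LEGIT_PAGE.replace(b"Origin: https://novnc.internal\r\n", b"")

if __name__ == "__main__":
    for label, req in [("legit", LEGIT_PAGE), ("legit odd case", LEGIT_ODD_CASE),
                       ("attacker page", ATTACKER_PAGE), ("null origin", NULL_ORIGIN),
                       ("no origin", NO_ORIGIN)]:
        ok, why = check_handshake(req, ALLOWLIST)
        print(f"{label:15s} -> {'ALLOW' if ok else 'REJECT'}: {why}")
```

The point the example makes concrete is the one in the comment above: the attacker's page is refused on the handshake, before any password is seen, because the browser, not the page, writes the `Origin` header. The normalization step matters in practice, since a literal string comparison would wrongly reject a browser that includes the default port or different casing for the same site. Logging the rejection reason gives defenders a cheap signal: a burst of handshakes rejected with an unexpected origin from inside the LAN is exactly the cross-site scenario being described.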