NX Security (was [FreeNX-kNX] Re: got: "cannot create directory `/home/.nx'")

freenx at mikebell.org freenx at mikebell.org
Wed Oct 20 00:43:17 UTC 2004


On Wed, Oct 20, 2004 at 02:02:00AM +0200, Kurt Pfeifle wrote:
> Which "SSL forwarding features"??

Apologies, tunneling. The feature which does not use an unencrypted
connection for the NX data, the exact details of whose operation I have
been trying to ascertain.

> They should better give up using NX altogether then.
> 
> I really pity those users "who don't feel comfortable with the NX 
> user".

So you feel pity for someone who doesn't feel comfortable with something
about which valid issues have been raised, with only the response
"that's not an issue, though I won't explain why."? You presumably also
feel pity for anyone who doesn't simply trust that ActiveX is a secure
browser technology. :)

_No one_ should feel comfortable with any program to a greater degree
than they understand it, or trust someone more knowledgeable who does
understand it.

NX as a solution is very complicated; it crosses both machine boundaries
and local privilege boundaries. Every user should be extremely
cautious about running it, the same as users should be cautious about
running sshd. I'm not saying that sshd is insecure, but because of the
task it does it has had to earn the trust people place in it with a lot
of people questioning every aspect of its operation. This is a GOOD
THING.

Finally, I'd like to point out that while that news post you pointed out
does say the problem with ssh forwarding has been fixed as of about 2
months ago, that necessarily implies that everyone running the software
BEFORE that point was open to be used as an anonymous relay for any TCP
traffic someone with their host key might desire. Maybe that was the
only such problem with NX, but one should never need more reason than this
to be at least a little suspicious! And it most assuredly proves without
a shadow of a doubt that NX does /not/ simply have the security of ssh!
Since merely running ssh on my system does not leave me vulnerable to
such exploitation, NX has introduced a new vector of attack on my
system, at least for anyone possessing the host key in question.


