[Dshield] How secure IS GoToMyPC?

M Cook dshieldlists at versateam.com
Thu Jun 17 20:15:05 GMT 2004


If I'm not mistaken, GoToMyPC has been purchased by Citrix, so it isn't 
exactly a fly-by-night outfit. Not that big companies are immune from 
encounters with malicious software or people, but at least one might 
assume Citrix would try to protect its name.

They claim that the connections are encrypted. In other words, they talk 
a good game. I'd like to audit the encryption, to see if they really do 
set up a tunnel which they can't intercept, or if they are by definition 
the "man in the middle" (which I think is likely) with access to the 
unencrypted stream.

The primary functionality is to give an operator the ability from afar 
to control a PC. Yes, the PC being controlled is inside the firewall and 
the operator likely outside. On the other hand, the primary thing 
traveling through the firewall is screen and possibly printer output, or 
keyboard, and mouse input. To cause problems, a malicious file would 
have to be uploaded via a file transfer, then executed. While the 
uploading would take place over the encrypted channel, once the file hit 
the file system the AV software could check it. That doesn't mitigate 
that risk completely, and we can all think of openings for nasty things, 
but it is much different from a PC outside the firewall becoming a part 
of the network via a VPN. Perhaps there's a way to turn off the file 
transfer capability -- that would also make it difficult to download, 
say, an Access database containing company secrets or private healthcare 
information, along with making it slightly harder to upload malware. (Of 
course malware could be downloaded via the PC's web browser too from the 
public Internet, unless that sort of thing is blocked at the firewall.)

I agree that a well designed web application can handle all the 
authentication and encryption issues directly while opening none of the 
vulnerabilities we can envision. On the other hand, GoToMyPC isn't quite 
as bad as others on the list have implied. Almost, but not quite.

Alan Frayer wrote:

> I have a potential client who has been suggesting they want to remotely 
> access critical data using GoToMyPC, rather than placing the data in a 
> web-accessible, password-protected read-only database.
> 
> Which approach to accessing the data remotely would be more secure? Am I 
> missing something?



