[Dshield] How secure IS GoToMyPC?
dshieldlists at versateam.com
Thu Jun 17 20:15:05 GMT 2004
If I'm not mistaken, GoToMyPC has been purchased by Citrix, so it isn't
exactly a fly-by-night outfit. Not that big companies are immune from
encounters with malicious software or people, but at least one might
assume Citrix would try to protect its name.
They claim that the connections are encrypted. In other words, they talk
a good game. I'd like to audit the encryption, to see if they really do
set up a tunnel which they can't intercept, or if they are by definition
the "man in the middle" (which I think is likely) with access to the
The primary functionality is to give an operator the ability from afar
to control a PC. Yes the PC being controlled is inside the firewall and
the operator likely outside. On the other hand, the primary thing
traveling through the firewall is screen and possibly printer output, or
keyboard, and mouse input. To cause problems, a malicious file would
have to be uploaded via a file tranfer, then executed. While the
uploading would take place over the encrypted channel, once the file hit
the file system the AV software could check it. That doesn't mitigate
that risk completely, and we can all think of openings for nasty things,
but it is much different from a PC outside the firewall becoming a part
of the network via a VPN. Perhaps there's a way to turn off the file
transfer capability -- that would also make it difficult to download,
say, an Access database containing company secrets or private healthcare
information, along with making it slightly harder to upload malware. (Of
course malware could be donloaded via the PC's web browser too from the
public Internet, unless that sort of thing is blocked at the firewall.)
I agree that a well designed web application can handle all the
authentication and encryption issues directly while opening none of the
vulnerabilities we can envision. On the other hand, GoToMyPC isn't quite
as bad as others on the list have implied. Almost, but not quite.
Alan Frayer wrote:
> I have a potential client who has been suggesting they want to remotely
> access critical data using GoToMyPC, rather than placing the data in a
> web-accessible, password-protected read-only database.
> Which approach to accessing the data remotely would be more secure? Am I
> missing something?
More information about the list