Posted to user@guacamole.apache.org by m99 <ca...@ctc.com> on 2018/09/25 14:31:05 UTC

Re: Guacamole - Forcing full remote frame buffer update all the time instead of incremental

"What do you mean by this? Inspect/process it how? For what purpose?"
"How does this relate to your need for full-frame updates?"

Our requirement is to ensure all screen images sent to the end user in the
Web browser have undergone a jpeg lossy compression (regardless of
performance).  This can be achieved by changing Guacamole to force jpeg
encoding, thus ensuring the jpeg lossy compression.

Our patch to Guacamole 0.14 adds a new configuration option for the build
(--enable-force-jpeg=yes; default is no).  This patch adds an ifdef to the
surface.c file to force jpeg encoding all the time if enabled during
configure with this new option.

Our original thought was first to perform a jpeg lossy compression on the
actual frame buffer first (which we believed required a full frame buffer
update all the time) then forwarding on to Guacamole, however this turned
out to be a much larger effort than originally anticipated.

We want to submit this patch to the Guacamole community for consideration to
improve the security posture.  We understand this change is tailored for a
very specific use case, but as an optional configuration option, the impact
of the change is very minimal.

Is this patch something the Guacamole community would be interested in?
I've found the following link outlining the steps to submit a change to the
guacamole project, is this the process I should follow to submit the patch
for consideration?

https://github.com/apache/guacamole-server/blob/master/CONTRIBUTING



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: Guacamole - Forcing full remote frame buffer update all the time instead of incremental

Posted by m99 <ca...@ctc.com>.
"You are concerned that users within remote desktop will use steganography to
hide data within images as a means of transferring that data out of the
remote desktop environment?"

Yes, correct, this is what we want to prevent by performing the jpeg lossy
compression on the screen images.




Re: Guacamole - Forcing full remote frame buffer update all the time instead of incremental

Posted by Mike Jumper <mj...@apache.org>.
On Wed, Sep 26, 2018, 05:09 m99 <ca...@ctc.com> wrote:

> "The issue is not the size of the patch but the reason(s) for the patch. If
> the assertion is that forcing JPEG provides some security benefit, the
> benefit needs to be explained."
>
> Forcing JPEG lossy compression on every screen image sent from guacamole
> would help mitigate attempts of steganography within these images.  This is
> the main goal of the patch we have implemented.
>

You are concerned that users within remote desktop will use steganography
to hide data within images as a means of transferring that data out of the
remote desktop environment?

- Mike

Re: Guacamole - Forcing full remote frame buffer update all the time instead of incremental

Posted by m99 <ca...@ctc.com>.
"The issue is not the size of the patch but the reason(s) for the patch. If
the assertion is that forcing JPEG provides some security benefit, the
benefit needs to be explained."

Forcing JPEG lossy compression on every screen image sent from guacamole
would help mitigate attempts of steganography within these images.  This is
the main goal of the patch we have implemented.




Re: Guacamole - Forcing full remote frame buffer update all the time instead of incremental

Posted by Mike Jumper <mj...@apache.org>.
On Tue, Sep 25, 2018, 07:31 m99 <ca...@ctc.com> wrote:

> "What do you mean by this? Inspect/process it how? For what purpose?"
> "How does this relate to your need for full-frame updates?"
>
> Our requirement is to ensure all screen images sent to the end user in the
> Web browser have undergone a jpeg lossy compression (regardless of
> performance).  ...
>
> We want to submit this patch to the Guacamole community for consideration
> to improve the security posture.  We understand this change is tailored for a
> very specific use case, but as an optional configuration option, the impact
> of the change is very minimal.
>

The issue is not the size of the patch but the reason(s) for the patch. If
the assertion is that forcing JPEG provides some security benefit, the
benefit needs to be explained.


> Is this patch something the Guacamole community would be interested in?


This will depend on the reasoning behind the change.


> I've found the following link outlining the steps to submit a change to the
> guacamole project, is this the process I
> should follow to submit the patch for consideration?
>
> https://github.com/apache/guacamole-server/blob/master/CONTRIBUTING


Yes, the link describes the correct process.

- Mike
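
Added example (not part of the thread, and not the patch m99 describes): a pure-Python model of the lossy step of baseline JPEG, showing what it does to data hidden in pixel least-significant bits, the simplest form of the steganography concern raised above. The LSB scheme, the gradient used as the screen image, the SHA-256-derived payload and all function names are assumptions made for illustration.

```python
import hashlib
import math

# Standard JPEG luminance quantization table (ITU-T T.81 Annex K).
Q = [
    [16, 11, 10, 16, 24, 40, 51, 61],
    [12, 12, 14, 19, 26, 58, 60, 55],
    [14, 13, 16, 24, 40, 57, 69, 56],
    [14, 17, 22, 29, 51, 87, 80, 62],
    [18, 22, 37, 56, 68, 109, 103, 77],
    [24, 35, 55, 64, 81, 104, 113, 92],
    [49, 64, 78, 87, 103, 121, 120, 101],
    [72, 92, 95, 98, 112, 100, 103, 99],
]
# Orthonormal 8-point DCT-II basis (same scaling as the JPEG 8x8 DCT).
C = [[math.sqrt((1 if u == 0 else 2) / 8) * math.cos((2 * x + 1) * u * math.pi / 16)
      for x in range(8)] for u in range(8)]
CT = [list(r) for r in zip(*C)]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(8)) for j in range(8)] for i in range(8)]

def jpeg_round_trip(block):
    """Lossy part of JPEG on one 8x8 block: DCT, quantize, dequantize, inverse DCT."""
    shifted = [[p - 128 for p in row] for row in block]
    coeff = matmul(matmul(C, shifted), CT)
    deq = [[round(coeff[u][v] / Q[u][v]) * Q[u][v] for v in range(8)] for u in range(8)]
    pix = matmul(matmul(CT, deq), C)
    return [[min(255, max(0, round(p + 128))) for p in row] for row in pix]

def message_bits(n):
    """Constructed payload: n deterministic pseudo-random bits from SHA-256."""
    raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(n // 256 + 1))
    return [(raw[i // 8] >> (i % 8)) & 1 for i in range(n)]

def bit_error_rate(lossy, blocks=16):
    """Hide bits in pixel LSBs of a constructed gradient, optionally recompress, read back."""
    bits = message_bits(64 * blocks)
    errors = 0
    for b in range(blocks):
        chunk = bits[64 * b:64 * (b + 1)]
        cover = [[40 + 5 * b + 4 * x + 6 * y for x in range(8)] for y in range(8)]
        stego = [[(cover[y][x] & ~1) | chunk[8 * y + x] for x in range(8)] for y in range(8)]
        seen = jpeg_round_trip(stego) if lossy else stego
        errors += sum((seen[y][x] & 1) != chunk[8 * y + x] for y in range(8) for x in range(8))
    return errors / len(bits)

if __name__ == "__main__":
    print("lossless:", bit_error_rate(False), "forced JPEG:", bit_error_rate(True))
```

A bit error rate near 0.5 means the recovered LSB plane is no better than guessing. The model covers pixel-domain LSB hiding only; schemes that embed in the JPEG coefficients themselves are outside what it shows.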