
Re: Bug#765632: ForwardX11Trusted set to yes over a decade ago, for release reasons?



On Aug 20 2015, Christoph Anton Mitterer <calestyo@scientia.net> wrote:
> On Wed, 2015-08-19 at 20:01 -0700, Nikolaus Rath wrote:
>> Until now, I did not know how much trust I'm actually putting into the
>> remote server when using -X (on Debian). I'll probably continue to use
>> it in the majority of cases (because the alternative seems rather
>> useless), but in my opinion it would be great if it could be somehow
>> communicated to the user what -X really implies.
>
> Hmm the best thing would be if one could make X forwarding actually
> secure.
> I once proposed the idea[0] to e.g. use something like Xephyr as
> destination for any forwardings; probably at least one instance per
> host/user, possibly even per connection.
>
> The idea was that the client automatically spawns Xephyr as necessary
> (with options that e.g. forbid fullscreen, focus stealing, clipboard
> stealing, keylogging and the like).
>
> But at least to me it's not even clear whether Xephyr would really add
> security so that my idea works, or whether it basically just passes
> everything on (as X protocol) to the actual X server.
> So perhaps one would need something else,... like VNC... X forwarding
> drawn to jpegs ;-)


Spawning a VNC server sounds like a great idea to me. I hope you can
find some time to work on it - you'd make a vast amount of systems a lot
more secure instantly.


Best,
-Nikolaus

-- 
GPG encrypted emails preferred. Key id: 0xD113FCAC3C4E599F
Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

             »Time flies like an arrow, fruit flies like a Banana.«

