DO Ideas 2

Encrypted noVNC sessions

Currently the noVNC console available for each droplet is not encrypted (it uses a noVNC connection through ws:// instead of wss://). This should be encrypted so that access to the VNC console is secure from anywhere (not possibly leaking the root password or other info).

  • Cedric
  • Sep 11 2018
  • Shipped
  • Moisey Uretsky commented
    September 11, 2018 19:02

    The SSL fix has been deployed so all console access communication is now secured via SSL.

    Thanks!

  • Moisey Uretsky commented
    September 11, 2018 19:02

    We're working on a fix for this currently. SSL is being passed all the way through, but Firefox is more restrictive, so we've dug up another bug there that we are looking into.

  • jacob berry commented
    September 11, 2018 19:02

    After reading Jack's comment, I modified the network.websocket.allowInsecureFromHTTPS to be equal to true and the console worked (in Firefox). So, confirmation that is the issue!

    Tested on: Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0

  • Anonymous commented
    September 11, 2018 19:02

    VNC has a password length limit of 8 characters.

  • Moisey Uretsky commented
    September 11, 2018 19:02

    Hey Jack,

    I was wondering, did you have a chance to confirm that it's a lack of SSL encryption that's causing the Firefox bug?

    Thanks,
    Moisey

  • Jack Hamer commented
    September 11, 2018 19:02

    This is causing Firefox not to accept the websockets connection, effectively not working at all. The temporary fix is to make this change in about:config:

    network.websocket.allowInsecureFromHTTPS = true

  • Cedric commented
    September 11, 2018 19:02

    Ideally, the generated noVNC password could be a bit longer as well.
    They are currently generated to be 8 characters long with what seems to be a passogva-like algorithm (to make them easy to remember for humans, reducing the keyspace when it should rather be as long as possible with numbers and special chars, etc.).
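
The failure discussed in this thread (a console page served over HTTPS opening a ws:// socket) can be modelled in a few lines. This is an added example, not DigitalOcean's or noVNC's code; the function names, hostnames, port and path are constructed for illustration, and the check is a simplified model of the browser's mixed-content rule.

```javascript
// Added example: simplified model of the mixed-content rule for WebSockets.
// Function names and sample URLs are constructed for illustration.

// Derive the socket scheme from the scheme of the page hosting the console,
// so an HTTPS page never asks for a cleartext ws:// connection.
function consoleSocketUrl(pageUrl, host, port, path) {
  const page = new URL(pageUrl);
  const scheme = page.protocol === "https:" ? "wss:" : "ws:";
  return `${scheme}//${host}:${port}/${path.replace(/^\/+/, "")}`;
}

// Classify a page/socket pair: encrypted, blocked as mixed content, or cleartext.
function auditSocket(pageUrl, socketUrl) {
  const page = new URL(pageUrl);
  const sock = new URL(socketUrl);
  if (sock.protocol !== "ws:" && sock.protocol !== "wss:") {
    return { verdict: "invalid", reason: "not a WebSocket URL" };
  }
  if (sock.protocol === "wss:") {
    return { verdict: "ok", reason: "console traffic is carried over TLS" };
  }
  if (page.protocol === "https:") {
    // The case reported in the thread: Firefox refuses the connection unless
    // network.websocket.allowInsecureFromHTTPS is set to true.
    return { verdict: "blocked", reason: "ws:// opened from an HTTPS page" };
  }
  return { verdict: "cleartext", reason: "keystrokes and screen travel unencrypted" };
}

// Constructed sample inputs.
const samples = [
  ["https://cloud.example.com/console", "ws://console.example.com:6080/websockify"],
  ["http://cloud.example.com/console", "ws://console.example.com:6080/websockify"],
  ["https://cloud.example.com/console",
    consoleSocketUrl("https://cloud.example.com/console", "console.example.com", 6080, "/websockify")],
];
for (const [page, sock] of samples) {
  const { verdict, reason } = auditSocket(page, sock);
  console.log(`${page} -> ${sock}: ${verdict} (${reason})`);
}
```

The "cleartext" verdict is the one that goes unnoticed in practice: the console works, but everything typed into it, including the root password, crosses the network unencrypted.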