enable SSL on web.rustdesk.com #856

Closed
itamarjp opened this issue Jun 23, 2022 · 9 comments
Labels
enhancement New feature or request wontfix This will not be worked on

Comments

@itamarjp

Can you make web.rustdesk.com accessible using https?

@itamarjp itamarjp added the enhancement New feature or request label Jun 23, 2022
@rustdesk
Owner

rustdesk commented Jun 23, 2022

It is not that we do not want to.

Actually it requires a lot of effort for us, because if we change to https, we also need to change ws (websocket) to wss. To support global users, we have 3 rendezvous servers, 8 relay servers (though all are very cheap ones) across the world. It means we need to add SSL to all of these servers, and assign DNS names to the relay servers (currently we use the IP directly for convenience).

web.rustdesk.com is still in a beta or experimental stage. I think websocket with wasm is not a good solution because of poor performance; we may change to a webrtc solution in the future.

And our connection (websocket) is encrypted in the same way as the desktop / mobile connection.

The above may be excuses from your perspective. Looking forward to your understanding.

@simeononsecurity

simeononsecurity commented Aug 2, 2022

SSL and WSS are standards for a reason.
We are talking about remote access to a system here. Any attack vector that is known should be handled or at the very least mitigated. SSL certs and DNS are easy. This configuration might be acceptable in a self-hosted situation. But even for a product in beta, it's a public one and the official one. This needs to be implemented at the very least as a good faith measure. Defense is in depth; not doing the industry-considered bare minimum is severely frowned upon.

@simeononsecurity

simeononsecurity commented Aug 2, 2022

WSS may very well be somewhat slower. But SSL certs and DNS records for 11 hosts would take any junior administrator about an hour to implement with the right preparation.
I don't see the explanation as a valid excuse.
I see this, and the community will see this, as implementing a bare minimum configuration and not optional. Even in beta.

@elyazzi

elyazzi commented Aug 8, 2022

I agree with simeononsecurity on this issue. SSL can be a bit of a pain to set up initially, but it is a big standard with plenty of documentation. Additionally, the improvements to security are enormous compared to the effort needed.

Security needs to be a priority on any remote access services. Especially on amazing services that are growing as fast as RustDesk.

@simeononsecurity

@rustdesk

@TheCGDF

TheCGDF commented Jan 8, 2023

It is not only a security problem. The GFW of China often inspects and drops some http or ws packets, so that requests time out, which makes it inconvenient for foreign users to interact with Chinese users. Https and wss have a lower probability of being inspected and higher reliability.

@mwareman

@rustdesk The SSL cert on https://web.rustdesk.com only contains a SAN for:

altnames='DNS:rustdesk.com'

This will be causing you LOTS of issues with SSL for any host other than the naked domain name (likely causing issues for the WSS connections as well).

There needs to be a second SAN in the certificate to work correctly for DNS:*.rustdesk.com so that all subdomains are covered. This will allow wss:// to work properly as well since without verifying the SAN to the hostname most modern browsers will deny the connection.

This is easily achieved and fully supported in Let's Encrypt.
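An added example, not part of the thread or of RustDesk's code: a simplified version of the hostname check that TLS clients apply to certificate SANs (RFC 6125 style), run on the SAN quoted in the comment above and on the same list with the suggested wildcard. The function names, the host `a.b.rustdesk.com` and the documentation address `192.0.2.10` are assumptions made for illustration.

```python
import ipaddress

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dns_san_matches(pattern, hostname):
    """Match one DNS SAN entry against a hostname (simplified RFC 6125 rules)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label, never zero or two
    if p[0] == "*":
        # wildcard must be the whole left-most label and sit above a registrable name
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h

def cert_covers(sans, host):
    """sans: openssl-style entries such as 'DNS:rustdesk.com' or 'IP:192.0.2.10'."""
    for entry in sans:
        kind, _, value = entry.partition(":")
        kind, value = kind.strip().upper(), value.strip()
        if _is_ip(host):
            # an IP literal is matched only by an iPAddress SAN, never by a DNS SAN
            if kind in ("IP", "IP ADDRESS") and _is_ip(value) \
                    and ipaddress.ip_address(value) == ipaddress.ip_address(host):
                return True
        elif kind == "DNS" and dns_san_matches(value, host):
            return True
    return False

REPORTED = ["DNS:rustdesk.com"]                        # SAN quoted in the comment
PROPOSED = ["DNS:rustdesk.com", "DNS:*.rustdesk.com"]  # with the suggested wildcard
# The last two hosts are constructed: a two-level subdomain and a bare IP.
HOSTS = ["rustdesk.com", "web.rustdesk.com", "a.b.rustdesk.com", "192.0.2.10"]

def coverage(sans):
    return {h: cert_covers(sans, h) for h in HOSTS}

if __name__ == "__main__":
    for name, sans in (("reported", REPORTED), ("proposed", PROPOSED)):
        print(name, coverage(sans))
```

The wildcard fixes `web.rustdesk.com` but still covers neither deeper subdomains nor a host addressed by bare IP, which needs either a DNS name or an iPAddress SAN.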

@rustdesk rustdesk added the wontfix This will not be worked on label Mar 25, 2023
@rustdesk
Owner

rustdesk commented Mar 25, 2023

wontfix since it is beta, let's do it in the next version.

Repository owner locked as off-topic and limited conversation to collaborators Mar 25, 2023
@rustdesk
Owner

rustdesk commented May 7, 2023

Updated to http://45.76.181.120:8080/#/ because we enabled HSTS; http://web.rustdesk.com is not available any more.


6 participants