
I've been using Remmina to connect to my RDP server across the internet. When I first connected to the server, I had to accept the certificate. I have not had to do that since the first time I connected.

Now, after using this server for a long time, I get a "Certificate Changed! Details:" alert. It shows the Old Fingerprint, and the New Fingerprint. They are different.

Wondering why this is happening, and what the security implications are. Is it possible someone has accessed my server?

I have not changed any software configurations or even made any recent updates on either the server or the client device. This is consistent among other client devices that have also been used to connect to this server.

Doug
  • See this question. Maybe it helps: https://unix.stackexchange.com/questions/445613/cant-connect-to-remote-server-using-rdp-remmina-after-upgrade. – mentallurg Apr 21 '20 at 22:05
  • In the default configuration of any Windows system, a self-signed certificate is installed and renewed in regular intervals. On my Windows 10, the certificate is renewed every six months. This would cause such a warning. What operating system is running on your host? – Volker Apr 22 '20 at 12:21

2 Answers

In my case, the previous certificate had expired, and the server generated a new one. I projected that this was the case based on the timing of the certificate change, compared to when the original certificate was created. I then verified that this was the case by accepting the new cert, logging in, and inspecting the certificate stored on the server, as well as server logs indicating these changes had taken place. The fingerprints matched.

As far as I can see, it would not be possible to verify this theory without accepting the new cert and logging in, unless you had another vector of access to the server, like a remote console (ssh, etc.), an ftp server, or perhaps a reverse shell.

If security is something you value in your connections to your RDP server, you should set the date of expiration on your certs manually, and/or put a reminder in your calendar.

If this had been a man-in-the-middle attack, and I had accepted the cert and logged in, the attacker would then have not only my login credentials, but also have full capturing ability for my session, and any future sessions in which I connect to the intercept server.

Of course, there is the slight chance that I have connected to an intercept server, and the attacker managed to either update the cert on my server between the time I logged in and the time I retrieved the server cert, or perhaps the intercept server edited the graphic data being sent to my client RDP viewer to match the fingerprint of the intercept server. Though I perceive these to be highly unlikely.

Dugg
  • That auto-renew w/ no warning or explanation from the server seems like an extremely poor security practice. It's hard to preach key verification when that's the norm. I have coworkers that have gotten so used to seeing that on Windows systems that they didn't think twice when they got the same kind of error in SSH, and went through a MITM for a couple of months before I pointed out what was going on. – Charles Boling Oct 01 '20 at 15:34

I had these same issues but my certificate hadn't changed. Remmina was reporting a SHA-256 fingerprint but it had the SHA-1 thumbprint stored. I was able to check the certificate's SHA-256 thumbprint with:

openssl x509 -noout -fingerprint -sha256 -inform der -in [exported-certificate]

Brendon
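Both answers can be checked from the client side before clicking "accept": the first answer's point that the new certificate cannot be inspected without logging in, and the second answer's point that a stored SHA-1 thumbprint will never equal a freshly reported SHA-256 fingerprint of the same certificate. The script below is an added example, not code from either answer or from the Remmina project. It performs only the RDP X.224 connection request needed to get the server to start TLS, pulls the certificate the server presents, prints both fingerprints in the same colon-separated form as `openssl x509 -fingerprint`, and tells you under which algorithm (if any) the "Old Fingerprint" Remmina shows matches it. It assumes the server negotiates TLS or CredSSP/NLA (both run over TLS) rather than legacy RDP security; the host name and stored fingerprint are placeholders you pass on the command line.

```python
"""Fetch an RDP server's TLS certificate before accepting anything in Remmina,
then check it against the fingerprint Remmina stored.

Added example, not from the original thread. It assumes the server offers
TLS or CredSSP/NLA (both run over TLS); host and stored fingerprint are
placeholders you supply on the command line."""
import hashlib
import socket
import ssl
import sys

# X.224 Connection Request with an RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1):
#   TPKT: version 3, reserved, length 19
#   X.224 CR: LI 14, code 0xE0, dst-ref 0, src-ref 0, class 0
#   RDP_NEG_REQ: type 1, flags 0, length 8, requestedProtocols
#                = PROTOCOL_SSL | PROTOCOL_HYBRID (0x00000003, little-endian)
X224_CONNECTION_REQUEST = bytes.fromhex(
    "03000013" "0ee00000000000" "0100080003000000"
)

def recv_exact(sock, n):
    """Read exactly n bytes or raise."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during RDP negotiation")
        buf += chunk
    return buf

def negotiate_tls(sock):
    """Send the connection request; return the protocol the server selected."""
    sock.sendall(X224_CONNECTION_REQUEST)
    tpkt = recv_exact(sock, 4)
    body = recv_exact(sock, int.from_bytes(tpkt[2:4], "big") - 4)
    if body[1] != 0xD0:                      # expect X.224 Connection Confirm
        raise ConnectionError("unexpected X.224 PDU type 0x%02x" % body[1])
    if len(body) < 15:                       # CC without RDP_NEG_RSP/FAILURE
        raise ConnectionError("server offers only legacy RDP security, no certificate")
    value = int.from_bytes(body[11:15], "little")
    if body[7] == 0x03:                      # RDP_NEG_FAILURE
        raise ConnectionError("RDP_NEG_FAILURE, failureCode %d" % value)
    if value == 0:                           # PROTOCOL_RDP selected: no TLS
        raise ConnectionError("server selected standard RDP security")
    return value

def fetch_rdp_certificate(host, port=3389, timeout=5.0):
    """Return the DER certificate the server presents, with no login attempted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # inspecting, not trusting: the check is ours
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        negotiate_tls(raw)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def fingerprint(der, algo="sha256"):
    """Digest of the DER bytes, formatted like `openssl x509 -fingerprint`."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def normalize(fp):
    """Make stored and computed fingerprints comparable regardless of case/colons."""
    return fp.replace(":", "").replace(" ", "").lower()

def match_stored_fingerprint(stored, der, algos=("sha256", "sha1")):
    """Return the algorithm under which `stored` matches the certificate, or None.
    A match under SHA-1 means an unchanged certificate whose old fingerprint was
    recorded as SHA-1 while the client now reports SHA-256."""
    wanted = normalize(stored)
    for algo in algos:
        if normalize(fingerprint(der, algo)) == wanted:
            return algo
    return None

if __name__ == "__main__":
    # e.g. python rdp_fp.py rdp.example.org AB:CD:...  (host and value are placeholders)
    host, stored = sys.argv[1], sys.argv[2]
    der = fetch_rdp_certificate(host)
    print("SHA-256:", fingerprint(der, "sha256"))
    print("SHA-1:  ", fingerprint(der, "sha1"))
    algo = match_stored_fingerprint(stored, der)
    if algo:
        print("stored fingerprint matches the presented certificate (%s)" % algo)
    else:
        print("stored fingerprint does NOT match: certificate really changed, or MITM")
```

The script only reports what is presented on the wire. If the old fingerprint matches under SHA-1, nothing changed and the warning is the SHA-1/SHA-256 mismatch from the second answer. If it matches under neither, the certificate really is different, and that is exactly the case where an interceptor would also present its own certificate; then the only authoritative check is the out-of-band one from the answers above, running `openssl x509 -fingerprint -sha256` against a certificate exported from the server itself and comparing it with the SHA-256 line this script prints.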