In light of the discovered vulnerabilities in SSL/TLS, is legacy RDP encryption or SSL more secure?

0

Windows offers the option of using either RDP encryption or SSL (TLS 1.0) to secure a remote desktop connection. Which option is more secure?

Given the recent discoveries, is TLS 1.0 still secure in this use case?

This is the description Microsoft provides:

  • RDP: The RDP method uses native RDP encryption to secure communications between the client and RD Session Host server. If you select this setting, the RD Session Host server is not authenticated.

  • SSL (TLS 1.0): The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection fails.

UPDATE: I'm referring to the POODLE vulnerability discovered recently that TLS 1.0 is no longer secure

Shane

Posted 2015-02-26T20:36:51.797

Reputation: 11

Question was closed 2015-03-11T16:17:11.497

You have a misconception, POODLE does make TLS not secure. What it does is make the connection fail, then your browser tries an older method to connect. It only demonstrates the dangers of allowing legacy SSL 3.0 connections. – Scott Chamberlain – 2015-02-26T22:03:31.133

Answers

2

I'm referring to the POODLE vulnerability discovered recently that TLS 1.0 is no longer secure

POODLE does not make TLS 1.0 not secure; what it does is make the TLS 1.0 connection fail, and the browser falls back to the older, less secure SSL 3.0, which does have vulnerabilities that can be exploited.

RDP will not fall back to SSL 3.0; it falls back to the proprietary RDP security protocol if you choose the option to negotiate the connection. If you set it to not negotiate and only allow TLS 1.0 connections, you are unaffected by POODLE.

Scott Chamberlain

Posted 2015-02-26T20:36:51.797

Reputation: 28 923

https://technet.microsoft.com/en-us/library/security/3009008.aspx – Frank Thomas – 2015-02-26T21:35:57.550

@FrankThomas From your link "TLS 1.0, TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected." RDP uses TLS 1.0 or its own proprietary protocol. It NEVER uses SSL 3.0, and if you tell it not to it never uses the proprietary protocol either. – Scott Chamberlain – 2015-02-26T21:39:12.600

0

I assume the RDP security layer is less secure because SSL is preferred if you select the auto-negotiate method:

The most secure layer that is supported by the client will be used. If supported, SSL (TLS 1.0) will be used. If the client does not support SSL (TLS 1.0), the RDP Security Layer will be used.

See here:

Is windows remote desktop secure?

kuleszdl

Posted 2015-02-26T20:36:51.797

Reputation: 34
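An added example, not part of the original posts or of Microsoft's documentation: both answers turn on which security layer the server ends up using, and that choice is visible in the server's X.224 Connection Confirm. The parser below follows the negotiation structures in the public [MS-RDPBCGR] specification; the function and constant names are hypothetical and the byte strings are constructed samples.

```python
import struct

# Constants from the public [MS-RDPBCGR] negotiation structures.
NEG_RSP, NEG_FAILURE = 0x02, 0x03
LAYERS = {0: "RDP Security Layer", 1: "SSL (TLS)", 2: "CredSSP"}
FAILURES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
            3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
            5: "HYBRID_REQUIRED_BY_SERVER"}

def parse_connection_confirm(pdu: bytes) -> dict:
    """Report which security layer a server picked in its Connection Confirm."""
    if len(pdu) < 11:
        raise ValueError("truncated PDU")
    version, _reserved, total = struct.unpack(">BBH", pdu[:4])  # TPKT header
    if version != 3 or total != len(pdu):
        raise ValueError("bad TPKT header")
    if pdu[5] & 0xF0 != 0xD0 or pdu[4] + 5 != total:  # X.224 CC, length byte
        raise ValueError("not an X.224 Connection Confirm")
    neg = pdu[11:]
    if not neg:
        # No negotiation block at all: only the legacy layer is on offer.
        return {"result": "selected", "layer": LAYERS[0], "legacy": True}
    if len(neg) != 8:
        raise ValueError("malformed negotiation block")
    kind, _flags, length, value = struct.unpack("<BBHI", neg)
    if length != 8 or kind not in (NEG_RSP, NEG_FAILURE):
        raise ValueError("malformed negotiation block")
    if kind == NEG_FAILURE:
        return {"result": "refused", "reason": FAILURES.get(value, hex(value))}
    return {"result": "selected", "layer": LAYERS.get(value, hex(value)),
            "legacy": value == 0}

# Constructed sample responses (not captured from a real host).
X224 = "0ed00000123400"
SAMPLES = {
    "tls chosen": bytes.fromhex("03000013" + X224 + "0200080001000000"),
    "negotiated down": bytes.fromhex("03000013" + X224 + "0200080000000000"),
    # Reply of a TLS-only server to a client that asked for the legacy layer.
    "tls enforced": bytes.fromhex("03000013" + X224 + "0300080001000000"),
    "pre-negotiation server": bytes.fromhex("0300000b06d00000123400"),
}

if __name__ == "__main__":
    for name, pdu in SAMPLES.items():
        print(f"{name:24} {parse_connection_confirm(pdu)}")
```

A server set to "SSL (TLS 1.0)" only should never produce a response with `legacy` set to true; seeing one in a capture means the Negotiate or RDP setting is still in effect.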