Version: v42

MITM Mitigations in PrivX

PrivX connections are secured against man-in-the-middle (MITM) attacks. The exact protection methods are different for each connection protocol.

  • SSH: PrivX hosts are configured with a host key that authenticates the legitimate target. When opening connections to SSH targets, the target must present the same host key and a valid signature computed with the host key's private key. You can flag each host in PrivX with ToFu (trust on first use) and ToCH (trust on changed host key) options to control whether non-admin users can accept the initial / changed host key when connecting to targets.
  • HTTPS: TLS server certificates are verified using a set of trust anchors. The Carrier browser warns users when they try to connect to untrusted servers.
  • RDP: Target host certificates are verified using a set of trust anchors and previously-accepted host certificates. Users are warned about connecting to targets whose host certificates cannot be verified. In such cases, the user is prompted to accept or reject the connection. Accepted host certificates are stored in PrivX and used for validating subsequent connections to the host.
  • VNC: When a VNC connection is tunneled inside SSH, the server identity is verified using the target's SSH host key. Note that with plaintext (untunneled) VNC connections, the server's identity is not verified due to VNC protocol design.
  • Database: PostgreSQL and MySQL server identities are verified using a set of trust anchors.
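
The SSH host-key decision from the first bullet, modelled for a non-admin user. This is an added example, not PrivX code. The names `Decision`, `fingerprint` and `decide_host_key`, the comparison by SHA-256 fingerprint, and the sample key blobs are assumptions made for illustration.

```python
import base64
import hashlib
from enum import Enum


class Decision(Enum):
    CONNECT = "connect"        # presented key is already trusted for this host
    MAY_ACCEPT = "may_accept"  # non-admin user may be asked to accept the key
    REJECT = "reject"          # connection refused


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def decide_host_key(stored, presented_blob, signature_valid, *, tofu, toch):
    """Model of the host-key check for a non-admin user (assumed semantics).

    stored          -- set of fingerprints already recorded for the host
    signature_valid -- True if the target proved possession of the private key
    tofu / toch     -- the per-host flags described in the SSH bullet
    """
    # Presenting a public key proves nothing without the matching signature.
    if not signature_valid:
        return Decision.REJECT
    if fingerprint(presented_blob) in stored:
        return Decision.CONNECT
    if not stored:
        # No key recorded yet: only ToFu lets a non-admin accept the first key.
        return Decision.MAY_ACCEPT if tofu else Decision.REJECT
    # A key is recorded but a different one was presented: only ToCH allows it.
    return Decision.MAY_ACCEPT if toch else Decision.REJECT


if __name__ == "__main__":
    # Constructed sample blobs, not real host keys.
    legit, other = b"constructed-host-key-A", b"constructed-host-key-B"
    known = {fingerprint(legit)}
    cases = [
        ("known key", known, legit, True, False, False),
        ("first contact, ToFu off", set(), legit, True, False, False),
        ("first contact, ToFu on", set(), legit, True, True, False),
        ("changed key, ToCH off", known, other, True, True, False),
        ("changed key, ToCH on", known, other, True, True, True),
        ("known key, bad signature", known, legit, False, True, True),
    ]
    for name, stored, blob, sig, tofu, toch in cases:
        print(f"{name:26} -> {decide_host_key(stored, blob, sig, tofu=tofu, toch=toch).value}")
```

Leaving ToCH off for a host means a changed key, which is what an interception attempt looks like from the client side, cannot be waved through by a non-admin user even when ToFu is on.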