This article is more than 1 year old
Wait, what? Citrix Receiver sessions run on crocked crypto!
Fixed now, as Receiver 4.12 for Windows deprecates unsound ciphers, if you want
The basic premise of the Citrix products-formerly-known-as Xen App and Xen Desktop is that they deliver applications and desktops more securely than is possible if you run them locally.
The prospect of those apps and desktops being snoop-able is therefore more than a little worrying.
News that Citrix Receiver, the app that lets you consume those apps and desktops, has until now used known-to-be-insecure encryption is therefore a mixed blessing.
The upside is that as of Receiver 4.12, available now, old, bad, crypto is deprecated. The new version of Receiver for Windows has added support for Datagram Transport Layer Security (DTLS) version 1.2, which supports Transport Layer Security 1.2 instead of the known-to-be-insecure version 1.1. Receiver 4.12 also deprecates eight TLS_RSA ciphers that Citrix admitted are “cryptographically weak”.
But if you want to keep running those old ciphers, feel free because Citrix allows you to do so, for the sake of backwards compatibility and with warnings about this being A Silly Thing To Do. And of course some won’t bother with the upgrade to 4.12.
Throw in the fact that Receiver is a grand way to work around Windows 10 S’s restrictions on apps from outside the Windows Store and this is an upgrade worth doing.
And an upgrade that may prove a hassle, as Receiver 4.9 for Windows is the current Long Term Service (LTS) release and landed in March 2018, but Citrix has a three-year lifecycle for LTS releases.
So get planning and/or patching, people, because with this news out of the bag someone, somewhere, will surely target this weakness. ®
Biting the hand that feeds IT
