Shadow Transport Security

Thank you Lily.  I saw that KB article. 

This ‘proprietary’ tunnel they reference hints at being encrypted, but doesn’t say they use encryption.  It sounds like they are just relying on obfuscation to protect confidentiality.  This isn’t a strategy that has historically worked for anyone in computing. 

They state that they will eventually go to a “single key” system using an SSL certificate.  I hope this is TLS due to the deprecated state of SSL.  Until this occurs, we should consider our communications to have weak confidentiality with a higher risk of exposure.

I would be ecstatic to be wrong, and would love for Shadow to explain this in greater detail

Yes Jim you’re absolutely correct. I could spin up an instance of Security Onion and packet capture away. I could spend a few days plugging away at it… or I could just look at the company I’m doing business with and ask that they be a little more forthcoming on the real security around their data transport and give us at least a quarter estimation of deploying encryption. 
 

It isn’t the 1990s and sending sensitive information over the internet with some level encryption is almost expected. A company providing IAAS should be able to answer these questions with a measure of detail and not require their customers to “do the work”. 
 

I feel you’re response is really more aimed at trying to shut down my question. 
 

I like the service greatly. But I feel we need to understand these elements of it to properly gauge the risk and act accordingly. It’s not really going to change how I use the service. But if you do your banking on a Shadow, you might want to reconsider. 

Jim,

I assumed Shadow frequented these forums and answered questions. I am seeking a little more information than is provided in their KB article. I, and many other professionals, routinely engage other vendors in this same manner when seeking further information. It is one of the reasons companies maintain a presence in forums they sponsor about their products. Look at the Cisco, Microsoft, Red Hat, RSA, etc company forums. 
 

I’m honestly not trying to stoke my own ego. Shadow hints at a tunnel “like a VPN”. They claimed that the proprietary protocol protects the data. It takes a good amount of grey matter to write your own protocol that performs as well as theirs does. I believe they can provide a little more clarity. 
 

As I’ve said. I use the service. Like the service. Will continue to use the service. But if I had a little more information I could better tailor how I use it. I don’t want to limit my use because I have unfounded fears due to a misunderstanding or incorrect assumptions.
 

@Neyland fair enough...that you didn’t react negatively to my constructive criticism shows you’re a person of good character, and you have my respect.

I don’t believe the Shadow technical personnel frequent these forums, at least from what I’ve seen here. It’s more of a user-to-user community, with some expert moderation from time-to-time.

I think you might get some traction by opening a support incident, and craft it in a way that you’d like more information from their professional staff about your specific questions.

Also, in looking at the CurrPorts (it’s basically a GUI for netstat) filtered output on the Shadow client processes, it doesn’t look like it’d take too much work to interrogate those flows. Doing that might invoke some specific questions to ask them about...

LOL nooo.  We use VDI but the infrastructure cost is pretty high when you are looking at maintaining unique storage for a large number of people.

With the pandemic pushing more WFH, we needed more quickly so we began to dynamically scale to Azure allowing Citrix to manage the machine deployment and tear down. 

Well Microsoft has their own virtual desktop service so we had out TAM set up a meeting to take a look and went through their dog and pony.  What we had was working, but it’s always good to know your options. 

At the end of that meeting our Citrix admin, my colleague, an I were “virtually” sitting around talking about the strengths and weaknesses of each platform. I brought up trying Shadow on a personal level. When you get a bunch of geeky guys in a room chewing on these topics you just naturally start to want to get your fingers in there and know more. 

I work in healthcare and I don’t think this would meet the HIPAA sniff test. ;)

I mentioned it again recently to my colleague and he was still skeptical and I didn’t have any more answers so I figured I could dig some.

Now for the brutal honesty. I’m to lazy. We have our home on the market. Trying to WFH, keep the house in “show ready state”, leave at any time with the kids and dogs… I just don’t want to go through the effort to really dig into it.   That’s 100% on me. I just thought they came here and might be able to drop some more info. 
 

As great as this service is and has given me more gaming flexibility, I still only have time once or twice a week. I’m good money for Shadow :)

if they don’t come here then I’ve wasted your time and withdraw my question. For some reason I was under a different impression.  
 

@Neyland Are you saying that Shadow is not encrypting our data as they have led us to believe? I’m asking as I have recently switched to using the Shadow Ghost as my only PC. That means I am now doing everything on my VM including banking, insurance, medical televisits, and other data sensitive activities from my Shadow  VM. If my data is not being encrypted and only obfuscated then I am going to have to get a lowend PC to use to do all of that and only use Shadow for gaming. That said I am very concerned as I have been doing my banking and all over Shadow for sometime now. If your speculation is true and Shadow/Blade has misrepresented their security protocols I have put my sensitive data at risk for some time.

If your initial answer was answered, please mark it as answered. Thanks)