By default (in the absence of a CA-signed server certificate), RDP connections between Windows PCs rely on a trust-on-first-use (TOFU) model, where the client software displays a warning [1] before sending credentials to an untrusted server whose certificate hash is not pinned to the registry [2]. The Remote Desktop client for iOS used to work like the Windows client in this respect [3], but at some point in the last few years, it stopped checking server certificates altogether. This is a security risk, because Windows credentials could be intercepted by a man-in-the-middle. Is this behaviour actually intended? If it is, I would strongly suggest adding a setting to manually re-enable certificate validation for environments with higher security requirements. (In my testing, neither reinstalling the app nor using a FQDN to connect had any effect.)

[1] https://i.sstatic.net/pu5YX.png
[2] HKCU\SOFTWARE\Microsoft\Terminal Server Client\Servers\...\CertHash
[3] https://nextpointhost.com/images/knowledgebase/how_to_access_forex_vps_via_rdc_using_iphone_or_ipad_6.PNG
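The pinning mechanism the post describes can be audited from the Windows side: the script below is an added example (not part of the original post and not Microsoft code) that lists the certificate hashes the Windows client has pinned under the `HKCU\SOFTWARE\Microsoft\Terminal Server Client\Servers` key, fetches the certificate a given RDP server presents today, and reports whether the two agree, which is exactly the check the iOS client is reported to have stopped doing. It assumes that `CertHash` is a `REG_BINARY` value holding the SHA-1 thumbprint of the server certificate (so it can be compared with .NET's `Thumbprint` property), and that the server accepts the standard X.224 connection request with `PROTOCOL_SSL` from MS-RDPBCGR before switching to TLS. The function names `Get-RdpPinnedCertHash`, `Get-RdpServerCertThumbprint` and `Test-RdpPinnedCert` are the example's own.

```powershell
# Added example, not from the original post. Audits RDP certificate pins on a
# Windows client and compares them with what a server currently presents.
# Assumption: CertHash is a REG_BINARY containing the SHA-1 thumbprint.

function Get-RdpPinnedCertHash {
    # One object per server subkey that carries a CertHash value.
    $base = 'HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem -Path $base | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($null -ne $props.CertHash) {
            [pscustomobject]@{
                Server   = $_.PSChildName
                # Render the binary hash as uppercase hex, the same form as
                # X509Certificate2.Thumbprint, so the two can be compared.
                CertHash = ($props.CertHash | ForEach-Object { $_.ToString('X2') }) -join ''
            }
        }
    }
}

function Get-RdpServerCertThumbprint {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 3389)
    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $stream = $client.GetStream()
        # TPKT + X.224 Connection Request + RDP_NEG_REQ asking for PROTOCOL_SSL
        # (0x01). After the server's X.224 Connection Confirm, the rest of the
        # connection is TLS, which is where the certificate is presented.
        [byte[]]$req = 0x03,0x00,0x00,0x13,
                       0x0e,0xe0,0x00,0x00,0x00,0x00,0x00,
                       0x01,0x00,0x08,0x00,0x01,0x00,0x00,0x00
        $stream.Write($req, 0, $req.Length)

        # Read the TPKT header first; bytes 2-3 carry the total PDU length.
        $hdr = New-Object byte[] 4
        $got = 0
        while ($got -lt 4) {
            $n = $stream.Read($hdr, $got, 4 - $got)
            if ($n -le 0) { throw "connection closed before X.224 response" }
            $got += $n
        }
        $total = ($hdr[2] -shl 8) -bor $hdr[3]
        $body = New-Object byte[] ($total - 4)
        $got = 0
        while ($got -lt $body.Length) {
            $n = $stream.Read($body, $got, $body.Length - $got)
            if ($n -le 0) { throw "connection closed mid X.224 response" }
            $got += $n
        }
        # body[0..6] is the X.224 Connection Confirm; body[7] is the type of the
        # optional negotiation response: 0x02 = RDP_NEG_RSP, 0x03 = RDP_NEG_FAILURE.
        if ($body.Length -lt 8 -or $body[7] -ne 0x02) {
            throw "server did not agree to TLS (no RDP_NEG_RSP); cannot read certificate"
        }

        # The callback returns $true only so the handshake completes and the
        # certificate can be read; trust is decided by comparing thumbprints
        # below, not by this callback. No credentials are ever sent.
        $cb  = { param($s, $cert, $chain, $errors) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = [System.Net.Security.SslStream]::new($stream, $false, $cb)
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        return $cert.Thumbprint
    } finally {
        $client.Close()
    }
}

function Test-RdpPinnedCert {
    # Reports whether the pinned hash for $Server matches the live certificate.
    # A mismatch is what the Windows client warns about before sending credentials.
    param([Parameter(Mandatory)][string]$Server)
    $pinned = Get-RdpPinnedCertHash | Where-Object { $_.Server -eq $Server } | Select-Object -First 1
    $live   = Get-RdpServerCertThumbprint -Server $Server
    [pscustomobject]@{
        Server    = $Server
        Pinned    = if ($pinned) { $pinned.CertHash } else { '(not pinned)' }
        Presented = $live
        Match     = ($null -ne $pinned -and $pinned.CertHash -eq $live)
    }
}

# Usage: list every pin, then verify one host by the name used in mstsc.
Get-RdpPinnedCertHash | Format-Table -AutoSize
Test-RdpPinnedCert -Server 'rdp-host.example.internal'   # placeholder host name
```

Run it from the user profile whose `mstsc` pins you want to audit, since the key lives under `HKCU`. A `Match` of `$false` for a host that is pinned means the server's certificate changed since the pin was accepted; that is the condition a validating client should surface before credentials leave the device, and the condition a client that skips validation silently ignores.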