mstshash is set to the username

[hedwigz]

The Client X.224 Connection Request has a field routingToken which is optional. FreeRDP sets this value to the username (code). Since this message is sent before the connection is encrypted, it potentially leaks usernames to the network.

I tested to see whether mstsc sets this field to the username and I found that it does not

[akallabeth]

https://www.loadbalancer.org/blog/microsoft-drops-support-for-mstshash-cookies/

[akallabeth]

https://learn.microsoft.com/en-us/answers/questions/1181179/in-windows-11-rdp-can-you-stop-it-from-sending-rou

[hedwigz]

@akallabeth what do you think is the right action here?

[akallabeth]

@hedwigz good question.
so far the old behavior is working fine so far (except for the public username) with old and new systems.
if we change this, at least stuff before 2012 might break.

[hedwigz]

@akallabeth how about an opt-out command line argument? /remove-mstshash

[akallabeth]

not sure a commandline is a good idea for such stuff.
should be handled automatically the best way possible (the command line already is a monster)