On Aug 7, 2016 10:57 PM, "Adrien de Croy" <adrien@qbik.com> wrote: > > > looks like there were a few presentations on it at black hat USA 2016. > > Fundamentally the PAC file comes down in the clear, from an unverified source. > > Can use the DNS lookup facility to effectively log any URL that is presented to the function, thereby leaking querystrings and URLs for https URIs. > > Proxy auto detect is enabled by default in pretty much all browsers at the moment it seems. > > Firefox hat. Wpad is not enabled by default in firefox.. especially from use system settings in windows which is default there.. because of wpads security problems you need to opt in to it. Sorry for resend.. phone replied from a addr not subscribed 1st time > Adrien > > > ------ Original Message ------ > From: "Martin Thomson" <martin.thomson@gmail.com> > To: "Adrien de Croy" <adrien@qbik.com> > Cc: "Amos Jeffries" <squid3@treenet.co.nz>; "ietf-http-wg@w3.org" < ietf-http-wg@w3.org> > Sent: 8/08/2016 2:17:26 PM > Subject: Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http] > >> On 8 August 2016 at 12:05, Adrien de Croy <adrien@qbik.com> wrote: >>> >>> It's kinda crazy that browsers, which are supposedly so security-conscious >>> are still happy to download and evaluate javascript from some source they >>> don't really verify (e.g. result of DNS lookup for WPAD or DHCP option 252). >> >> >> I'm fairly sure that no browser wants to do that. The alternative >> must be worse though. >> > >
Received on Monday, 8 August 2016 23:39:14 UTC