Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]

Looks like there were a few presentations on it at Black Hat USA 2016.

Fundamentally the PAC file comes down in the clear, from an unverified 
source.

Can use the DNS lookup facility to effectively log any URL that is 
presented to the function, thereby leaking querystrings and URLs for 
https URIs.

Proxy auto detect is enabled by default in pretty much all browsers at 
the moment it seems.

Adrien


------ Original Message ------
From: "Martin Thomson" <martin.thomson@gmail.com>
To: "Adrien de Croy" <adrien@qbik.com>
Cc: "Amos Jeffries" <squid3@treenet.co.nz>; "ietf-http-wg@w3.org" 
<ietf-http-wg@w3.org>
Sent: 8/08/2016 2:17:26 PM
Subject: Re: MITM and proxy messages [was: Call for Adoption: 
draft-song-dns-wireformat-http]

>On 8 August 2016 at 12:05, Adrien de Croy <adrien@qbik.com> wrote:
>>  It's kinda crazy that browsers, which are supposedly so security-conscious
>>  are still happy to download and evaluate javascript from some source they
>>  don't really verify (e.g. result of DNS lookup for WPAD or DHCP option 252).
>
>I'm fairly sure that no browser wants to do that.  The alternative
>must be worse though.
>

Received on Monday, 8 August 2016 02:52:33 UTC
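
Added example, not part of the original message or of any browser's code: a defender-side check that evaluates a PAC script against stubbed DNS helpers and reports whether anything beyond the hostname (a marker placed in the path and query string) reaches them. The function name `auditPac`, the marker, and both sample PAC files are constructed for illustration; a marker that the script re-encodes before the lookup would not be caught by this substring test.

```javascript
// Dynamic check: does a PAC script pass URL path/query data to DNS helpers?
// NOTE: new Function() is not a sandbox; analyse untrusted PAC files only in
// a disposable, network-isolated environment.
const DNS_HELPERS = ["dnsResolve", "isResolvable", "isInNet"];

function auditPac(pacSource) {
  const token = "canary7f3a91"; // constructed marker, present only outside the host
  const url = `https://intranet.example.test/${token}/doc?session=${token}`;
  const host = "intranet.example.test";
  const leaks = [];

  // Stub the PAC helper functions so nothing touches the network.
  // Return values are fixed documentation addresses (assumption).
  const stubs = {
    dnsResolve: (h) => "192.0.2.10",
    isResolvable: (h) => true,
    isInNet: (h, net, mask) => false,
    myIpAddress: () => "192.0.2.20",
    shExpMatch: (s, pat) => false,
    dnsDomainIs: (h, d) => String(h).endsWith(d),
    isPlainHostName: (h) => !String(h).includes("."),
  };
  for (const name of DNS_HELPERS) {
    const real = stubs[name];
    stubs[name] = (...args) => {
      if (String(args[0]).includes(token)) leaks.push({ helper: name, arg: String(args[0]) });
      return real(...args);
    };
  }

  const names = Object.keys(stubs);
  const load = new Function(...names, `${pacSource}\nreturn FindProxyForURL;`);
  const findProxy = load(...names.map((n) => stubs[n]));
  return { decision: findProxy(url, host), leaks };
}

// Constructed sample PAC files: one consults DNS with the host only,
// the other hands the full URL to a DNS helper.
const PAC_HOST_ONLY = `function FindProxyForURL(url, host) {
  if (isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0")) return "DIRECT";
  return "PROXY proxy.example.test:3128";
}`;
const PAC_URL_TO_DNS = `function FindProxyForURL(url, host) {
  isResolvable(url);
  return "DIRECT";
}`;
```

A non-empty `leaks` array means the script's routing decision involved a lookup that carried path or query data off the host.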