- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Mon, 8 Aug 2016 13:34:52 +1000
- To: Adrien de Croy <adrien@qbik.com>
- Cc: Amos Jeffries <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

I'm familiar with the attack; I assumed that you were referring to it.
And yes, it's not great that we're leaking URLs. I expect that to be
corrected (at least partially). But I'm not sure what your point here is.

On 8 August 2016 at 12:49, Adrien de Croy <adrien@qbik.com> wrote:
>
> looks like there were a few presentations on it at black hat USA 2016.
>
> Fundamentally the PAC file comes down in the clear, from an unverified
> source.
>
> Can use the DNS lookup facility to effectively log any URL that is presented
> to the function, thereby leaking querystrings and URLs for https URIs.
>
> Proxy auto detect is enabled by default in pretty much all browsers at the
> moment it seems.
>
> Adrien
>
>
> ------ Original Message ------
> From: "Martin Thomson" <martin.thomson@gmail.com>
> To: "Adrien de Croy" <adrien@qbik.com>
> Cc: "Amos Jeffries" <squid3@treenet.co.nz>; "ietf-http-wg@w3.org"
> <ietf-http-wg@w3.org>
> Sent: 8/08/2016 2:17:26 PM
> Subject: Re: MITM and proxy messages [was: Call for Adoption:
> draft-song-dns-wireformat-http]
>
>> On 8 August 2016 at 12:05, Adrien de Croy <adrien@qbik.com> wrote:
>>>
>>> It's kinda crazy that browsers, which are supposedly so
>>> security-conscious are still happy to download and evaluate
>>> javascript from some source they don't really verify (e.g. result
>>> of DNS lookup for WPAD or DHCP option 252).
>>
>>
>> I'm fairly sure that no browser wants to do that. The alternative
>> must be worse though.
>>
>

Received on Monday, 8 August 2016 03:35:26 UTC
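
The leak discussed in this thread comes from handing the full request URL to an unverified PAC script. The following added example (not part of the original message, and not any browser's actual code) shows one client-side mitigation: reduce the URL before it reaches `FindProxyForURL`. The names `sanitizeUrlForPac`, `callPac` and `makeRecordingPac` are hypothetical, and the sample URLs are constructed.

```javascript
// Added example: limit what an untrusted PAC script can observe.
// All function names are hypothetical; sample URLs are constructed.

// Schemes whose path and query are confidential on the wire.
const SECURE_SCHEMES = new Set(['https:', 'wss:']);

function sanitizeUrlForPac(rawUrl) {
  const u = new URL(rawUrl);
  // Credentials and fragments are never needed for proxy selection.
  u.username = '';
  u.password = '';
  u.hash = '';
  if (SECURE_SCHEMES.has(u.protocol)) {
    // For TLS-protected schemes expose only scheme://host[:port]/
    u.pathname = '/';
    u.search = '';
  }
  return u.href;
}

// Invoke a PAC function with the reduced URL and the bare hostname.
function callPac(findProxyForURL, rawUrl) {
  const host = new URL(rawUrl).hostname;
  return findProxyForURL(sanitizeUrlForPac(rawUrl), host);
}

// Constructed stand-in for an unverified PAC script: it only records
// the arguments it receives, so the test can inspect what was exposed.
function makeRecordingPac(seen) {
  return function FindProxyForURL(url, host) {
    seen.push({ url, host });
    return 'DIRECT';
  };
}

function demo() {
  const seen = [];
  const pac = makeRecordingPac(seen);
  callPac(pac, 'https://user:pw@bank.example/reset?token=SECRET#frag');
  callPac(pac, 'http://intranet.example:8080/a/b?q=1#x');
  return seen;
}
```

The plain `http` URL keeps its path and query because those are already visible on the network; the hostname is still exposed in both cases, so this reduces the leak rather than removing it.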