Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]

On Aug 7, 2016 10:57 PM, "Adrien de Croy" <adrien@qbik.com> wrote:
>
>
> looks like there were a few presentations on it at black hat USA 2016.
>
> Fundamentally the PAC file comes down in the clear, from an unverified
source.
>
> Can use the DNS lookup facility to effectively log any URL that is
presented to the function, thereby leaking querystrings and URLs for https
URIs.
>
> Proxy auto detect is enabled by default in pretty much all browsers at
the moment it seems.
>
>

Firefox hat.

Wpad is not enabled by default in firefox.. especially from use system
settings in windows which is default there.. because of wpads security
problems you need to opt in to it.

Sorry for resend.. phone replied from a addr not subscribed 1st time

> Adrien
>
>
> ------ Original Message ------
> From: "Martin Thomson" <martin.thomson@gmail.com>
> To: "Adrien de Croy" <adrien@qbik.com>
> Cc: "Amos Jeffries" <squid3@treenet.co.nz>; "ietf-http-wg@w3.org" <
ietf-http-wg@w3.org>
> Sent: 8/08/2016 2:17:26 PM
> Subject: Re: MITM and proxy messages [was: Call for Adoption:
draft-song-dns-wireformat-http]
>
>> On 8 August 2016 at 12:05, Adrien de Croy <adrien@qbik.com> wrote:
>>>
>>>  It's kinda crazy that browsers, which are supposedly so
security-conscious
>>>  are still happy to download and evaluate javascript from some source
they
>>>  don't really verify (e.g. result of DNS lookup for WPAD or DHCP option
252).
>>
>>
>> I'm fairly sure that no browser wants to do that.  The alternative
>> must be worse though.
>>
>
>

Received on Monday, 8 August 2016 23:39:14 UTC