Re: Proxy detection for IPv6 vs. Legacy IP



David Woodhouse <dwmw2 infradead org> writes:

> On Fri, 2016-04-29 at 22:20 +0200, Bjørn Mork wrote:

>>> Implementing WPAD via DNS is not our priority now, it comes later

>> Please don't.  WPAD via DNS is a security nightmare.  Have your friendly
>> DNS resolver operator send over some query logs for wpad host names, and
>> you'll quickly realize that there is no end to the attack vectors.

> Nevertheless, if we want this stuff to Just Work for us as well as it
> does for Windows users, then I strongly suspect we're going to have to
> do *something* with WPAD — horrendously scary though it may be.

It doesn't work for Windows users. For most of them it is just an
ignorable, but unnecessary delay.  For others, it is the way their web
traffic is intercepted by the bad guys... But neither group of users
will be aware of the problem, so they don't complain.  This does not
mean that WPAD via DNS works.

Most Windows users end up asking for "wpad.", or "wpad.local" or similar
based on what they decided to call their PC.  The best they can hope for
is that none of the requested wpad names exist.  Worst case is that they
actually hit a registered domain, and it has an evil wpad entry.  I
don't see how you can possibly automatically detect/fix that.  How do
you intend to verify the domain name the user selected?  How do you
intend to verify the proxy config sent back?

And if the goal is to make NM behave like Windows:  Does that mean
replicating the idiotic requests for a toplevel "wpad.", or clearly
bogus "wpad.local" too?

If that is really the intention, then I'm going to shut up now.  Else, I
ask that you reconsider what your claim "Just Work for us as well as it
does for Windows users" implies.

> Perhaps — eventually — we might get a pop-up telling the user that
> we've discovered a proxy configuration, and *asking* if they want to
> use it (just this one / whitelist forever). Although I don't like that
> much.

Users won't know how to verify a discovered proxy config.  If the config
you discovered is truly evil, then it will probably be obfuscated as
well. Most users won't even know where to start reading a javascript
function.


Bjørn
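
Added example, not part of Bjørn's message or the thread: one way to act on the suggestion above to look at resolver query logs for wpad host names, sorting the queries into the cases the message describes ("wpad.", "wpad.local" and similar, and names outside a zone you control). The log layout, the TRUSTED_ZONES set and the sample lines are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample resolver query log. The "<time> <client> <qname> <qtype>"
# layout is an assumption; adapt the field positions to your resolver.
SAMPLE_LOG = """\
2016-04-29T20:01:02Z 192.0.2.10 wpad. A
2016-04-29T20:01:03Z 192.0.2.10 wpad.local. A
2016-04-29T20:01:05Z 192.0.2.11 wpad.corp.example.com. A
2016-04-29T20:01:06Z 192.0.2.11 wpad.example.com. A
2016-04-29T20:01:07Z 192.0.2.12 www.example.org. AAAA
2016-04-29T20:01:09Z 192.0.2.13 WPAD.home. A
2016-04-29T20:01:10Z 192.0.2.13 wpad.lan. A
"""

# Assumption: zones you control and where a wpad record is intentional.
TRUSTED_ZONES = {"corp.example.com"}

def classify(qname):
    """Return None for non-WPAD names, otherwise a category string."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[0] != "wpad":
        return None
    suffix = ".".join(labels[1:])
    if not suffix:
        return "bare-toplevel"          # the "wpad." query
    if any(suffix == z or suffix.endswith("." + z) for z in TRUSTED_ZONES):
        return "trusted"
    if len(labels) == 2:
        return "single-label-suffix"    # wpad.local, wpad.home, wpad.lan
    return "outside-trusted-zone"       # suffix is not a zone you control

def summarize(log_text):
    """Count WPAD query categories and collect the risky names per client."""
    counts, risky = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                    # skip malformed lines
        client, qname = fields[1], fields[2]
        category = classify(qname)
        if category is None:
            continue
        counts[category] += 1
        if category != "trusted":
            risky[client].add(qname.rstrip(".").lower())
    return counts, dict(risky)

if __name__ == "__main__":
    counts, risky = summarize(SAMPLE_LOG)
    print(dict(counts), {c: sorted(n) for c, n in sorted(risky.items())})
```

Every client that appears in the risky map is asking for a proxy configuration from a name nobody on the local network is guaranteed to own.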

