Re: Proxy detection for IPv6 vs. Legacy IP

On Mon, 2016-05-09 at 14:21 +0200, Bjørn Mork wrote:

And if the goal is to make NM behave like Windows:  Does that mean
replicating the idiotic requests for a toplevel "wpad.", or clearly
bogus "wpad.local" too?

If that is really the intention, then I'm going to shut up now.  Else, I
ask that you reconsider what your claim "Just Work for us as well as it
does for Windows users" implies.

There are users in corporate networks who *have* to use the proxies,
because direct connections to the outside world don't work.

That's the situation I'm referring to when I say that Windows Just
Works, and we want it to work for Linux/etc. users too.

You are absolutely right about the security concerns, and we definitely
don't want to just blindly do what Windows does. I should have been
more specific.

That's why I suggested a whitelist — in the specific case that I think
we want to care about, that's actually a reasonable answer. For my
users, that means that *if* is in your search domains, *then*
you can try — and nothing else.

I think a whitelist solves it, for the class of users (not just mine)
who really need this problem solved.

Sure, a rogue network could still advertise in the search
domains in its DHCP response, and provide its own PAC content. But then
again, it could have just given you a DHCP option 252. Once the
attacker has *that* much control, I think you lost the game already.


Attachment: smime.p7s
Description: S/MIME cryptographic signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]