On Mon, 2016-05-09 at 14:21 +0200, Bjørn Mork wrote:
And if the goal is to make NM behave like Windows: Does that mean replicating the idiotic requests for a toplevel "wpad.", or clearly bogus "wpad.local" too? If that is really the intention, then I'm going to shut up now. Else, I ask that you reconsider what your claim "Just Work for us as well as it does for Windows users" implies.
There are users in corporate networks who *have* to use the proxies, because direct connections to the outside world don't work. That's the situation I'm referring to when I say that Windows Just Works, and we want it to work for Linux/etc. users too. You are absolutely right about the security concerns, and we definitely don't want to just blindly do what Windows does. I should have been more specific. That's why I suggested a whitelist — in the specific case that I think we want to care about, that's actually a reasonable answer. For my users, that means that *if* intel.com is in your search domains, *then* you can try http://wpad.intel.com/wpad.dat — and nothing else. I think a whitelist solves it, for the class of users (not just mine) who really need this problem solved. Sure, a rogue network could still advertise intel.com in the search domains in its DHCP response, and provide its own PAC content. But then again, it could have just given you a DHCP option 252. Once the attacker has *that* much control, I think you lost the game already. -- dwmw2
Attachment:
smime.p7s
Description: S/MIME cryptographic signature