Re: Proxy detection for IPv6 vs. Legacy IP

David Woodhouse <dwmw2 infradead org> writes:

On Mon, 2016-05-09 at 14:21 +0200, Bjørn Mork wrote:

And if the goal is to make NM behave like Windows:  Does that mean
replicating the idiotic requests for a toplevel "wpad.", or clearly
bogus "wpad.local" too?

If that is really the intention, then I'm going to shut up now.  Else, I
ask that you reconsider what your claim "Just Work for us as well as it
does for Windows users" implies.

There are users in corporate networks who *have* to use the proxies,
because direct connections to the outside world don't work.

Yes, and those networks will use DHCP to configure proxies.  Anything
else would be crazy.

Sure, a rogue network could still advertise in the search
domains in its DHCP response, and provide its own PAC content. But then
again, it could have just given you a DHCP option 252. Once the
attacker has *that* much control, I think you lost the game already.

Yes, a rogue network is one thing. No way to protect yourself there of

The problem with using DNS for proxy config is that you aren't even safe
on a trusted network, unless you are very careful about which domain
names you use.  Most users won't know that their choice of host name
might have security implications.  Because it shouldn't.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]