Re: Proxy detection for IPv6 vs. Legacy IP



David Woodhouse <dwmw2 infradead org> writes:

> On Mon, 2016-05-09 at 14:21 +0200, Bjørn Mork wrote:
>>
>> And if the goal is to make NM behave like Windows:  Does that mean
>> replicating the idiotic requests for a toplevel "wpad.", or clearly
>> bogus "wpad.local" too?
>>
>> If that is really the intention, then I'm going to shut up now.  Else, I
>> ask that you reconsider what your claim "Just Work for us as well as it
>> does for Windows users" implies.
>
> There are users in corporate networks who *have* to use the proxies,
> because direct connections to the outside world don't work.

Yes, and those networks will use DHCP to configure proxies.  Anything
else would be crazy.

> Sure, a rogue network could still advertise intel.com in the search
> domains in its DHCP response, and provide its own PAC content. But then
> again, it could have just given you a DHCP option 252. Once the
> attacker has *that* much control, I think you lost the game already.

Yes, a rogue network is one thing. No way to protect yourself there of
course.

The problem with using DNS for proxy config is that you aren't even safe
on a trusted network, unless you are very careful about which domain
names you use.  Most users won't know that their choice of host name
might have security implications.  Because it shouldn't.


Bjørn
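
Added example, not part of the original message and not NetworkManager code: this Python example lists the `wpad` names a DNS-based discovery client would try for one host and separates those inside the zone the local administrator runs from those answered elsewhere. It assumes the client strips one label per step down to the top-level `wpad.` request mentioned in the message; the host and zone names are constructed.

```python
# Added example: names a DNS-based WPAD client may query for one host.
# Assumption: the client prepends "wpad" to the host's domain and strips one
# leading label per step, down to the bare top-level "wpad." request.

def wpad_candidates(fqdn):
    """Return the WPAD names derived from fqdn, most specific first."""
    labels = [l for l in fqdn.lower().rstrip(".").split(".") if l]
    domain = labels[1:]                      # drop the host label itself
    names = []
    while domain:
        names.append("wpad." + ".".join(domain) + ".")
        domain = domain[1:]                  # devolve one level towards the root
    names.append("wpad.")                    # the top-level request
    return names


def audit(fqdn, managed_zone):
    """Split the candidates into names inside managed_zone and names outside it.

    Names inside the zone are ones its administrator has to reserve so that
    no ordinary host can take them; names outside it are answered by whoever
    runs that parent zone, whatever the local network does.
    """
    zone = managed_zone.lower().strip(".") + "."
    inside, outside = [], []
    for name in wpad_candidates(fqdn):
        in_zone = name.endswith("." + zone)
        (inside if in_zone else outside).append(name)
    return inside, outside


if __name__ == "__main__":
    # Constructed sample host and zone (hypothetical names).
    inside, outside = audit("laptop.lab.eng.example.com", "example.com")
    print("reserve in own zone:", inside)
    print("resolved outside own zone:", outside)
```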

