On Mon, 2016-05-09 at 14:35 +0200, Bjørn Mork wrote:
> David Woodhouse <dwmw2 infradead org> writes:
>
> > There are users in corporate networks who *have* to use the proxies, because direct connections to the outside world don't work.
>
> Yes, and those networks will use DHCP to configure proxies. Anything else would be crazy.

Yeah, because corporate IT is *never* crazy. :)

I am fairly sure that our lot *don't* advertise the proxy with option 252. I also suspect I'd get nowhere in *asking* them to, since it isn't required for Windows. I suppose I could try; they are actually quite good these days.

But even if I fix it for my own users, that doesn't solve the general case. I already *had* a hackish solution in a NM dispatcher script to automatically detect being on *our* corporate network and prod the right configuration into PacRunner.

And we *need* the general case to be solved. Because until PacRunner/libproxy actually gives sane results in a reliable fashion, I don't get to change distro packaging guidelines to read "Thou shalt use libproxy by default". And without things actually *using* it, none of this stuff actually makes any difference at all :)

> > Sure, a rogue network could still advertise intel.com in the search domains in its DHCP response, and provide its own PAC content. But then again, it could have just given you a DHCP option 252. Once the attacker has *that* much control, I think you lost the game already.
>
> Yes, a rogue network is one thing. No way to protect yourself there of course.
>
> The problem with using DNS for proxy config is that you aren't even safe on a trusted network, unless you are very careful about which domain names you use. Most users won't know that their choice of host name might have security implications. Because it shouldn't.

True. But we're not talking about *always* using the corporate wpad when we're outside the corporate network — only when the local DHCP server actually gives $COMPANY.com in the list of DNS search domains. And yes, a rogue network *could* do that... but as noted, we lose that game anyway.

-- 
dwmw2
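
The selection policy discussed in this message, written out as an added example; it is not part of the original email and is not PacRunner, libproxy or NetworkManager code. The function name, the `corp.example` domain and the sample lease values are constructed for illustration, and the `http://wpad.<domain>/wpad.dat` URL form is the conventional DNS-based WPAD location.

```python
# Added example: hypothetical policy helper, not code from any project
# named in the thread. All sample values below are constructed.

def normalize(domain):
    """Lower-case a DNS name and drop surrounding whitespace and the root dot."""
    return domain.strip().rstrip(".").lower()


def choose_pac_url(option_252, search_domains, corporate_domain):
    """Return (pac_url, reason); pac_url is None when nothing should be configured.

    option_252       -- PAC URL from DHCP option 252, or None/"" if not offered
    search_domains   -- DNS search domains taken from the same DHCP response
    corporate_domain -- the one domain whose wpad host is trusted (assumption:
                        configured locally, never learned from the network)
    """
    # 1. An explicit DHCP option 252 always wins. Some servers pad the value
    #    with whitespace or a NUL byte, so trim those.
    if option_252:
        url = option_252.strip(" \t\r\n\x00")
        if url:
            return url, "dhcp-option-252"

    # 2. Otherwise use the corporate wpad only if the DHCP server listed the
    #    corporate domain itself among the search domains. The comparison is
    #    on the whole name: "notcorp.example" and
    #    "corp.example.attacker.example" must not match "corp.example".
    corp = normalize(corporate_domain)
    offered = {normalize(d) for d in search_domains if d.strip()}
    if corp and corp in offered:
        return "http://wpad.%s/wpad.dat" % corp, "dns-search-domain"

    # 3. Neither signal present: leave proxy configuration alone.
    return None, "no-proxy-config"


if __name__ == "__main__":
    leases = [  # constructed DHCP lease summaries
        ("http://proxy.lab.example/proxy.pac\n", ["lab.example"]),
        (None, ["Corp.Example.", "lab.example"]),
        ("", ["notcorp.example", "corp.example.attacker.example"]),
    ]
    for opt252, domains in leases:
        print(choose_pac_url(opt252, domains, "corp.example"))
```
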