Georgi Guninski wrote:
>I asked myself what would happen if I could register the name
>wpad.visitors.har2009.net?
>Well, I have done so. And I have set up an appropriate proxy that
>intercepts all traffic that passes this machine. After 24 hours, there
>were more than 800 different hosts using this malicious proxy server
>... That’s quite impressive as these are about 20 percent of the
>visitors!
[...]
[2]http://benjamin-schweizer.de/sniffing-http-traffic-at-har2009.html
Acting on this at the browser level would require severely castrating
the wpad protocol, without much security gain.
The conclusion is that it's the DNS server that should be wpad-aware and
only allow an authenticated administrator to register the wpad name, or
else there's a big security problem.
If we go this route, then maybe we can also add a way for the DNS server
to signal to the browser that it implements this security and that wpad
is secure.
But at another level, you can also think that it's not necessarily much
of an improvement if it's the har2009 admin who logs your traffic
instead of some random guy.
So the final conclusion is that it's insecure transmission of sensitive
information that should be eradicated, solving the root problem.
Maybe publicising this incident is a good way to increase recognition of
the importance of this issue.
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
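
The DNS-side rule proposed in the message above, sketched as an added example (not part of the original e-mail and not any DNS server's own code): a registration filter for a zone in which clients self-register names. `may_register`, `RESERVED_LABELS` and the `is_admin` flag are hypothetical names, and authenticating the administrator is assumed to happen elsewhere.

```python
RESERVED_LABELS = {"wpad"}  # label that proxy auto-discovery looks up


def normalize(name: str) -> list[str]:
    """Lower-case the name, drop the trailing root dot, split into labels."""
    name = name.strip().rstrip(".").lower()
    labels = name.split(".")
    if not name or any(not label for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return labels


def may_register(requested: str, zone: str, is_admin: bool) -> bool:
    """Decide whether a self-registration request is accepted.

    requested: FQDN the client asks for (e.g. derived from its hostname)
    zone:      zone in which the server accepts self-registration
    is_admin:  True only for a request authenticated as an administrator
    """
    req, zn = normalize(requested), normalize(zone)
    # The name must lie strictly inside the zone.
    if len(req) <= len(zn) or req[-len(zn):] != zn:
        return False
    # Clients look up wpad.<their domain suffix>, so the leftmost label is
    # what matters, at any depth inside the zone. DNS names are
    # case-insensitive, hence the comparison on normalized labels.
    if req[0] in RESERVED_LABELS:
        return is_admin
    return True


if __name__ == "__main__":
    zone = "visitors.har2009.net"
    # Constructed sample requests: (requested name, authenticated as admin?)
    samples = [
        ("laptop42.visitors.har2009.net", False),
        ("wpad.visitors.har2009.net", False),
        ("WPAD.Visitors.HAR2009.net.", False),
        ("wpad.lab.visitors.har2009.net", False),
        ("wpad.visitors.har2009.net", True),
    ]
    for name, admin in samples:
        verdict = "accept" if may_register(name, zone, admin) else "reject"
        print(f"{verdict:6}  admin={admin!s:5}  {name}")
```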