<SNIP>
The browser is 100% unaware of the proxies existence and the page being
fetched from a different server than its TCP connection was sent to.
All the IP level security the browser uses to check same-origin is
bypassed silently. All the DNSSEC, IP-based firewall rules, etc which
the LAN administrator may have setup for that client to make use of are
also bypassed silently unless replicated in proxy config.
I'm not sure which of the two is more serious, but leaning slightly
towards the firewall bypasses being worse nowdays since browsers have
improved their checking a bit too along the same lines as the squid checks.
It is possible for a website JS (ie advert) to fetch a malicious page
using a benign TCP connection to a safe IP address and a Host: with
malicious server name. The result corrupts the browser cache with a
phishing-style page and gives open access to any private details
(credentials, cookies, local browser state) to the malicious website
server.
The only real solution is to avoid using an interception or transparent
proxy completely (or use it only to bounce clients to a "how to
configure your browser" page as per the ZeroConf wiki example). But the
3.2 changes raise the difficulty for attackers and go a long way towards
avoiding collateral damage to the rest of the LAN clients from such
attacks.
Amos
Thanks Amos,
I wasn't sure that I got it right but it seems like my logic was right
after all.
But if anyone do use firewall + intercept proxy he will most likely will
manage the proxy acls to match the local security policy else then the
firewall.
Regards,
Eliezer
--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
