David Woodhouse <[email protected]> writes:

> On Fri, 2016-04-29 at 22:20 +0200, Bjørn Mork wrote:
>>
>> > Implementing WPAD via DNS is not our priority now, it comes later
>>
>> Please don't. WPAD via DNS is a security nightmare. Have your friendly
>> DNS resolver operator send over some query logs for wpad host names, and
>> you'll quickly realize that there is no end to the attack vectors.
>
> Nevertheless, if we want this stuff to Just Work for us as well as it
> does for Windows users, then I strongly suspect we're going to have to
> do *something* with WPAD — horrendously scary though it may be.

It doesn't work for Windows users. For most of them it is just an
ignorable, but unnecessary delay. For others, it is the way their web
traffic is intercepted by the bad guys... But neither group of users
will be aware of the problem, so they don't complain. This does not mean
that WPAD via DNS works.

Most Windows users end up asking for "wpad.", or "wpad.local" or similar
based on what they decided to call their PC. The best they can hope for
is that none of the requested wpad names exist. Worst case is that they
actually hit a registered domain, and it has an evil wpad entry.

I don't see how you can possibly automatically detect/fix that. How do
you intend to verify the domain name the user selected? How do you
intend to verify the proxy config sent back?

And if the goal is to make NM behave like Windows: Does that mean
replicating the idiotic requests for a toplevel "wpad.", or clearly
bogus "wpad.local" too? If that is really the intention, then I'm going
to shut up now. Else, I ask that you reconsider what your claim "Just
Work for us as well as it does for Windows users" implies.

> Perhaps — eventually — we might get a pop-up telling the user that
> we've discovered a proxy configuration, and *asking* if they want to
> use it (just this one / whitelist forever). Although I don't like that
> much.

Users won't know how to verify a discovered proxy config. If the config
you discovered is truly evil, then it will probably be obfuscated as
well. Most users won't even know where to start reading a javascript
function.


Bjørn

_______________________________________________
networkmanager-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/networkmanager-list
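The message above suggests looking at resolver query logs for wpad host names, and it describes the lookups that leak: a bare "wpad." against the root, bogus names such as "wpad.local", and queries that land in a registered third-party domain. The script below is an added example (not from this thread or from NetworkManager) that sorts wpad lookups in a query log into exactly those categories so a resolver operator can see which clients are leaking. The one-line-per-query log format, the `corp.example` internal domain, the non-delegated suffix list and the sample log lines are all constructed assumptions for the example.

```python
"""Classify WPAD host-name lookups found in DNS resolver query logs.

Added example: implements the log review suggested in the thread and
categorises each wpad lookup as toplevel, bogus-suffix, internal or
external. Log format, internal domain and sample lines are assumptions.
"""
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed log format (assumption): "<timestamp> <client-ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$")

# Domains this organisation actually operates (assumption for the example).
INTERNAL_DOMAINS = ("corp.example",)

# Suffixes that are not delegated in the public DNS: a wpad lookup here can
# never succeed legitimately, yet the query still leaves the client.
NON_DELEGATED_SUFFIXES = ("local", "localdomain", "home", "lan", "internal")


def classify_wpad(qname: str, internal_domains=INTERNAL_DOMAINS) -> Optional[str]:
    """Return a category for a WPAD lookup, or None if the name is not a wpad name."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[0] != "wpad":
        return None
    parent = ".".join(labels[1:])
    if parent == "":
        return "toplevel"          # a bare "wpad." sent to the root
    if parent.split(".")[-1] in NON_DELEGATED_SUFFIXES:
        return "bogus-suffix"      # e.g. wpad.local: never resolvable legitimately
    for domain in internal_domains:
        if parent == domain or parent.endswith("." + domain):
            return "internal"      # expected: our own search domain
    return "external"              # a registered (or registrable) third-party domain


def summarize(log_lines) -> Tuple[Counter, List[Tuple[str, str]]]:
    """Count wpad lookups per category and list (client, qname) for external ones."""
    counts: Counter = Counter()
    external: List[Tuple[str, str]] = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue               # ignore lines that do not match the assumed format
        category = classify_wpad(m.group("qname"))
        if category is None:
            continue
        counts[category] += 1
        if category == "external":
            external.append((m.group("client"), m.group("qname")))
    return counts, external


# Constructed sample log (not real data): one expected internal lookup pair,
# one bogus ".local", one bare "wpad.", one leak to an outside domain, one unrelated.
SAMPLE_LOG = """\
2016-04-29T22:20:01 10.0.0.12 wpad.corp.example. A
2016-04-29T22:20:01 10.0.0.12 wpad.corp.example. AAAA
2016-04-29T22:20:02 10.0.0.17 wpad.local. A
2016-04-29T22:20:02 10.0.0.17 wpad. A
2016-04-29T22:20:05 10.0.0.23 wpad.coffeeshop-wifi.test. A
2016-04-29T22:20:06 10.0.0.23 www.example.net. A
"""

if __name__ == "__main__":
    counts, external = summarize(SAMPLE_LOG.splitlines())
    for category, n in sorted(counts.items()):
        print(f"{category:14s} {n}")
    for client, qname in external:
        print(f"leak: client {client} asked for {qname}")
```

Only the "external" category is the one the message calls the worst case, because that name can actually be answered by whoever holds the domain; "toplevel" and "bogus-suffix" entries are still worth counting, since they show which clients are doing WPAD lookups that can never legitimately succeed.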
