Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]

"Adrien de Croy" <adrien@qbik.com> Mon, 08 August 2016 02:56 UTC

From: Adrien de Croy <adrien@qbik.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Amos Jeffries <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Date: Mon, 08 Aug 2016 02:49:01 +0000
Message-Id: <eme1f9a13f-b8ed-45e5-9d99-f6df15060d5a@bodybag>
In-Reply-To: <CABkgnnVpYiB39cfYhXFYrn_C3n_yktNM8ms7FsZj5LzzevQVEQ@mail.gmail.com>
Reply-To: Adrien de Croy <adrien@qbik.com>
Archived-At: <http://www.w3.org/mid/eme1f9a13f-b8ed-45e5-9d99-f6df15060d5a@bodybag>

Looks like there were a few presentations on it at Black Hat USA 2016.

Fundamentally, the PAC file comes down in the clear, from an unverified source.

Can use the DNS lookup facility to effectively log any URL that is presented to the function, thereby leaking query strings and URLs for https URIs.

Proxy auto-detect is enabled by default in pretty much all browsers at the moment, it seems.

Adrien


------ Original Message ------
From: "Martin Thomson" <martin.thomson@gmail.com>
To: "Adrien de Croy" <adrien@qbik.com>
Cc: "Amos Jeffries" <squid3@treenet.co.nz>; "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Sent: 8/08/2016 2:17:26 PM
Subject: Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]

>On 8 August 2016 at 12:05, Adrien de Croy <adrien@qbik.com> wrote:
>> It's kinda crazy that browsers, which are supposedly so security-conscious
>> are still happy to download and evaluate javascript from some source they
>> don't really verify (e.g. result of DNS lookup for WPAD or DHCP option 252).
>
>I'm fairly sure that no browser wants to do that.  The alternative
>must be worse though.
>