[sf-lug] https hack

Rick Moen rick at linuxmafia.com
Thu Aug 11 18:10:20 PDT 2016


Quoting maestro (maestro415 at gmail.com):

> New attack bypasses HTTPS protection on Macs, Windows, and Linux<
> http://arstechnica.com/security/2016/07/new-attack-that-cripples-https-crypto-works-on-macs-windows-and-linux/

No.

Headline notwithstanding, it's not new.  It's been pretty well
understood since at least 2013.

The only thing that's new is that Blackhat USA 2016 just occurred, and,
as is traditional, somebody (Itzik[1] Kotler & Amit Klein) demo'ed stuff.
The key to all this is that Netscape Corporation back in Netscape
Navigator 2.0 days (1996) had a very, very bad idea:  proxy 
auto-configuration (PAC) and a Web Proxy Auto-Discovery Protocol (WPAD)
for Web browsers.  
http://users.telenet.be/mydotcom/library/network/pac.htm
https://en.wikipedia.org/wiki/Proxy_auto-config
https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol
https://web.archive.org/web/20110807125044/http://www.wlug.org.nz/WPAD

PAC/WPAD has _always_ been ripe for abuse, and, starting 2013, people got
around to doing so in a serious way.  And, in 2016, Kotler & Klein tied
up how to do so in a neat bow.

So:  Proxy auto-configuration is bad.


There's a long history of building dangerous, overfeatured functionality
by default into the Web.  See also:  Javascript.


Jonathan de Boyne Pollard wrote more than a decade ago about these
things (PAC and WPAD).
http://jdebp.eu./FGA/web-browser-auto-proxy-configuration.html 
Quoting:

  o  Only configure web browsers to use PAC scripts published by entities
     that you trust.

  o  Don't enable "DHCP-based" Web Proxy Auto-Discovery (WPAD) unless you 
     trust all of the DHCP servers on the network you are attaching to.

  o  Don't enable "DNS-based" Web Proxy Auto-Discovery (WPAD) unless you 
     trust all of the content HTTP servers that could possibly be contacted.

I simply disable blanket-proxies.  Done.
https://auth0.com/blog/heads-up-https-is-not-enough-when-using-wpad/

Go forth and do ye likewise.


Today's puzzler:  _Without_ Web-searching the phrase, can any
non-Norwegians in present company guess what my .signature says?


[1] Great name, Itzik (אִיצִיק).  Means 'laughter'.  Not that Amit (עָמִית)
isn't nice too, mate.  (It means friend or, er, 'mate'.)

-- 
Cheers,                                      Luftputebåten min er full av ål.
Rick Moen
rick at linuxmafia.com
McQ!  (4x80)
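
Added example (editorial, not part of Rick Moen's message or of the quoted FGA): a Python sketch of the "DNS-based" WPAD point above, listing every wpad.<suffix> name a client might ask for as it strips labels off its own domain, and flagging answers that fall outside a trusted address set. The function names, the min_labels knob and the sample zone are assumptions made for illustration; it goes slightly beyond the post by spelling out the devolution walk described on the linked Wikipedia WPAD page.

```python
import socket

def wpad_candidates(client_fqdn, min_labels=1):
    """Names a DNS-based WPAD client may query, most specific first.

    min_labels is a modelling knob (assumption): 1 walks all the way up
    to wpad.<tld>; 2 stops one level above the TLD.
    """
    domain = client_fqdn.rstrip(".").lower().split(".")[1:]  # drop host label
    names = []
    while len(domain) >= max(1, min_labels):
        names.append("wpad." + ".".join(domain))
        domain = domain[1:]  # strip the leftmost label and try again
    return names

def dns_resolve(name):
    """Live lookup; returns [] when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def audit(client_fqdn, trusted_ips, resolve=dns_resolve):
    """Classify every candidate WPAD name as no-answer, trusted or UNTRUSTED."""
    findings = []
    for name in wpad_candidates(client_fqdn):
        addrs = resolve(name)
        if not addrs:
            verdict = "no-answer"
        elif set(addrs) <= set(trusted_ips):
            verdict = "trusted"
        else:
            verdict = "UNTRUSTED"
        findings.append((name, addrs, verdict))
    return findings

# Constructed sample data: hypothetical zone contents, documentation addresses.
SAMPLE_DNS = {"wpad.example.com": ["192.0.2.10"], "wpad.com": ["203.0.113.66"]}

if __name__ == "__main__":
    for name, addrs, verdict in audit("pc.dept.example.com", {"192.0.2.10"},
                                      resolve=lambda n: SAMPLE_DNS.get(n, [])):
        print(f"http://{name}/wpad.dat  {addrs or '-'}  {verdict}")
```

Any UNTRUSTED row is a host that could hand the browser a PAC script; with auto-discovery disabled, none of these names are queried at all.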



