[sf-lug] https hack

Ehud Kaldor ehud.kaldor at gmail.com
Thu Aug 11 22:49:14 PDT 2016


not to belittle your Hebrew, Rick, but Itzik is not exactly laughter.
however, Itzik is a nickname for Isaac. Isaac, in turn, is pronounced
"Itz-hak", which literally is the male form of 'will laugh'. Amit is
literally 'colleague'.

and if you're into that, you should know that Rick is the Hebrew word for
void or vacuum.

On Thu, Aug 11, 2016 at 6:13 PM Rick Moen <rick at linuxmafia.com> wrote:

> Quoting maestro (maestro415 at gmail.com):
>
> > New attack bypasses HTTPS protection on Macs, Windows, and Linux
> > <http://arstechnica.com/security/2016/07/new-attack-that-cripples-https-crypto-works-on-macs-windows-and-linux/>
>
> No.
>
> Headline notwithstanding, it's not new.  It's been pretty well
> understood since at least 2013.
>
> The only thing that's new is that Blackhat USA 2016 just occurred, and,
> as is traditional, somebody (Itzik[1] Kotler & Amit Klein) demo'ed stuff.
> The key to all this is that Netscape Corporation back in Netscape
> Navigator 2.0 days (1996) had a very, very bad idea:  proxy
> auto-configuration (PAC) and a Web Proxy Auto-Discovery Protocol (WPAD)
> for Web browsers.
> http://users.telenet.be/mydotcom/library/network/pac.htm
> https://en.wikipedia.org/wiki/Proxy_auto-config
> https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol
> https://web.archive.org/web/20110807125044/http://www.wlug.org.nz/WPAD
>
> PAC/WPAD has _always_ been ripe for abuse, and, starting 2013, people got
> around to doing so in a serious way.  And, in 2016, Kotler & Klein tied
> up how to do so in a neat bow.
>
> So:  Proxy auto-configuration is bad.
>
>
> There's a long history of building dangerous, overfeatured functionality
> by default into the Web.  See also:  Javascript.
>
>
> Jonathan de Boyne Pollard wrote more than a decade ago about these
> things (PAC and WPAD).
> http://jdebp.eu./FGA/web-browser-auto-proxy-configuration.html
> Quoting:
>
>   o  Only configure web browsers to use PAC scripts published by entities
>      that you trust.
>
>   o  Don't enable "DHCP-based" Web Proxy Auto-Discovery (WPAD) unless you
>      trust all of the DHCP servers on the network you are attaching to.
>
>   o  Don't enable "DNS-based" Web Proxy Auto-Discovery (WPAD) unless you
>      trust all of the content HTTP servers that could possibly be
>      contacted.
>
> I simply disable blanket-proxies.  Done.
> https://auth0.com/blog/heads-up-https-is-not-enough-when-using-wpad/
>
> Go forth and do ye likewise.
>
>
> Today's puzzler:  _Without_ Web-searching the phrase, can any
> non-Norwegians in present company guess what my .signature says?
>
>
> [1] Great name, Itzik (אִיצִיק).  Means 'laughter'.  Not that Amit (עָמִית)
> isn't nice too, mate.  (It means friend or, er, 'mate'.)
>
> --
> Cheers,                                      Luftputebåten min er full av ål.
> Rick Moen
> rick at linuxmafia.com
> McQ!  (4x80)
>
> _______________________________________________
> sf-lug mailing list
> sf-lug at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/sf-lug
> Information about SF-LUG is at http://www.sf-lug.org/
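As a worked illustration of the advice quoted above ("only use PAC scripts from entities you trust", "don't enable DHCP/DNS-based WPAD", "I simply disable blanket-proxies"), here is a small added audit script. It is not from Rick's post, from Jonathan de Boyne Pollard's page, or from the Ars article; it assumes the Firefox prefs.js/user.js format and Firefox's documented meaning of the network.proxy.type values (0 direct, 1 manual, 2 PAC URL, 4 WPAD auto-detect, 5 system). The "wpad" hostname check is a heuristic of my own, and the sample profile fragment is constructed for the demonstration.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Meaning of Firefox's network.proxy.type values (Firefox's own documented
# settings; the list post does not mention them).
PROXY_MODES = {
    0: "direct connection, no proxy",
    1: "manual proxy settings",
    2: "PAC script fetched from network.proxy.autoconfig_url",
    4: "auto-detect proxy settings (WPAD via DHCP/DNS)",
    5: "use system proxy settings (Firefox default)",
}

# Matches pref("name", value); and user_pref("name", value); lines.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text: str) -> Dict[str, str]:
    """Parse a prefs.js/user.js body into {pref name: raw value}."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        value = m.group(2).strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        prefs[m.group(1)] = value
    return prefs


def audit_proxy_prefs(text: str) -> List[str]:
    """Return findings about auto-proxy exposure; an empty list means none."""
    prefs = parse_prefs(text)
    findings: List[str] = []
    try:
        mode = int(prefs.get("network.proxy.type", "5"))  # 5 is the Firefox default
    except ValueError:
        return ["network.proxy.type is not an integer; profile may be corrupt"]

    if mode == 4:
        findings.append("WPAD auto-detect enabled (network.proxy.type=4): the browser "
                        "will run whatever PAC script DHCP or DNS on the current "
                        "network hands it")
    elif mode == 2:
        url = prefs.get("network.proxy.autoconfig_url", "")
        findings.append(f"PAC script configured (network.proxy.type=2): {url or '<unset>'}")
        parsed = urlparse(url)
        if parsed.scheme == "http":
            findings.append("PAC URL is fetched over plain HTTP, so anyone on the "
                            "path can replace the script")
        host = parsed.hostname or ""
        # Heuristic (my assumption): a 'wpad' host means the PAC URL was
        # derived from WPAD discovery rather than chosen deliberately.
        if host == "wpad" or host.startswith("wpad."):
            findings.append("PAC URL points at a 'wpad' host, i.e. the same "
                            "discovery name WPAD uses")
    elif mode == 5:
        findings.append("Firefox defers to the OS proxy settings (network.proxy.type=5); "
                        "audit those too (e.g. gsettings org.gnome.system.proxy mode)")
    return findings


def hardened_user_js() -> str:
    """user.js lines that pin Firefox to direct connections and drop any PAC URL."""
    return "\n".join([
        'user_pref("network.proxy.type", 0);',
        'user_pref("network.proxy.autoconfig_url", "");',
    ]) + "\n"


# Constructed sample profile fragment (not a real profile): WPAD enabled.
SAMPLE_PREFS = '''user_pref("browser.startup.homepage", "about:blank");
user_pref("network.proxy.type", 4);
'''

if __name__ == "__main__":
    for finding in audit_proxy_prefs(SAMPLE_PREFS):
        print("finding:", finding)
    print("hardened user.js:\n" + hardened_user_js())
```

Point it at ~/.mozilla/firefox/<profile>/prefs.js to check a real profile; mode 5 is flagged only as "go look at the OS settings", since that is where the actual WPAD decision then lives.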