
incident with proxy autodiscovery at conference HAR2009


Georgi Guninski

Aug 21, 2009, 7:04:46 AM
to dev-se...@lists.mozilla.org
just FYI

HAR2009 [1] is a large European hacking conference

according to [2]

>I asked myself what would happen if I could register the name
>wpad.visitors.har2009.net?

>Well, I have done so. And I have set up an appropriate proxy that
>intercepts all traffic that passes this machine. After 24 hours, there
>were more than 800 different hosts using this malicious proxy server
>... That’s quite impressive as this is about 20 percent of the
>visitors!


[1] https://wiki.har2009.org/page/Main_Page
[2] http://benjamin-schweizer.de/sniffing-http-traffic-at-har2009.html

Jean-Marc Desperrier

Aug 25, 2009, 4:46:08 AM
Georgi Guninski wrote:
>> I asked myself what would happen if I could register the name
>> wpad.visitors.har2009.net?
>> Well, I have done so. And I have set up an appropriate proxy that
>> intercepts all traffic that passes this machine. After 24 hours, there
>> were more than 800 different hosts using this malicious proxy server
>> ... That’s quite impressive as this is about 20 percent of the
>> visitors!
> [...]
> [2] http://benjamin-schweizer.de/sniffing-http-traffic-at-har2009.html

Acting on this at the browser level would require severely castrating
the wpad protocol, without much security gain.

The conclusion is that it's the DNS server that should be wpad aware and
only allow an authenticated administrator to register the wpad name, or
else there's a big security problem.
If we go this route, then maybe we can also add a way for the DNS server
to signal to the browser that it implements this security, and wpad is secure.

But at another level, you can also think that it's not necessarily much
of an improvement if it's the har2009 admin who logs your traffic
instead of some random guy.

So the final conclusion is that it's insecure transmission of sensitive
information that should be eradicated, solving the root problem.
Maybe publicising this incident is a good way to increase recognition of
the importance of this issue.
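
The DNS-side policy suggested in the message above (only an authenticated administrator may register the wpad name), sketched as an added example that is not part of the original post or of any real DNS server. The record layout, the `ADMINS` set, the function names and the two-label devolution floor are assumptions; the sample records are constructed.

```python
# Added example: reserved-label policy for dynamic DNS registrations, plus an
# audit of existing records. Not any real DNS server's API; all names here
# (ADMINS, allow_registration, wpad_candidates, audit) are hypothetical.
RESERVED_LABELS = {"wpad"}   # leftmost labels only an admin may register
ADMINS = {"dnsadmin"}        # assumed set of authenticated admin principals

def normalize(fqdn):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return fqdn.rstrip(".").lower()

def allow_registration(fqdn, principal):
    """True if `principal` may register `fqdn`; None means unauthenticated."""
    if normalize(fqdn).split(".")[0] in RESERVED_LABELS:
        return principal in ADMINS
    return True

def wpad_candidates(client_suffix, min_labels=2):
    """Names a WPAD client may query via DNS devolution, most specific first.

    min_labels=2 assumes devolution stops above the TLD (an assumption;
    older clients could walk further up).
    """
    labels = normalize(client_suffix).split(".")
    return ["wpad." + ".".join(labels[i:])
            for i in range(len(labels) - min_labels + 1)]

def audit(records, client_suffix):
    """Return existing records on a WPAD candidate name not owned by an admin."""
    watched = set(wpad_candidates(client_suffix))
    return [r for r in records
            if normalize(r["name"]) in watched and r["owner"] not in ADMINS]

# Constructed sample zone contents (addresses from documentation ranges).
SAMPLE_RECORDS = [
    {"name": "www.har2009.net.", "owner": "dnsadmin", "addr": "192.0.2.10"},
    {"name": "laptop42.visitors.har2009.net.", "owner": None, "addr": "198.51.100.42"},
    {"name": "WPAD.visitors.har2009.net.", "owner": None, "addr": "198.51.100.77"},
]

if __name__ == "__main__":
    for rec in audit(SAMPLE_RECORDS, "visitors.har2009.net"):
        print("unauthorised WPAD record:", normalize(rec["name"]), rec["addr"])
```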

Georgi Guninski

Aug 25, 2009, 7:55:18 AM
to Jean-Marc Desperrier, dev-se...@lists.mozilla.org
On Tue, Aug 25, 2009 at 10:46:08AM +0200, Jean-Marc Desperrier wrote:
> Maybe publicising this incident is a good way to increase recognition of
> the importance of this issue.

the link is a public blog so this is public.
