1 / 33

A Cautionary Note on Automatic Proxy Configuration

A Cautionary Note on Automatic Proxy Configuration. 11 th December 2003 CNIS 2003 Andreas Pashalidis. “There are probably thousands of organizations using automatic proxy configuration.” Dr. Ian Cooper (editor of IETF “Web Proxy Auto-Discovery Protocol” Draft)

risa
Télécharger la présentation

A Cautionary Note on Automatic Proxy Configuration

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Cautionary Note on Automatic Proxy Configuration 11th December 2003 CNIS 2003 Andreas Pashalidis

  2. “There are probably thousands of organizations using automatic proxy configuration.” • Dr. Ian Cooper (editor of IETF “Web Proxy Auto-Discovery Protocol” Draft) e-mail excerpt, August 18th, 2003.

  3. Agenda • Why do we need it ? • How does it work ? • What can go wrong ? • What else can go wrong ? • Live demo ! • Countermeasures. • Conclusions.

  4. Agenda • Why do we need it ? • How does it work ? • What can go wrong ? • What else can go wrong ? • Live demo ! • Countermeasures. • Conclusions.

  5. Why do we need it ?

  6. Why do we need it ? We want selection to occur automatically & in real time!

  7. Why do we need it ? To eliminate manual configuration.

  8. Agenda • Why do we need it ? • How does it work ? • What can go wrong ? • What else can go wrong ? • Live demo ! • Countermeasures. • Conclusions.

  9. How does it work ? Just by ticking this checkbox!

  10. How does it work ?

  11. How does it work ?

  12. How does it work ?

  13. How does it work ?

  14. How does it work ?

  15. How does it work ?

  16. How does it work ?

  17. How does it work ?

  18. Agenda • Why do we need it ? • How does it work ? • What can go wrong ? • What else can go wrong ? • Live demo ! • Countermeasures. • Conclusions.

  19. What can go wrong ?

  20. What can go wrong ? Interception Web spoofing

  21. What can go wrong ? Interception Web spoofing

  22. What can go wrong ? Interception Web spoofing

  23. What can go wrong ?

  24. What can go wrong ?

  25. Agenda • Why do we need it ? • How does it work ? • What can go wrong ? • What else can go wrong ? • Live demo ! • Countermeasures. • Conclusions.

  26. What else can go wrong ? • The attack can be massive or selective. • The attack can be hidden. (e.g. “use attack proxy only during weekends/for specific sites”) • Web browsers cannot display the configuration.

  27. What else can go wrong ? SSL/TLS Interception

  28. Agenda • Why do we need it ? • How does it work ? • What can go wrong ? • What else can go wrong ? • Live demo ! • Countermeasures. • Conclusions.

  29. Agenda • Why do we need it ? • How does it work ? • What can go wrong ? • What else can go wrong ? • Live demo ! • Countermeasures. • Conclusions.

  30. Countermeasures • Authentication of proxy servers (realistic?) • Firewalls (protection against outsiders). • Use SSL/TLS to authenticate proxy, BUT • New certificate type for this purpose. • Change web browsers’ code path. • Authentication failure = fatal error.

  31. Agenda • Why do we need it ? • How does it work ? • What can go wrong ? • What else can go wrong ? • Live demo ! • Countermeasures. • Conclusions.

  32. Conclusion Think about these things before deploying an automatic proxy configuration solution.

  33. Thanks!Questions?

More Related