This presentation discusses the importance, functionality, potential risks, and countermeasures related to automatic proxy configuration in organizations. It also includes live demos and conclusions for better understanding.
A Cautionary Note on Automatic Proxy Configuration
11th December 2003, CNIS 2003
Andreas Pashalidis
“There are probably thousands of organizations using automatic proxy configuration.” • Dr. Ian Cooper (editor of IETF “Web Proxy Auto-Discovery Protocol” Draft) e-mail excerpt, August 18th, 2003.
Agenda
• Why do we need it?
• How does it work?
• What can go wrong?
• What else can go wrong?
• Live demo!
• Countermeasures.
• Conclusions.
Why do we need it?
• We want selection to occur automatically & in real time!
• To eliminate manual configuration.
How does it work?
Just by ticking this checkbox!
What can go wrong?
Interception
Web spoofing
What else can go wrong?
• The attack can be massive or selective.
• The attack can be hidden (e.g. “use attack proxy only during weekends/for specific sites”).
• Web browsers cannot display the configuration.
What else can go wrong?
SSL/TLS Interception
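Added example (not from the original slides): because browsers do not display the configuration they fetched, a defender can audit the PAC file's source directly. This sketch lists every proxy a PAC script names, compares it against an approved list, and reports the time and host helpers that could hide a selective rule; the approved proxy, the sample PAC and all function names are constructed assumptions.

```javascript
// Static audit of a PAC (proxy auto-config) file's source text.
// APPROVED_PROXIES and SAMPLE_PAC are constructed values for illustration.
const APPROVED_PROXIES = new Set(["proxy.corp.example:8080"]);

// Standard PAC helper functions that make the answer depend on time or host.
const TIME_HELPERS = ["weekdayRange", "dateRange", "timeRange"];
const HOST_HELPERS = ["dnsDomainIs", "localHostOrDomainIs", "shExpMatch", "isInNet"];

// Constructed sample: the "weekends / specific sites" rule the slide describes.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (weekdayRange("SAT", "SUN") && dnsDomainIs(host, ".bank.example"))
    return "PROXY 203.0.113.7:3128";
  return "PROXY proxy.corp.example:8080; DIRECT";
}`;

// Names of the given helpers that are called anywhere in the source.
function helpersUsed(source, names) {
  return names.filter((n) => new RegExp("\\b" + n + "\\s*\\(").test(source));
}

function auditPac(source, approved = APPROVED_PROXIES) {
  // Match "PROXY host:port" style directives. Comments are not stripped, so
  // commented-out directives are reported too (over-reporting is the safe
  // side). Proxy strings assembled at run time are NOT detected by this scan.
  const directive = /\b(?:PROXY|SOCKS[45]?|HTTPS?)\s+([A-Za-z0-9.-]+:\d+)/g;
  const found = [...source.matchAll(directive)].map((m) => m[1].toLowerCase());
  const proxies = [...new Set(found)];
  const unapproved = proxies.filter((p) => !approved.has(p));
  return {
    proxies,                                              // every proxy named
    unapproved,                                           // not on the approved list
    timeConditional: helpersUsed(source, TIME_HELPERS),   // time-dependent logic
    hostConditional: helpersUsed(source, HOST_HELPERS),   // site-dependent logic
    suspicious: unapproved.length > 0,
  };
}

console.log(auditPac(SAMPLE_PAC));
```

Run it against the PAC file as the client actually receives it, since that is the copy the browser acts on.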
Countermeasures
• Authentication of proxy servers (realistic?)
• Firewalls (protection against outsiders).
• Use SSL/TLS to authenticate proxy, BUT
• New certificate type for this purpose.
• Change web browsers’ code path.
• Authentication failure = fatal error.
Conclusion
Think about these things before deploying an automatic proxy configuration solution.