On Mon, 2016-05-09 at 14:35 +0200, Bjørn Mork wrote:
> David Woodhouse <[email protected]> writes:
> > There are users in corporate networks who *have* to use the proxies,
> > because direct connections to the outside world don't work.
>
> Yes, and those networks will use DHCP to configure proxies. Anything
> else would be crazy.

Yeah, because corporate IT is *never* crazy. :)

I am fairly sure that our lot *don't* advertise the proxy with option 252. I also suspect I'd get nowhere in *asking* them to, since it isn't required for Windows. I suppose I could try; they are actually quite good these days.

But even if I fix it for my own users, that doesn't solve the general case. I already *had* a hackish solution in a NM dispatcher script to automatically detect being on *our* corporate network and prod the right configuration into PacRunner.

And we *need* the general case to be solved. Because until PacRunner/libproxy actually gives sane results in a reliable fashion, I don't get to change distro packaging guidelines to read "Thou shalt use libproxy by default". And without things actually *using* it, none of this stuff actually makes any difference at all :)

> > Sure, a rogue network could still advertise intel.com in the search
> > domains in its DHCP response, and provide its own PAC content. But then
> > again, it could have just given you a DHCP option 252. Once the
> > attacker has *that* much control, I think you lost the game already.
>
> Yes, a rogue network is one thing. No way to protect yourself there
> of course.
>
> The problem with using DNS for proxy config is that you aren't even
> safe on a trusted network, unless you are very careful about which
> domain names you use. Most users won't know that their choice of
> host name might have security implications. Because it shouldn't.

True. But we're not talking about *always* using the corporate wpad when we're outside the corporate network — only when the local DHCP server actually gives $COMPANY.com in the list of DNS search domains.

And yes, a rogue network *could* do that... but as noted, we lose that game anyway.

-- 
dwmw2
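
The policy discussed in the message above, sketched in Python as an added example (not code from this thread, NetworkManager, PacRunner or libproxy): DNS-based WPAD is attempted only when a search domain supplied by DHCP exactly matches a locally configured corporate domain. It assumes DHCP option 252 takes priority when present; `CORPORATE_DOMAINS`, `choose_pac_url` and all `example.com` values are hypothetical.

```python
# Added illustration. CORPORATE_DOMAINS stands in for "$COMPANY.com" and is a
# constructed placeholder; nothing here is taken from an existing project.
CORPORATE_DOMAINS = {"example.com"}


def _norm(domain):
    """Lower-case a DNS name and drop surrounding whitespace and the root dot."""
    return domain.strip().rstrip(".").lower()


def choose_pac_url(option_252, search_domains, corporate=CORPORATE_DOMAINS):
    """Pick a PAC URL for one DHCP lease; returns (url_or_None, reason)."""
    # 1. An explicit DHCP option 252 wins (assumed priority). Servers often
    #    pad the value with a NUL or newline, so strip those first.
    url = (option_252 or "").strip("\x00 \t\r\n")
    if url:
        return url, "dhcp-option-252"

    # 2. Otherwise fall back to DNS WPAD, but only for a search domain that is
    #    exactly a configured corporate domain. No suffix or substring
    #    matching, so "example.com.attacker.test" and "notexample.com" fail.
    trusted = {_norm(d) for d in corporate}
    for domain in search_domains:
        name = _norm(domain)
        if name in trusted:
            return "http://wpad.%s/wpad.dat" % name, "dns-wpad-search-domain"

    # 3. Nothing trustworthy was offered: do not guess a WPAD host name.
    return None, "no-proxy-config"


if __name__ == "__main__":
    # Constructed sample leases: (option 252 value, DNS search domain list).
    leases = [
        ("http://proxy.example.com/proxy.pac\n", ["example.com"]),
        (None, ["home.lan", "Example.COM."]),
        ("", ["example.com.attacker.test", "notexample.com"]),
    ]
    for opt, domains in leases:
        print(domains, "->", choose_pac_url(opt, domains))
```
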
