Re: [squid-users] Wiki help for WPAD/PAC stuff (was Re: [squid-users] proxy.pac config)

From: K K <kkadow@dont-contact.us>
Date: Wed, 16 May 2007 01:17:17 -0500

I'll take a look at the updated Wiki later today.

On 5/15/07, SSCR Internet Admin <admin@sscrmnl.edu.ph> wrote:
> >>However, if the browser is not configured to use a PAC
> >>file but a PAC file is delivered it brings up a
> >>Security Alert because the browser never requested it.
> >>I know the old Netscape browsers did this but am not
> >>sure about IE.
>
> Well, I'm sure local users will accept it happily by clicking OK; if not, they
> don't have access. :)

The Netscape alert doesn't give the option to accept the PAC; it just
gives a warning that an unsolicited PAC was received. If there were a
trivial way to reconfigure browsers to use a PAC just by returning the
right ActiveX or Java, then we'd see all sorts of malicious sites
using that technique to force random Internet users to use the
attacker's proxy.

So how do you force your users to use the PAC?

What you can do is make sure your DHCP server and DNS are set up to be
fully compatible with WPAD, and then if any clients do make an attempt
to go DIRECT, return a web page containing:

1) Text instructing how to correctly enable WPAD and/or how to
configure PAC in the most popular browsers.
2) A link to a .REG file which forces the registry settings for IE to
use PAC on Microsoft Windows clients.
3) Instructions for manual configuration, for UNIX and for ancient
MacOS clients.

Even with all of this, expect to get plenty of support calls from
confused users.

I manage an environment with tens of thousands of internal customers,
and all default-route HTTP/HTTPS/SMTP/etc. traffic is denied. The only
exception is for a couple of really braindead clients that are
downright proxy-hostile; maybe a half dozen workstations total have an
exception to the policy.

Kevin

(P.S. Think carefully before conditioning users to accept REG files
from strangers).
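As an added illustration of the setup Kevin describes (a PAC served via WPAD on a network where the default route is denied), here is a PAC file written for this archive page; it is not code from the thread or from the Squid project. The proxy names and port (proxy.example.com:3128, proxy2.example.com:3128) and the internal DNS suffix example.com are assumptions. The helpers inDomain() and isPrivateLiteral() are defined in the file itself rather than relying on the browser-supplied dnsDomainIs()/isInNet(), so the same file evaluates identically in a browser and under Node, and dnsDomainIs()'s well-known suffix pitfall (it treats "evilexample.com" as matching "example.com") is avoided.

```javascript
// Added example (not from the original thread): a PAC file for a network
// where the default route is blocked and only the proxy reaches the
// Internet. Proxy names, port and the internal domain are assumptions.

var PROXIES = "PROXY proxy.example.com:3128; PROXY proxy2.example.com:3128";
var INTERNAL_DOMAIN = "example.com"; // assumed corporate DNS suffix

// True when host is exactly `domain` or a sub-domain of it. Unlike the
// browser-supplied dnsDomainIs(), a bare suffix match is not enough:
// "evilexample.com" is NOT inside "example.com".
function inDomain(host, domain) {
    host = host.toLowerCase();
    domain = domain.toLowerCase();
    return host === domain ||
        (host.length > domain.length &&
         host.slice(-(domain.length + 1)) === "." + domain);
}

// True when host is a dotted-quad literal in RFC 1918 space or loopback.
// Pure string/number checks: no DNS lookups, unlike isInNet().
function isPrivateLiteral(host) {
    var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
    if (!m) return false;
    var a = +m[1], b = +m[2];
    if (a === 10) return true;                        // 10.0.0.0/8
    if (a === 172 && b >= 16 && b <= 31) return true; // 172.16.0.0/12
    if (a === 192 && b === 168) return true;          // 192.168.0.0/16
    if (a === 127) return true;                       // 127.0.0.0/8
    return false;
}

// Entry point every PAC-capable browser calls for each request.
function FindProxyForURL(url, host) {
    // Plain host names (no dot) are intranet: go DIRECT.
    if (host.indexOf(".") === -1) return "DIRECT";
    // Internal domain and private address literals: DIRECT.
    if (inDomain(host, INTERNAL_DOMAIN)) return "DIRECT";
    if (isPrivateLiteral(host)) return "DIRECT";
    // Everything else goes to the proxy. Deliberately no "; DIRECT"
    // fallback: with the default route denied, DIRECT can only fail, and a
    // proxy error page is far easier for users and helpdesk to recognise
    // than a connection that silently times out.
    return PROXIES;
}
```

For WPAD discovery the file is served as http://wpad.<your-dns-suffix>/wpad.dat (and/or advertised through DHCP option 252) with the Content-Type application/x-ns-proxy-autoconfig. The .REG file mentioned in item 2 above would point Internet Explorer at the same URL via the AutoConfigURL string value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings. Because WPAD trusts whatever wpad.<suffix> resolves to, make sure that name exists in your own DNS for every search suffix your clients use, so nobody else can register it first.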
Received on Wed May 16 2007 - 00:17:21 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Jun 01 2007 - 12:00:05 MDT