<SNIP>
>
> The browser is 100% unaware of the proxy's existence and the page being
> fetched from a different server than its TCP connection was sent to.
> All the IP level security the browser uses to check same-origin is
> bypassed silently. All the DNSSEC, IP-based firewall rules, etc. which
> the LAN administrator may have set up for that client to make use of are
> also bypassed silently unless replicated in proxy config.
> I'm not sure which of the two is more serious, but leaning slightly
> towards the firewall bypasses being worse nowadays since browsers have
> improved their checking a bit too along the same lines as the squid checks.
>
> It is possible for a website JS (i.e. advert) to fetch a malicious page
> using a benign TCP connection to a safe IP address and a Host: with
> malicious server name. The result corrupts the browser cache with a
> phishing-style page and gives open access to any private details
> (credentials, cookies, local browser state) to the malicious website
> server.
>
> The only real solution is to avoid using an interception or transparent
> proxy completely (or use it only to bounce clients to a "how to
> configure your browser" page as per the ZeroConf wiki example). But the
> 3.2 changes raise the difficulty for attackers and go a long way towards
> avoiding collateral damage to the rest of the LAN clients from such
> attacks.
>
> Amos
>
Thanks Amos,
I wasn't sure that I got it right but it seems like my logic was right
after all.
But if anyone does use firewall + intercept proxy, he will most likely
manage the proxy ACLs to match the local security policy, other than the
firewall.
Regards,
Eliezer
-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il

Received on Sat Aug 18 2012 - 17:58:21 MDT
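A simplified sketch of the Host-versus-destination check discussed in the thread above, added here as an example; it is not Squid's code and not from either poster. The DNS table, the sample requests and the function names are constructed, and the policy on mismatch (send the request only to the IP the client actually connected to, and do not cache the reply) is an assumption of this sketch.

```python
import ipaddress

# Constructed DNS view as the proxy would see it (documentation address ranges).
DNS = {"safe.example": {"192.0.2.10"}, "evil.example": {"203.0.113.66"}}


def parse_host(raw_request: bytes) -> str:
    """Return the single Host header value, lower-cased, without any port."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    hosts = [line.split(":", 1)[1].strip()
             for line in head.split("\r\n")[1:]          # skip the request line
             if line.lower().startswith("host:")]
    if len(hosts) != 1:
        raise ValueError("expected exactly one Host header")
    host = hosts[0].lower()
    if host.startswith("["):        # bracketed IPv6 literal, e.g. [2001:db8::1]:80
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0].rstrip(".") if ":" in host else host.rstrip(".")


def verify_intercepted(raw_request: bytes, orig_dst_ip: str,
                       resolve=lambda name: DNS.get(name, set())) -> dict:
    """Compare the Host header with the IP the intercepted TCP connection targeted.

    orig_dst_ip is the pre-NAT destination address of the client's connection.
    """
    dst = ipaddress.ip_address(orig_dst_ip)
    host = parse_host(raw_request)
    try:
        # Host given as an IP literal: it must equal the destination itself.
        candidates = {ipaddress.ip_address(host)}
    except ValueError:
        # Host given as a name: the destination must be one of its addresses.
        candidates = {ipaddress.ip_address(a) for a in resolve(host)}
    verified = dst in candidates
    # Never let the Host header choose the upstream server; an unverified
    # reply must also stay out of the cache shared with other LAN clients.
    return {"host": host, "verified": verified,
            "forward_to": str(dst), "cacheable": verified}


# Constructed requests: both arrive on a connection to 192.0.2.10.
HONEST = b"GET /login HTTP/1.1\r\nHost: safe.example:80\r\n\r\n"
FORGED = b"GET /login HTTP/1.1\r\nHost: evil.example\r\n\r\n"
```
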
This archive was generated by hypermail 2.2.0 : Sun Aug 19 2012 - 12:00:03 MDT