A Cautionary Note on Automatic Proxy Configuration

A. Pashalidis (UK)


web proxy, web security, proxy-based attack, authentication, web spoofing


Web proxies can be used for a variety of services. Web browsers typically offer the option not only to statically configure a web proxy, but also to download proxy settings dynamically from the Internet. Unfortunately, the supporting infrastructure does not enable the browsers to properly authenticate the origin of these proxy settings. This inadequacy provides an opportunity for an attacker to interpose his own proxy between a client device and the web. The scope of potential harm includes wholesale or selective interception of web traffic, and web spoofing. In a practical setting the attack works even in the presence of SSL/TLS channels that are supposed to protect against interception and modification. Depending on the presence and configuration of a firewall, attacks can be launched by outsiders as well as by insiders. This paper examines various attack scenarios and proposes countermeasures to these attacks.

Important Links:

Go Back