How To: Disable WPAD on Your PC So Your HTTPS Traffic Won’t Be Vulnerable to the Latest SSL Attack

You may not know what HTTP is exactly, but you definitely know that every single website you visit starts with it. Without the Hypertext Transfer Protocol, there’d be no easy way to view all the text, media, and data that you’re able to see online. However, all HTTP communication between your browser and a website is unencrypted, which means it can be eavesdropped on.

This is where HTTPS comes in, the “S” standing for “Secure.” It’s an encrypted way to communicate between browser and website so that your data stays safe. While it was used mostly in banking, shopping, and other high-security situations, it’s now common for many websites such as Facebook, Google, and even Wikipedia to protect your information with HTTPS. And it’s most important when you’re browsing the internet on free Wi-Fi hotspots, guest networks, and other non-private access points.

But that “security” isn’t so secure anymore, thanks to some security researchers who will be presenting at this year’s Black Hat security conference in Las Vegas.

You’re in a potentially malicious network (free WiFi, guest network, or maybe your own corporate LAN). You’re a security conscious netizen so you restrict yourself to HTTPS (browsing to HSTS sites and/or using a “Force TLS/SSL” browser extension). All your traffic is protected from the first byte. Or is it?

[B]y forcing your browser/system to use a malicious PAC (Proxy AutoConfiguration) resource, it is possible to leak HTTPS URLs. . . . We will present the concept of “PAC Malware” (a malware which is implemented only as Javascript logic in a PAC resource) that features: a 2-way communication channel between the PAC malware and an external server, contextual phishing via messages, denial-of-service options, and sensitive data extraction from URI’s.

Talking with Ars Technica, Itzik Kotler of SafeBreach clarified:

We show that HTTPS cannot provide security when WPAD is enabled. Therefore, a lot of people are actually exposed to this attack when they engage in browsing via non-trusted networks.

What does all this mean exactly, in layman’s terms? What you actually do on those HTTPS sites is still safe from prying eyes, but the full URL that you visit is not. It sounds innocent enough, but if that URL contains a security token, it could allow hackers to gain full control of your account. WPAD is fairly simple for hackers to take advantage of, with MitM tools easily available for Metasploit, and it has been exploited before in other ways.
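To make the URL point concrete, here is an added example (not from the original article or the researchers' work): a PAC file is JavaScript whose FindProxyForURL function is handed the URL of each request, so a token in the query string reaches it unless the client first strips HTTPS URLs down to their origin. The PAC body, hostnames and token are constructed sample values, and sanitizeUrlForPac, resolveProxy and pacSeesSecret are hypothetical helper names.

```javascript
// Added illustration: what a PAC script is handed for each request, and the
// effect of stripping HTTPS URLs down to their origin before PAC evaluation.
// The PAC body, URLs and token below are constructed sample values.

// A PAC file defines FindProxyForURL(url, host). This benign sample only
// records its arguments so we can inspect what it was given.
const seenByPac = [];
function FindProxyForURL(url, host) {
  seenByPac.push({ url, host });
  return "DIRECT";
}

// Defensive step: for https (and wss) URLs, pass only scheme://host[:port]/
// so path, query, fragment and embedded credentials never reach the PAC.
function sanitizeUrlForPac(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol === "https:" || u.protocol === "wss:") {
    return `${u.protocol}//${u.host}/`;
  }
  // Plain HTTP is already readable on the wire; still drop credentials
  // and the fragment before handing the URL over.
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Resolve a proxy the way a client would, with or without sanitizing.
function resolveProxy(rawUrl, { sanitize }) {
  const host = new URL(rawUrl).hostname;
  const urlForPac = sanitize ? sanitizeUrlForPac(rawUrl) : rawUrl;
  return { urlForPac, decision: FindProxyForURL(urlForPac, host) };
}

// Report whether the URL handed to the PAC still carries the secret.
function pacSeesSecret(rawUrl, secret, sanitize) {
  return resolveProxy(rawUrl, { sanitize }).urlForPac.includes(secret);
}

// Constructed example: a password-reset link with a token in the query string.
const RESET_LINK =
  "https://accounts.example.com/reset?user=alice&token=CONSTRUCTED-TOKEN-123";

console.log("unsanitized:", pacSeesSecret(RESET_LINK, "CONSTRUCTED-TOKEN-123", false));
console.log("sanitized:  ", pacSeesSecret(RESET_LINK, "CONSTRUCTED-TOKEN-123", true));
```

With sanitizing on, the PAC still learns which host you are contacting, which is enough to choose a proxy, but not the path or query string.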

This attack can be carried out on Linux, Mac, or Windows systems, but primarily the latter, since Windows is the only one where WPAD is enabled by default, with Internet Explorer. WPAD is not automatically enabled in Mac OS X or Linux, nor in the Safari, Chrome, or Firefox browsers, so you shouldn’t have to do anything on your end to protect yourself unless you use Microsoft Windows.
