Re: Bug#509063: ITP: libproxy -- automatic proxy configuration management library

* Emilio Pozuelo Monfort:

> Florian Weimer wrote:
>> Not enabling WPAD with DNS devolution goes a long way towards dealing
>> with this mess.
> Would you be fine if libproxy disabled WPAD by default? I think libproxy's
> developers are willing to do that, according to [1].

Well, it's not my package, so you don't have to listen to me.  I'm
also not speaking for the security team.  But I appreciate your
efforts to address my concerns.

From a PR point of view[1], I strongly suggest to disable it by
default, and implement only the partial form which is present in
Iceweasel (just look up "wpad.", and no DNS devolution).  If you
absolutely must implement full WPAD, do not hard-code the list of
TLDs/public suffixes, but use a separate Debian package which can be
part of volatile.  (Such a package might be useful on its own, even
though the public suffix list concept is subject to fierce debates.)

There might be another security issue in WPAD (I need to look into
this), but it doesn't affect the "wpad." variant.  This variant
suffers from the drawback that DNSSEC will eventually break it,

[1] Otherwise, every couple of months, someone will notice that our
TLD list is incomplete, and make a big fuss about it.
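As an added illustration of the two lookup schemes discussed in the message above (not code from the thread or from libproxy), the following computes which DNS names a client would query under the "wpad." only variant and under full DNS devolution. The public-suffix lists, the search domain and the `escaped_names` check are constructed for the example; the complete and incomplete lists stand in for the separately packaged suffix list the message proposes.

```python
# Which DNS names a WPAD client queries: "wpad." only vs. DNS devolution.
# Constructed stand-ins for a public-suffix list; the real list is far larger.
COMPLETE_SUFFIXES = {"uk", "co.uk", "com", "org"}
INCOMPLETE_SUFFIXES = {"uk", "com", "org"}   # "co.uk" deliberately missing


def wpad_simple(search_domain):
    """The 'wpad.' variant: one lookup in the client's search domain,
    no devolution at all."""
    return ["wpad." + search_domain.strip(".")]


def wpad_devolution(search_domain, public_suffixes):
    """Full WPAD: drop one leading label per step and query wpad.<parent>,
    stopping before a public suffix or a bare TLD. Returns the names in
    the order they would be queried."""
    labels = search_domain.strip(".").split(".")
    names = []
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        # A parent that is a public suffix (or a TLD) is not the
        # organisation's zone, so devolution must stop here.
        if parent in public_suffixes or len(labels) - i == 1:
            break
        names.append("wpad." + parent)
    return names


def escaped_names(search_domain, org_domain, public_suffixes):
    """Devolution candidates outside org_domain: a host answering for one
    of these is outside the organisation's control. With an incomplete
    suffix list this is non-empty, which is the risk the message describes."""
    org = org_domain.strip(".")
    return [n for n in wpad_devolution(search_domain, public_suffixes)
            if not n.endswith("." + org)]


if __name__ == "__main__":
    dom = "dept.example.co.uk"          # constructed search domain
    print(wpad_simple(dom))
    print(wpad_devolution(dom, COMPLETE_SUFFIXES))
    print(wpad_devolution(dom, INCOMPLETE_SUFFIXES))
    print(escaped_names(dom, "example.co.uk", INCOMPLETE_SUFFIXES))
```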

