
From the briefing:

  We will demonstrate that, by forcing your browser/system to use
  a malicious PAC (Proxy AutoConfiguration) resource, it is
  possible to leak HTTPS URLs.

Would be interesting to see the exploit in action. However, malicious PAC redirection has existed for a while [0].

What isn't quite clear is whether this would work even with HSTS sites.

The takeaway seems to be: never trust any unknown network.

[0] https://blogs.technet.microsoft.com/mmpc/2014/02/28/maliciou...



This PAC exploit was already published in 2015 in Russian: https://translate.google.com/translate?sl=ru&tl=en&u=https%3...


> never trust any unknown network

By that I'm guessing you mean local networks à la coffee shop/public Wi-Fi. What about networks that NSA/[insert three letter agency here] controls? Can PAC be affected by those?



