You are definitely right. WPAD can be used for MiM attacks. But ARP spoofing or DNS poisoning already allow one to do such bad things. WPAD can be secured with HTTPS with certificate validation.
Anyway, for Jolla, what we need, in order of priority, is:
- 1. manual proxy settings
- 2. autoconfiguration with URL (PAC ability)
- 3. autodiscovery of PAC with WPAD
Putting the default value to "no proxy" should be sufficient to secure people who don't trust WPAD.