[chunkyks]

We have a security proxy at work that gives you the bits, but then holds the connection open while it does a scan, then resets the connection if it doesn't like something inside. Both Chrome and Firefox [haven't tried IE/Edge, but I assume that they'll do something that the proxy vendor would want] infer [or are told?] that the connection broke and delete the interim file. Unfortunately, with zip files, the header is at the end; so it can't do scanning until the whole file is down.

For me, the easiest way to mitigate it turned out to be to use wget [with an appropriate user-agent... say, the same as my desktop browser]. wget Gets the bits, but doesn't in any way molest the "partial" download when the connection resets. Then it tries to download the rest using the "Range" HTTP header, and the server says "oh, dude, you already got the whole thing"; wget declares success, and all the bits are in my download folder.

I believe that we pay, like, a lot for this proxy, which is annoying on two counts: 1) If I can get past it trivially, then presumably competent attackers can, too, and 2) Sometimes it takes a dislike to legitimate stuff, which is how I was forced to learn how to get around it.

[jcims]

Those controls on a proxy are to protect against the careless and the clueless. No competent security team will rely on them to prevent ingress/egress of data or malicious code by skilled individuals.

[bentcorner]

Correct - this is an attack on the other side of the airtight hatchway (i.e., you must persuade the user to run wget in a certain fashion and run the resulting exe, and if you don't need to persuade the user you could have done something simpler).

https://devblogs.microsoft.com/oldnewthing/20170130-00/?p=95...

[hoseja]

I am continuously appalled at the gall of calling that hatchway "airtight".

[fuzzy2]

That's not how these proxies usually work. They only give you enough bytes so the browser doesn't feel stuck while downloading everything and scanning it. The download then suddenly continues at 100 or even 1000 Mbit/s.

[chunkyks]

Indeed that's what I've experienced in the past. But I'm telling you this, for sure, based on my experience downloading a 200M tensorflow wheel the other day.