by c0nsumer
1276 days ago
How do you MITM HTTPS without control over the cert store on the client, or access to private keys that let you generate certs that are trusted? You don't, and the threat of this is nation-state-level stuff.

The article you link to posits a malicious PAC file which leaks the contents of request URIs. This is NOT the same as MITMing all HTTPS.

This is also an illustration of why, on devices such as this, it's good to layer security with things such as always-on VPN.

EDIT: The root of that article is decent, but it has so many problems... And it starts tacking on the caveats about how it's wrong near the bottom. Like:

"The two researchers showed that some widely used VPN clients, like OpenVPN, do not clear the Internet proxy settings set via WPAD. This means that if attackers have already managed to poison a computer’s proxy settings through a malicious PAC before that computer connects to a VPN, its traffic will still be routed through the malicious proxy after going through the VPN."

This only works if the VPN client doesn't rewrite the routing table to send everything through the tunnel. And if they keep the OS' network state detection from noticing a state change, which in turn triggers a proxy setting refresh. (WinHttpWebProxyAutoSvc specifically does this.)
Re VPNs .. quoting from the pcworld article:
> The two researchers showed that some widely used VPN clients, like OpenVPN, do not clear the Internet proxy settings set via WPAD. This means that if attackers have already managed to poison a computer’s proxy settings through a malicious PAC before that computer connects to a VPN, its traffic will still be routed through the malicious proxy after going through the VPN.
I maintain that WPAD is terrible from a security POV; an OS has no business executing untrusted configuration JavaScript in my web browser. You can just exploit browser bugs there without the user navigating anywhere untrusted, like shown here: https://googleprojectzero.blogspot.com/2017/12/apacolypse-no...