Hacker News new | ask | show | jobs
by pritambaral 1046 days ago
> Work around that.

Easy. I use HTTP/3.

No, really, HTTP and SOCKS proxies cannot carry QUIC traffic, so browsers don't even try. They just send it right through.

If you block UDP, I guess I can still try DNS for exfil. HTTP proxies don't support DNS, and browsers need to be explicitly configured to proxy DNS through SOCKS, if the SOCKS proxy even supports it. Chances are, DNS exfil will work.

Now, if you were to do what I do to disable network access, then I'd have no chance: network namespace in a jail with zero network interfaces (not even loopback).
1 comments
remram 1046 days ago
I'm going to need a bug tracker link for that, it seems to dumb to be true. Surely they would just not use HTTP/3 if they can't do it through the configured proxy. I wouldn't bet my life on it though, I have seen dumber bugs.

edit: tested this the old-fashioned way with Firefox 116.0.3 on Ubuntu and nginx 1.25.1. Firefox does connect over HTTP 3 and CORRECTLY DOESN'T CONNECT AT ALL with a (bad) proxy configured. You are spreading FUD.

My Chrome 115.0.5790.170 doesn't seem to use HTTP 3 at all.

link
pritambaral 1046 days ago
> Surely they would just not use HTTP/3 if they can't do it through the configured proxy.

That's what I thought, at first. But, back when Chrome introduced QUIC, this was a known phenomenon in proxy-restricted but not-UDP restricted setups. I doubt I'd be able to find a bug report for it, given Google's nature, but there's a few reports[1][2][3] by proxy vendors asking for QUIC to be disabled or traffic will go through, even when Chrome is configured to use a proxy.

And here's[4] a user report with the same observation, with Chrome connecting directly to its mothership without going through the configured proxy. The user reports successful blocking upon disabling QUIC

1: https://www.currentware.com/support/disable-quic/

2: https://support.umbrella.com/hc/en-us/articles/360051232032-...

3: https://support.forcepoint.com/customerhub/s/article/0000154...

4: https://superuser.com/questions/1688524/why-google-com-doesn...

> You are spreading FUD.

I assure you, I had no such intention. I was just reporting from memory, of years ago, back when I was in college and had to deal with a proxy-restricted network, and QUIC was being rolled out.

> My Chrome 115.0.5790.170 doesn't seem to use HTTP 3 at all.

Maybe your Chrome has HTTP/3 blocked for some reason. Or, more likely, Chrome supports a different draft of the HTTP/3 spec than the server you're testing against. It has a history of doing that too.

link
remram 1045 days ago
Your links point to people and services using intercepting proxies, not configuring one in their browsers. Techniques intercepting TCP traffic and redirecting it to a proxy will not work when the traffic is UDP. This is not a browser issue.

In this thread we were talking about the user willingly configuring a proxy in the browser or OS.

link
pritambaral 1045 days ago
> Your links point to people and services using intercepting proxies, not configuring one in their browsers.

Sorry, I didn't look too closely through any of those links, because I never used those specific products myself.

But I do clearly remember this being an issue for me back in the day. So I dug further. You'll be happy to see this bug report[1] and this commit[2]. Note these words from a Chromium dev: "This code was written when we discovered a problem with QUIC bypassing proxies."

1: Issue 389684: QUIC bypasses proxy settings | https://bugs.chromium.org/p/chromium/issues/detail?id=389684

2: Issue 217783003: Do not use QUIC for requests that are through a proxy. | https://codereview.chromium.org/217783003

link
remram 1044 days ago
Thanks! This is scary, however you'll agree that a bug on Chrome closed 6 years ago is a far cry from your claim that "HTTP and SOCKS proxies cannot carry QUIC traffic, so browsers don't even try. They just send it right through" present tense. Still thank you for finding this reference, it is a sign that setting a proxy in your system is not as secure as a firewall/netns.
link
pritambaral 1044 days ago
> however you'll agree ... present tense

Yeah, I agree. I should've checked the validity before posting it, instead of just going by memory from years ago.

> ... finding this reference ...

It was a lot more effort than I'd have liked to put into my original comment, but hey, I was ticked off by your accusation of spreading FUD. Also didn't help that search engines today aren't what they used to be.

link