
PAC attacks using HTTPS! VPN for rescue


Introduction: What I discuss below falls within the realm of computer networking. As such, it is complicated, has a learning curve and may require homework, time and patience to understand. But as usual, I've tried to translate the technology into something reasonably easy to understand, and I've provided some useful reference links.

Open Wi-Fi hotspots are not our friend

Using open, no-password-required Wi-Fi hotspot routers is dangerous. It's trivial for anyone else on the router to spy on all of your internet activity. There are several tools for the job on all computing platforms. So what do you do?

Using HTTPS online is a generally reliable way to encrypt your connections, so that spying hackers only see gibberish passing between your computer and the destination. It's great, except that many servers still use old SSL (Secure Sockets Layer) protocols that are no longer secure, and there are older browsers that still allow SSL to be used. The replacement technology is TLS (Transport Layer Security), which is significantly safer but not perfect yet. For general web access on a Wi-Fi hotspot, HTTPS via TLS should be sufficient.

Except this happened:

New Attack Exceeds HTTPS Protection on Mac, Windows, and Linux
Hack may be carried out by Wi-Fi hotspot operators where HTTP is most needed.
– DAN GOODIN, Ars Technica – 7/26/2016, 1:14 PM

The most likely way the attack can be performed is for a network operator to send a malicious response when a computer uses the dynamic host configuration protocol to connect to a network. In addition to issuing addresses, DHCP can be used to set up a proxy server that browsers will use when trying to access specific URLs. This attack technique works by forcing the browser to obtain a proxy autoconfig (PAC) file which specifies which types of URLs will trigger the use of the proxy. Because the malicious PAC code receives the request before the HTTPS connection is created, the attackers get the full URL in plain text…

(emphasis mine).

This is a pretty sophisticated attack at the moment.
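
To make the exposure concrete, here is an added example (not from the original post or the quoted article) of what a PAC script is handed for an HTTPS request, and of the kind of browser-side fix that trims the URL before the script sees it. FindProxyForURL is the standard PAC entry point; the other function names and the sample URL are constructed for illustration.

```javascript
// Added example: what a PAC script receives, with and without URL trimming.
// FindProxyForURL(url, host) is the standard PAC entry point; all other names
// and the sample URL are constructed for illustration.

// A benign PAC script that records its inputs so the exposure can be inspected.
const seenByPac = [];
function FindProxyForURL(url, host) {
  seenByPac.push({ url, host });
  return "DIRECT";
}

// Mitigation: for https:// (and wss://) reduce the URL to scheme://host[:port]/
// so path, query string, fragment and embedded credentials never reach the PAC.
function trimUrlForPac(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol === "https:" || u.protocol === "wss:") {
    return `${u.protocol}//${u.host}/`;
  }
  // Plain http is already readable on the wire; drop only credentials/fragment.
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.toString();
}

// Browser-side proxy lookup: trim=false models the unpatched behaviour,
// trim=true the patched one.
function resolveProxy(rawUrl, { trim }) {
  const u = new URL(rawUrl);
  const pacUrl = trim ? trimUrlForPac(rawUrl) : rawUrl;
  return { decision: FindProxyForURL(pacUrl, u.hostname), pacUrl };
}

// Constructed sample: an HTTPS URL whose query string carries a secret token.
const SAMPLE = "https://accounts.example.com/reset?token=CONSTRUCTED-SECRET";

// Returns the URLs the PAC script saw: first untrimmed, then trimmed.
function demo() {
  seenByPac.length = 0;
  resolveProxy(SAMPLE, { trim: false });
  resolveProxy(SAMPLE, { trim: true });
  return seenByPac.map((entry) => entry.url);
}

console.log(demo());
```

With trimming in place the PAC script can still make per-host proxy decisions, which is all a legitimate PAC file needs for HTTPS traffic.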

So now what do we do?

If you are a casual browser user who does not mind having your URL connections monitored in public, you can wait for browser and server updates to resolve this issue.


If you are a professional who must NOT be monitored in your work online, sign up for a VPN (Virtual Private Network) service. I do not want to go into the technical details. But a good VPN service allows you to encrypt everything you do online, no matter where you are, all the way to a VPN server somewhere else on the planet. You can usually select the exit server from a list provided by the VPN service. Once your traffic has left the VPN server for the actual Internet, no one can track who you are. None of your data is visible on your Wi-Fi router. Everything is encrypted via the VPN service. Problem solved.

There are many VPN services available. Some of them offer "Lifetime Membership" at a reasonable price. There is usually one VPN service or another running a special offer through one of the 'Deal' websites / email lists at any time.

As examples, I'm on the MacAppware and 9To5Toys 'Deal' lists, which are part of a 'Deal' network of services going through StackCommerce. They offer a variety of hardware, software and service "Specials" at special discount rates, usually for a limited period. If you see something you like on the lists, check it out. If you like it, you buy it. (Note how I deliberately do not provide URLs, as I do not sell or recommend any of these services. Search for their names and find them.)

Continuing these examples: 9To5Toys currently offers both a 3-year subscription and a full lifetime subscription to Tiger VPN for decent prices. MacAppware currently has five different VPN services. They include HideMyAss!, Hotspot Shield Elite, PureVPN and VPN Unlimited.

The closest I come to a recommendation is to say I have a friend who swears by HideMyAss! He regularly uses it to stream sports video from Europe with good results. I have a lifetime membership with proXPN that works fine for my purposes.

A limiting factor with VPN is speed, aka bandwidth. Obviously, you run into this factor when streaming a lot of data at once, such as watching video. If that's what you want to do via VPN, it pays to shop around for the fastest service. Be sure to verify that what you read about a VPN service is genuine. For example, PureVPN calls itself "The World's Fastest VPN." Maybe it is or maybe it is not. Check out a number of reviews to find out what users have experienced in their own use of the VPN.

Another limiting factor is which VPN connection protocols the services offer. They may use OpenVPN and/or PPTP (Point-to-Point Tunneling Protocol). It is important to know what your hardware and operating system can handle. For example, some cannot handle OpenVPN. In that case, you do not want a VPN service that only offers OpenVPN. You want one that offers PPTP. Many offer both.

From a security point of view, it is currently safer to use PPTP. OpenVPN has had a number of security flaws and was at one time thought to be hackable. OpenVPN has been good at patching known security flaws, but new ones have recently been found on a regular basis. Meanwhile, PPTP is considered by some to be "broken". Microsoft recommends using a newer and superior alternative protocol called L2TP/IPSec, which I am not very familiar with. If a VPN offers it, consider using it instead of PPTP.

I could link here to a comparison chart of these three protocols, but what I found online was not up to date and would therefore be misleading. From a fanatic security point of view, all three of these protocols may be hackable IF someone specifically targets you. VPN attacks are sophisticated and take time to mount. As such, for general professional use, any of these three VPN protocols is sufficient. Open source advocates obviously prefer OpenVPN because the protocol is fully available for review and, theoretically, that means security holes are found and patched more easily. Meanwhile, Microsoft has been involved with both PPTP and L2TP/IPSec, which can give users a reason to cry. You decide.

Nice things about good VPN services:

First, the VPN rates the quality of its own servers day by day. I'm in New York. So you'd think connecting to their New York City server would be great! It used to be. Now it's ranked at the bottom of their connection listing. IOW, that is the last server I want to use. Instead, I usually use the Chicago server, which is in the top third of the list of connections. I often visit websites in the UK, in which case I use their London server. Fortunately, it is also in the top third of the list of connections at this time.

Meanwhile, if I want to use an exit server in or near Japan, forget it! There isn't one. That could have killed my interest in the VPN service, if it mattered to me. The nearest server is in Singapore, and it is near the bottom of the connection list. IOW: It may be important to know which servers a VPN offers, according to your purpose.

Second, the VPN regularly changes servers in cases where they are blocked by ISPs. My VPN program retrieves the latest list of available servers every day, which prevents me from connecting to what is equivalent to a dead server.

Why are VPN servers blocked? This gets into a copyright, marketing, and expenses controversy. To give you at least a rough idea of how and why this can happen: Imagine you are the BBC in the UK. Someone uses a VPN to connect to a London server. The IP address of that server is sent to each website they connect to. It's obviously a British IP address, so they seem to be British. Therefore, they can access all UK web content as a British citizen. They have full access to all BBC web media, including some of its published TV shows. What can be "bad" about this is: (A) You may not really be in the UK. You are using a VPN. (B) If you are not British, you do not have access to UK copyrighted media. (C) BBC marketing people may go maniacal that you broke through an artificial marketing barrier for accessing media directly in the UK. (D) You have not paid the taxes that support the BBC. Therefore, the BBC is motivated to find and block all VPN servers in the UK.

Then there's the annoying totalitarianism problem, where defaulted authorities abuse their citizens rather than serve them. Check this out:

Countries where VPN usage is forbidden

VPN is generally prohibited in countries that have authoritative laws, such as China, North Korea and Iran. With limited access to a majority of electronic content, to unblock websites, citizens, tourists and expats in these countries usually use proxy servers and VPN software.

WHY have these countries made VPN USAGE ILLEGAL?
Some countries have banned the use of virtual private networks so that they can maintain a bird's eye view of all online movement from their citizens, as governments in these countries consider nonconformists, as well as controlling the information their citizens have access to by censoring websites with liberal or contradictory views. VPNs allow users to bypass censorship and keep all online activities confidential.

Such is our kind. I strongly recommend deposing all such governments. That's what revolution is for. We all deserve personal freedom and privacy, no exceptions (apart from the villains and crazies).

So what about DNSCrypt?

I use DNSCrypt on all my Macs. I have not had problems with it and it encrypts all my DNS requests for free. It works far better than my ISP's DNS servers! (Time Warner Cable :-P). Thanks, OpenDNS and Cisco! It prevents any open Wi-Fi hotspot hackers from seeing which sites I want to visit. It even prevents your ISP or anyone else from monitoring your DNS requests.

Except DNSCrypt will not help with PAC attacks on HTTPS. Sorry! The resulting IP address is still unclear when using the PAC hack. Nevertheless, DNSCrypt is a great precaution and works very well. Finishing DNSCrypt took a year of annoying beta. Now it is something that approaches perfection. Highly recommended.

Questions? Additional reference requests? Please send me a comment below.

: – Derek
