Thank you for saving what hair I haven’t pulled out yet.

I did it the other day to my wife’s computer with Cain and Able, noticing that she was looking at more shoes to buy… Didn’t need to hijack her WPAD queries or DNS lookups to accomplish this task.

What WPAD does provide is the ability to have users dynamically find a proxy server. And the users don’t have to know anything about manually configuring (and enabling/disabling) a hard coded proxy server.

Security, as you obviously know, is a balance between functionality and safety. The only truly secure client is one that is turned off…

So this is really just another example of where it is up to the individual/management to determine if the risk of web hijacking outweighs the cost of manually managing the proxy configuration.

From my experience the WPAD feature is not used because of a general lack of knowledge and understanding on the technology. After all, it’s easy to slam in a proxy server with GPO’s…

On the other hand, if you mean attacks not against IE but against SSL itself, such as Moxie’s SSLSniff, they’re hard to detect. One thing that helps is actually opening and verifying the certificate — just because the padlock icon is there doesn’t mean you’re communicating with what you think you’re communicating with. Most of the time attackers don’t forge an entire certificate, just the domain name, so everything else may look wrong (or the certificate may be for * rather than a specific domain.) Once again, use a current, fully-patched browser, as this protects you from null-byte certificates (which actually may look perfect if you inspect them.) And most importantly of all, don’t use insecure wireless networks. Attacks like SSLSniff rely on being a man-in-the-middle — that is, an attacker must be able not just to read your communication but also to modify it. This means either he has to control a router between you and the website you’re talking to, or he has to be on a wireless network with you. The only safe thing to do on an insecure (open or WEP) wireless network is to VPN to a secure network. Anything else is vulnerable.

As of now, I’m not sure what side effects I’ll encounter. Disabling this service may also impact COM Automation and the Win32 API components for sending and receiving HTTP requests from applications. Actually, I might like this since I really don’t like apps accessing the web without my control. My browser still works … that’s good! Well see.

By the way, with Wireshark I now see a lot of different activity on initialization of my internet connection. I need to look into this….

I have investigated a large number of articles and comments to try to find a solution, and unfortunately, none that I’ve found fully stop the problem. The best solution I found was to set my computer’s name to WPAD, and thus limit the number of DNS queries that are attempting to locate the WPAD server. Now, it’ll only query the following:

WPAD.XXXX.YYYYY.COM

and then

XXXX.YYYYY.COM

(where XXXX.YYYYY is my ISP’s domain name).

Before this change, I have a lot of queries for various forms of WPAD addresses, which didn’t exist. I tried to disable devolution as mentioned in …

http://www.microsoft.com/technet/security/advisory/945713.mspx

… but it DID NOT WORK. According to the advisory, I should be able to disable devolution by setting the following registry entry to 0 (FALSE):

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution

It didn’t work. Using ProcessMonitor, I also tracked down two different registry entries for devolution that my system was accessing prior to devolution, and neither stopped devolution. It must be hardcoded.

The problem isn’t so much with corporate networks. The problem is more that these laptops from corporate networks are all set up to rely on WPAD for proxy information, and then people carry them off to other networks, like open wireless, with those same configuration settings intact. Suddenly, they’re asking for WPAD on networks that are potentially hostile.

- JS