Bypass FPN Feature Enahancement

[hjasond]

All,

While FPN is great for general web usage, most users need access resources that cannot be reached via FPN.

Can you please implement the option to the secure-proxy/FPN extension to automatically disable FPN for specific sites? Ideally this feature would also support, wildcards, regex, and CIDR notation.

Thank you, Jason

[ekr]

While FPN is great for general web usage, most users need access resources that cannot be reached via FPN.

While I believe that many users need those resources, I am skeptical that "most" do.The usual scenarios are for intranet and home router type settings, but I doubt this is most users.

I do see how this feature is useful, but it's not clear to me that it can be implemented safely. Consider the (somewhat contrived) case where your intranet is the attacker in cooperation with example.com. Your intranet tells you to disable 192.168.1/24 and then the site arranges for test.example.com to resolve to 192.168.1.1 and embeds a test.example.com subresource on its page. This then allows the intranet to determine what computers on its network are going to example.com. This attack can be generalized in a number of ways to give fine-grained information about which users are where.

[hjasond]

Good point, I should have stated most enterprise users.

I agree with your example. It does present an additional risk if an attacker has the ability to add content to a domain or subdomain the user has set to bypass the proxy.

In my opinion, for users who need to access intranet resources in addition to public internet resources, the risk is higher with the current all or nothing approach. Because the proxy must be manually disabled and re-enabled each time, the odds of a user forgetting to re-enable the proxy after visiting an intranet resource are high, leaving them exposed.