Galinakot | 9 years ago | on: New attack that cripples HTTPS crypto works on Macs, Windows, and Linux
From the briefing:
We will demonstrate that, by forcing your browser/system to use
a malicious PAC (Proxy AutoConfiguration) resource, it is
possible to leak HTTPS URLs.
Would be interesting to see the exploit in action. However, malicious PAC redirection has existed for a while [0].
What isn't quite clear is whether this would work even with HSTS sites.
The takeaway seems to be: never trust any unknown network.
[0] https://blogs.technet.microsoft.com/mmpc/2014/02/28/maliciou....