How To: Disable WPAD on Your PC So Your HTTPS Traffic Won't Be Vulnerable to the Latest SSL Attack

Disable WPAD on Your PC So Your HTTPS Traffic Won't Be Vulnerable to the Latest SSL Attack

You may not know what HTTP is exactly, but you definitely know that every single website you visit starts with it. Without the Hypertext Transfer Protocol, there'd be no easy way to view all the text, media, and data that you're able to see online. However, all communication between your browser and a website are unencrypted, which means it can be eavesdropped on.

This is where HTTPS comes in, the "S" standing for "Secure." It's an encrypted way to communicate between browser and website so that your data stays safe. While it was used mostly in banking, shopping, and other high-security situations, it's now common for many websites such as Facebook, Google, and even Wikipedia to protect your information with HTTPS. And it's most important when you're browsing the internet on free Wi-Fi hotspots, guest networks, and other non-private access points.

But that "security" isn't so secure anymore, thanks to some security researchers that will be presenting at this years Black Hat security conference in Las Vegas.

You're in a potentially malicious network (free WiFi, guest network, or maybe your own corporate LAN). You're a security conscious netizen so you restrict yourself to HTTPS (browsing to HSTS sites and/or using a "Force TLS/SSL" browser extension). All your traffic is protected from the first byte. Or is it?

[B]y forcing your browser/system to use a malicious PAC (Proxy AutoConfiguration) resource, it is possible to leak HTTPS URLs. . . . We will present the concept of "PAC Malware" (a malware which is implemented only as Javascript logic in a PAC resource) that features: a 2-way communication channel between the PAC malware and an external server, contextual phishing via messages, denial-of-service options, and sensitive data extraction from URI's.

Talking with ArsTechnica, Itzik Kotler of SafeBreach, clarified:

We show that HTTPS cannot provide security when WPAD is enabled. Therefore, a lot of people are actually exposed to this attack when they engage in browsing via non-trusted networks.

What does all this mean exactly, in laymen's terms? What you actually do on those HTTPS sites is still safe from prying eyes, but the full URL that you visit is not. It sounds innocent enough, but if that URL contains a security token, it could allow hackers to gain full control of your account. WPAD is fairly simple for hackers to take advantage of with MitM tools easily available for Metasploit, and has been exploited before in other ways.

This attack can be carried out on Linux, Mac, or Windows systems, but primarily the latter since it is the only one that is enabled by default with Internet Explorer. WPAD is not automatically enabled in Mac OS X or Linux, nor on Safari, Chrome, or Firefox browsers, so you shouldn't have to do anything on your end to protect yourself unless you use Microsoft Windows.

How to Disable WPAD in Windows

To disable WPAD in Windows, you'll need to make an easy registry edit, as StackExchange user laktak points out:

  1. Click the Start button, and in the search field, type in "regedit", then select "regedit.exe" from the list of results.
  2. Navigate through the tree to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad.
  3. Once you have the "Wpad" folder selected, right click in the right pane, and click on "New -> DWORD (32-Bit Value)".
  4. Name this new value "WpadOverride".
  5. Double click the new "WpadOverride" value to edit it.
  6. In the "Value data" field, replace the "0" with a "1", then click "OK".
  7. Reboot the computer.

If you're interested in this PAC Malware attack from a hacker's perspective, make sure to check out Itzik Kotler and Amit Klein's presentation at Black Hat 2016, which is scheduled for August 3, 2016 sometime between 4:20 to 5:10 p.m. PST.

Just updated your iPhone? You'll find new features for Podcasts, News, Books, and TV, as well as important security improvements and fresh wallpapers. Find out what's new and changed on your iPhone with the iOS 17.5 update.

Cover photo by Sergey Soldatov/123RF


Or use gpedit

Group Policy Editor
Edit "Default Domain Policy"
User Configuration
Windows Settings
Connection/Automatic Browser Configuration
Automatically detect configuration settings -> DISABLE

Will this work for Windows 10?

Does it affect Chrome?

Chrome has wpad disabled by default. However it may still be enabled in the OS.

Share Your Thoughts

  • Hot
  • Latest