Setup Scenario

2 posts, 0 answers
  1. Matt

    Posted 13 Oct 2014

    Hey Guys,

    I was just referred to Fiddler by someone who claims to want to use it in a similar way as myself.

    What I am looking for is somewhat of a total web-block but with whitelist exception. Currently in policy we have this implemented via an IE proxy site exclusion list where the proxy defined is a dummy IP / Port.

    This seems to work fine for static sites, with no 3rd party XSS or referrer domains... We are running into a scenario now wherein we are moving to O365 in the cloud. I had run an HTTP trace as well as looked up the official MS documentation of all required URL/Domain space to whitelist. Even just this, and using TLD declarations, the list is pretty long. Further, there seem to be all sorts of other referenced sites and files, which aren't explicitly whitelisted. All on top of other providers' sites which have their own sites they call in the background, which causes issues while waiting for DNS and the fake proxy to time out.

    Rumor has it Fiddler can allow an explicitly whitelisted domain to also allow traffic / connections to sites that the whitelisted site references...

    Is this true?? Can it be used in conjunction with WPAD (which is the model we hope to move to)?

    Can anyone give me some pointers or info as to where to start??  I suppose by validating or crushing my current understanding.. ;-)


  2. Eric Lawrence

    Posted 13 Oct 2014

    Hello, Matt--

    Fiddler can completely control your browser's use of HTTP and HTTPS, allowing or forbidding sites based on any criteria you can generate based on the request.

    Fiddler cannot somehow "magically" allow "references from pages that were themselves whitelisted"-- the closest you could come to that is to look at a request and if it's not to a whitelisted host, you could examine the HTTP Referer header and look to see if it mentions a whitelisted host, and if not, you could even search previous responses from the whitelisted host to see if you can find a reference to that URL, but this is an extraordinarily complex problem.

    It's also not clear what problem you'd hope to resolve with a "transitive whitelist" approach, since any given "Office document" could refer to untrusted 3rd party websites that contain malicious or illegal content or whatever.

    Eric Lawrence
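
The host-then-Referer check described in the reply above, as an added example that is not part of the original thread and is not FiddlerScript or Fiddler's own code. The whitelist entries, the `{method, host, referer}` request shape and the function names are assumptions made for the illustration.

```javascript
// Added illustration: plain JavaScript decision logic, not FiddlerScript.
// WHITELIST and the request shape {method, host, referer} are constructed for this example.
const WHITELIST = ["office365.example", "login.example"];

// Suffix match on a label boundary, so "evil-login.example" does not match "login.example".
function hostAllowed(host, whitelist) {
  const h = String(host || "").toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
  return whitelist.some((d) => h === d || h.endsWith("." + d));
}

// Extract the host from a Referer value; a missing or malformed header yields null.
function refererHost(referer) {
  try {
    return new URL(referer).hostname;
  } catch (e) {
    return null;
  }
}

function decide(req, whitelist = WHITELIST) {
  if (hostAllowed(req.host, whitelist)) {
    return { action: "allow", reason: "host-whitelisted" };
  }
  // A CONNECT tunnel exposes only the target host; there is no Referer to inspect.
  if (req.method === "CONNECT") {
    return { action: "block", reason: "connect-host-not-whitelisted" };
  }
  const ref = refererHost(req.referer);
  if (ref && hostAllowed(ref, whitelist)) {
    // Referer is supplied by the client, and a whitelisted page can link anywhere,
    // so this branch is flagged for review rather than treated as trusted.
    return { action: "allow-flagged", reason: "referer-whitelisted:" + ref };
  }
  return { action: "block", reason: "not-whitelisted" };
}

// Constructed sample requests.
const samples = [
  { method: "GET", host: "mail.office365.example", referer: "" },
  { method: "GET", host: "cdn.thirdparty.example", referer: "https://mail.office365.example/owa/" },
  { method: "GET", host: "evil-login.example", referer: "" },
  { method: "CONNECT", host: "cdn.thirdparty.example:443", referer: "" },
  { method: "GET", host: "tracker.example", referer: "not a url" },
];
for (const s of samples) console.log(s.method, s.host, "->", decide(s).action);
```

Requests that pass only on the Referer branch are the "transitive" ones the reply warns about, which is why the sketch marks them separately from host-whitelisted traffic.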
