Quick Links
WPAD, Explained
Windows vs. Other Operating Systems
What's the Risk?
How to Disable WPAD on Windows 8 and 10
How to Disable WPAD on Windows 7
Web Proxy Auto-Discovery (WPAD) gives organizations a way to automatically configure a proxy server on your system. Windows enables this setting by default. Here's why that's a problem.
WPAD is really useful when an organization like your company or school needs to configure a proxy server for your connection to their network. It saves you from having to set things up yourself. However, WPAD can cause problems should you connect to a malicious public Wi-FI network. With WPAD enabled, that Wi-Fi network can automaticallyconfigure a proxy server in Windows. All your web browsing traffic would be routed through the proxy server while you're connected to the Wi-Fi network---potentially exposing sensitive data. Most operating systems support WPAD. The problem is that in Windows, WPAD is enabled by default. It's a potentially dangerous setting, and it should not be enabled unless you really need it.
Related: Why Using a Public Wi-Fi Network Can Be Dangerous, Even When Accessing Encrypted Websites
WPAD, Explained
Related: What's the Difference Between a VPN and a Proxy?
Proxy servers---not to be confused with virtual private networks (VPNs)---are sometimes required to browse the web on some business or school networks. When you configure a proxy server on your system, your system will send your browsing traffic through the proxy server rather than directly to the websites you visit. This allows organizations to perform web filtering and caching, and may be necessary to bypass the firewalls on some networks.
The WPADprotocol is designed to allow organizations to easily provide proxy settings to all devices that connect to the network. The organization can place a WPAD configuration file in a standard place, and when WPAD is enabled, your computer or other device checks to see if there's WPAD proxy information provided by the network. Your device then automatically uses whatever settings the proxy auto-configuration (PAC) file provides, sending all traffic on the current network through the proxy server.
Windows vs. Other Operating Systems
While WPAD might be a useful feature on some business and school networks, it can cause big problems on public Wi-Fi networks. You don't want your computer to automatically configure a proxy server when you connect to a public Wi-Fi network in a coffee shop, airport, or hotel.
That's why most operating systems disable WPAD by default. iOS, macOS, Linux, and Chrome OS all support WPAD, but it is turned off out of the box. You have to enable WPAD if you want your device to automatically discover proxy settings.
Related: How to Configure a Proxy Server on a Mac
This is not true on Windows. Windows enables WPADby default, so it will automatically configure the proxy server settings provided by any network you connect to.
What's the Risk?
If your system is configured to use a dangerous proxy by a malicious Wi-Fi network, your browsing could be vulnerable to snooping and other attacks.
Related: What Is HTTPS, and Why Should I Care?
HTTPS encryptionnormally helps protect the content of your browsing on sensitive websites. So, when you connect to your bank's website, you might be redirected to an address like
https://your_bank.com/account?token=secret_authentication_token . Normally, anyone snooping on the network would just see that you're connected to
https://your_bank.com and wouldn't know the full address. But, if your PC is browsing through a proxy server, your computer tells your proxy server the full address, which could contain potentially sensitive information.
Related: Secure Your Online Accounts By Removing Third-Party App Access
The proxy server could also modify web pages you access. Even if you're accessing secure HTTPS pages that the proxy can't tamper with, the proxy server couldredirect you to fake login pages in an attempt to capture your passwords and other sensitive details. The attackers could also steal OAUTH authentication tokens, which are used to sign into other websites by using your Google, Facebook, or Twitter user credentials.
This isn't just a theoretical risk. Security researchers demonstrated WPAD attacksat DEF CON 24 in the summer of 2016. We haven't seen any reports of this attack being used in the wild, but it's still a risk.
How to Disable WPAD on Windows 8 and 10
On Windows 10, you'll find this option under Settings > Network & Internet > Proxy.On Windows 8, the same screen is available at PC Settings > Network Proxy. Just turn the "Automatically detect settings" option off to disable WPAD.
How to Disable WPAD on Windows 7
On Windows 7, you can disableWPAD through the Internet Options window. Head to Control Panel > Network and Internet > Internet Options. Note that you can also use this method on Windows 8 or 10, if you like.
In the "Internet Properties" window, switch to the "Connections" tab and click the "LAN settings" button.
In the "Local Area Network (LAN) Settings" window, clear the "Automatically detect settings" check box, and then click "OK" twice to save your settings.
Even if you do need to use a proxy, you'll be more secure if you specify the precise address to an automatic proxy configuration script (also known as a .PAC file) or manually enter your proxy server details. You won't be relying on WPAD, which could allow your proxy settings to be hijacked on public Wi-Fi networks.
- Features
- iOS
- Linux
Your changes have been saved
Email Is sent
Please verify your email address.
You’ve reached your account maximum for followed topics.
Manage Your List
Follow
Followed
Follow with Notifications
Follow
Unfollow
Readers like you help support How-To Geek. When you make a purchase using links on our site, we may earn an affiliate commission. Read More.
