IE7 - Phishing vs. Privacy

Today I was testing WebInspect on my newly installed version of Vista with IE7 and found something startling.  When running a browser through a proxy you can see soap requests being made to Microsoft as you hit each page.  Here is what the requests look like.

POST /urs.asmx?MSPRU-Client-Key=l7m7EvM2K/IVNQCBF7AVPg%3d%3d&MSPRU-Patented-Lock=XdXWSI8WgDg%3d HTTP/1.1

Accept: text/*

SOAPAction: "http://Microsoft.STS.STSWeb/Lookup"

Content-Type: text/xml; charset=utf-8

User-Agent: VCSoapClient

Host: urs.microsoft.com

Content-Length: 648

Cache-Control: no-cache

 

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"><soap:Body><Lookup xmlns="http://Microsoft.STS.STSWeb/"><r soapenc:arrayType="xsd:string"><string>http://zero.webappsecurity.com/pindex.asp</string></r><ID>{B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F}</ID><v soapenc:arrayType="xsd:string"><string>7.0.6004.6</string><string>7.00.5824.16386</string><string>7.0.6000.16386</string><string>6.0.6000.0.0</string><string>en-us</string></v></Lookup></soap:Body></soap:Envelope>

 

You can see in the soap envelope the full URL of the site I am browsing.  Upon further investigation, this is how IE7 implements their real time Phishing notification.  In the settings of IE you will find the option to disable or enable this under “Phishing Filter”.  This raises a some serious questions, here are just a few that I can think of:

1)      I don’t recall being notified that this was occurring.  Now I am the first to admit I don’t read every installation page, disclaimer or EULA but I would think this would be a BIG screen explaining the setting and the consequences of the option.

2)      Everyone knows you can trust MS with personal data, but this is a bit much.  The ability to track every single web page that is visited is needless to say powerful information.

3)      Why in the world does Microsoft feel it necessary to check INTERNAL ADDRESSES for phishing web sites?  Yes, this actually happens.  I browsed to a 172. address and a request with the full internal IP was sent to Microsoft.

4)      Post data and query data is not submitted, but what are the implications of websites that keep session state in the URL or user sensitive information (seen in URL rewriting).  This data being transferred to a site other than the one I am visiting, even though via SSL, still does not give one a warm fuzzy feeling.

5)      What are the other parameters in the request used for?  Client-Key?  It this key really tied to me?  If so, is it really necessary for MS to know this to inform me of a phishing site?

Feel free to comment on other implications that you can think of. 

Comments
(anon) | ‎12-19-2006 03:28 PM
Is this any different from what Google does with the PageRank indicator on the Google toolbar? I'm not sure how else Microsoft or anyone else would implement a phishing filter. I personally disabled the phishing filter for precisely this reason.
(anon) | ‎12-19-2006 03:29 PM
According to Microsoft, this feature was turned off by default? So you did turn it on right? (see Phishing Filter at http://www.microsoft.com/windows/ie/ie7/privacy/ieprivacy_7.mspx).

They claim that search terms are removed but they also say, "If you are concerned that an address string might contain personal or confidential information, you should not report the site." Got any examples of such a site?
(anon) | ‎12-19-2006 03:42 PM
I believe that when you upgrade to IE7, you're given a notice about turning the phishing option on or off. I faintly remember it explaining something about sending web site address to Microsoft to check against a phishing database, but I’m sure it didn’t got into details about what information it actually sends…and how much. Since IE7 comes preinstalled with Vista, I don't think users are prompted with the same information.
(anon) | ‎12-19-2006 03:44 PM
During the install or the first time you run IE7, it asks you if you want to turn Automatic Phishing Filter On. It shows On as the recommended option.
(anon) | ‎12-21-2006 01:30 PM
Men... This is why i'm proud of using Ubuntu!
(anon) | ‎12-21-2006 02:38 PM
this is FUD
(anon) | ‎12-21-2006 03:42 PM
Is there a way to check if those keys are bind to your copy of windows?
(anon) | ‎12-22-2006 01:57 PM
Exactly, how did you saw it?
How can I reply this test?
I'm running IE7 on WinXP, and I see only encrypted data when IE checks for the site trustworthiness..
(anon) | ‎01-07-2007 09:44 AM
Let me tell you... we soon will not know the meaning of privacy. This world is heading towards humans being herded like cattle. These big companies want to know what you are doing and what you are seeing so they can sell you more and you will buy more. Big brother is here! They impliment these changes... little steps at a time. You are right to be concerned.

Watch the movie called "America Freedom to Fascism". It was produced Aaron Russo who made other movies like ("The Rose," "Trading Places"). It will be one of the most important films you will ever see in your life.

http://video.google.com/videoplay?docid=5355374476580235299&q=aaron+russo+american

God bless you.
Darius
(anon) | ‎06-07-2007 05:21 PM
(anon) | ‎09-10-2007 09:52 AM
BTW, nice that this info is send also when Phishing is turned off!
Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Search
Showing results for 
Search instead for 
Do you mean 
About the Author


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation