HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: December 2006

IE7 - Phishing vs. Privacy

Today I was testing WebInspect on my newly installed version of Vista with IE7 and found something startling.  When running a browser through a proxy you can see soap requests being made to Microsoft as you hit each page.  Here is what the requests look like.

POST /urs.asmx?MSPRU-Client-Key=l7m7EvM2K/IVNQCBF7AVPg%3d%3d&MSPRU-Patented-Lock=XdXWSI8WgDg%3d HTTP/1.1

Accept: text/*

SOAPAction: "http://Microsoft.STS.STSWeb/Lookup"

Content-Type: text/xml; charset=utf-8

User-Agent: VCSoapClient

Host: urs.microsoft.com

Content-Length: 648

Cache-Control: no-cache


<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"><soap:Body><Lookup xmlns="http://Microsoft.STS.STSWeb/"><r soapenc:arrayType="xsd:string"><string>http://zero.webappsecurity.com/pindex.asp</string></r><ID>{B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F}</ID><v soapenc:arrayType="xsd:string"><string>7.0.6004.6</string><string>7.00.5824.16386</string><string>7.0.6000.16386</string><string>6.0.6000.0.0</string><string>en-us</string></v></Lookup></soap:Body></soap:Envelope>


You can see in the soap envelope the full URL of the site I am browsing.  Upon further investigation, this is how IE7 implements their real time Phishing notification.  In the settings of IE you will find the option to disable or enable this under “Phishing Filter”.  This raises a some serious questions, here are just a few that I can think of:

1)      I don’t recall being notified that this was occurring.  Now I am the first to admit I don’t read every installation page, disclaimer or EULA but I would think this would be a BIG screen explaining the setting and the consequences of the option.

2)      Everyone knows you can trust MS with personal data, but this is a bit much.  The ability to track every single web page that is visited is needless to say powerful information.

3)      Why in the world does Microsoft feel it necessary to check INTERNAL ADDRESSES for phishing web sites?  Yes, this actually happens.  I browsed to a 172. address and a request with the full internal IP was sent to Microsoft.

4)      Post data and query data is not submitted, but what are the implications of websites that keep session state in the URL or user sensitive information (seen in URL rewriting).  This data being transferred to a site other than the one I am visiting, even though via SSL, still does not give one a warm fuzzy feeling.

5)      What are the other parameters in the request used for?  Client-Key?  It this key really tied to me?  If so, is it really necessary for MS to know this to inform me of a phishing site?

Feel free to comment on other implications that you can think of. 

Showing results for 
Search instead for 
Do you mean 
About the Author(s)
HP Blog

HP Software Solutions Blog


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.