
Microsoft, stop sending user identifiers in clear text - ramen-hero
https://annoyedmicrosoftuser.blogspot.com/2015/10/microsoft-stop-sending-user-identifiers.html
======
eponeponepon
Intriguing that this renders Tor essentially transparent in some contexts -
that could almost seem by design.

I guess (unless Tor is completely broken) that there would still be more
legwork involved in associating traffic from the endpoint with its
corresponding traffic into Tor, but even "user logs into that service through
Tor" is still a pretty fertile datapoint. Obviously Microsoft would be able to
see that pretty easily anyway, but why would they make it easy for others to
see it too?

~~~
_nedR
>Intriguing that this renders Tor essentially transparent in some contexts -
that could almost seem by design.

I would have commented on your tinfoil hat, except for what Microsoft did to
Skype post-acquisition: completely rewriting its protocol architecture from
one which was P2P with end-to-end encryption and practically impossible to
wiretap or monitor, to a centralized architecture (ostensibly for scalability
reasons) which made it much easier to wiretap or obtain metadata.

[http://www.zdnet.com/article/skype-ditched-peer-to-peer-supe...](http://www.zdnet.com/article/skype-ditched-peer-to-peer-supernodes-for-scalability-not-surveillance/)

[http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-c...](http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data)

Here's a choice quote from the above article.

"In July last year, nine months after Microsoft bought Skype, the NSA boasted
that a new capability had tripled the amount of Skype video calls being
collected through Prism;"

~~~
throwawaykf05
When I heard about the "re-centralization" of Skype, I ran an experiment. I
set up calls with a couple of people in various locations and monitored my
network connections (on OSX I used nettop). Voice and video traffic is still
direct P2P. It was the same when I tried it again last year. Note that I did
not investigate messaging connections, nor group video chats, nor mobile
usage, all scenarios where a centralized service may be more useful.

However, this gels with their explanation that they have only centralized the
call setup servers for reliability and voice/video traffic for mobile devices
where P2P is not very feasible. On laptops and PCs, where P2P remains
feasible, traffic is still routed directly between peers.

Now I haven't run the same experiment in the past year, but I hope somebody
will, and that too at larger scale. Given this forum is "hacker" news, there
is a distinct lack of technical investigation to verify technical claims, and
a disturbing propensity to take tech media for its word, especially when
biases are being confirmed.

~~~
pdkl95
Are you suggesting that the ability to log _metadata_ ("call setup") isn't
important?

Few people care about the _contents_ of VOIP calls. The relationship maps you
can generate from the metadata are far more useful.

Also, "reliability" doesn't make sense as a reason to centralize skype. Being
very generous, it is a workaround for the problem of NAT removing the average
user's ability to self-publish on the internet.

~~~
throwawaykf05
Sure, metadata could be important, but I'd argue it's only useful in
identifying who some agency might want to wiretap _next_. Without the actual
content of the calls you don't know if somebody is talking to a collaborator
or ordering in.

> _Also, "reliability" doesn't make sense as a reason to centralize skype._

I've written a P2P app or two. The NAT issues that you handwave are a huge
problem. It's not just the connectivity of nodes, it's the symmetry in which
nodes are reachable. NAT and general internet weirdness make this a much
harder problem than it needs to be. I had to do a significant re-architecting
when I ran into these issues during internal testing, and I had less than two
dozen users!

The next problem is latency. By the time you wait to discover a suitable
supernode and for your "hello" message to reach your target peer, you will
have already connected and started communicating with your peer if you use a
centralized "registry" server.

This is compounded by churn. Even if there's a single intermediate hop in your
routing, your chances of a successful message delivery drop drastically when a
peer can leave anytime. Think about how you use your laptop and how long you
keep it running and how abruptly you close it. The move towards laptops away
from desktops means average node uptime is reducing sharply, without even
considering the move to mobile.

This is further compounded by the need for presence in the case of Skype. You
don't want to find a peer is unreachable _after_ you start a call. This
implies the need for a global state. But without a central server, this can only
be achieved with a DHT, where the first two problems are even worse. Note the
existing DHTs are all used for long running "sessions" where the session is
the availability of a torrent. User presence is a lot more ephemeral.

And there's the original problem for P2P apps, of course: bootstrapping. Peers
don't come online knowing all their other peers on the Internet. There has to
be a way for them to discover each other, which, without Internet-wide
multicast, means a central server. If you're going to have to solve this
problem, you might as well solve the others.

There is actually a thread on the p2p-hackers mailing list about this exact issue.
Many experienced P2P devs agreed that whenever you can get away with a
centralized solution, you should go for it. In this context, partially
centralizing Skype as they did makes complete sense.

------
vbezhenar
Another concern: modern HTTPS uses the SNI standard, and those who sniff your
traffic can extract the hostname from it, because it's not
encrypted yet. So DNS sniffing is not necessary, if I understand everything
correctly.

I would consider that as misuse of DNS. User id must be in request parameter
or path, not in hostname.

------
_nedR
While you're at it Microsoft, please also give a way for users to remotely log
out all active sessions on other computers and devices.

~~~
mglinski
It's a terrible hack, but changing your Skype password via their website does
log you out of all active sessions within a 2-5 minute timeframe. A friend's
Skype got "hacked" via a third party botting a message to all of his contacts,
and as soon as I changed the password the spam stopped and soon after his
local client logged out.

~~~
r00fus
It's not a hack... this is exactly what is guaranteed for OAuth2 servers that
follow the spec to deauthorize all tokens.

------
Kiro
How should Microsoft resolve this? Not using CIDs at all?

~~~
po1nter
Not include them in the (sub)domain name?

~~~
Kiro
So it's fine to use them in the query string?

~~~
_nedR
So long as the query is passed over HTTPS, it is encrypted. But the
domain/subdomain info is not concealed by HTTPS.
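
The SNI leak vbezhenar raises above, and _nedR's point that HTTPS hides the path and query string but not the hostname, as an added example that is not part of this thread: it builds a constructed TLS 1.2 ClientHello, pulls the server_name out of it the way a passive sensor or IDS would, and flags hostnames whose labels look like a long hex identifier. The hostnames and the identifier are made up for the demo; the comparison call shows that the same identifier moved into a query string never appears in the ClientHello at all.

```python
import re
import struct
from typing import Optional

def build_client_hello(hostname: str) -> bytes:
    """Constructed TLS 1.2 ClientHello with a server_name (SNI) extension.
    Only the fields needed for the demo are filled in; not a full handshake."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list         # ext type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32                            # version, random (zeroed)
            + b"\x00"                                             # session_id length 0
            + b"\x00\x02\xc0\x2f"                                 # one cipher suite
            + b"\x01\x00"                                         # null compression
            + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname carried in plaintext by a ClientHello, else None."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 43                                      # record(5)+hs(4)+version(2)+random(32)
    pos += 1 + record[pos]                        # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                        # compression_methods
    if pos + 2 > len(record):
        return None
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:   # server_name: list_len(2), name_type(1), name_len(2), name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None

# Heuristic: any DNS label that is 12+ hex digits looks like a user/account id.
ID_LABEL = re.compile(r"^[0-9a-f]{12,}$")

def leaks_identifier(hostname: str) -> bool:
    return any(ID_LABEL.match(label) for label in hostname.lower().split("."))

if __name__ == "__main__":
    for host in ("0123456789abcdef.users.example.com", "users.example.com"):
        sni = extract_sni(build_client_hello(host))       # "?cid=..." would not be here
        print(sni, "-> identifier visible in SNI" if leaks_identifier(sni) else "-> clean")
```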

------
jo909
Isn't the real point that one should not be able to obtain that much
information simply by knowing some user id or user name?

I would guess plenty of services include the username in some URLs.

Edit: of course the author also stated that, but more as a side note. Leaking
the CID would not be a problem if there wasn't any further information to be
gained.

~~~
pdkl95
It is well known that unique identifiers are used to identify general internet
traffic as the host moves to different IPs. This works even when the
_intended_ meaning of that identifier isn't known.

[https://www.eff.org/deeplinks/2013/12/nsa-turns-cookies-and-...](https://www.eff.org/deeplinks/2013/12/nsa-turns-cookies-and-more-surveillance-beacons)

~~~
jo909
Fair argument that every unique id or name makes you trackable, but that is a
much bigger (and IMHO long lost) battle on so many fronts, and it does not
seem very fair to single out Microsoft here. And I don't think that is the
motivation of the author either.

~~~
pdkl95
I'm absolutely not singling out Microsoft, and I'm not sure why you would
think I was.

Anybody that is regularly putting a unique identifier in plaintext network
traffic is harming their users, and that goes for Microsoft embedding CIDs in
domain names, Verizon with their X-UIDH vandalism, Google's 3rd-party
tracking cookies, and the like.

Also, you will never win a war if you give up the fight. This battle is
absolutely _not_ "long lost". The only way that could be true is if you give
up, thereby self-fulfilling the prediction.

------
nv-vn
Let's not forget the whole Skype thing where knowing a user's ID is enough to
edit any of their messages.

------
bargl
If you can look up a Skype ID by CID then this also opens your IP up to
discovery, which is a really big deal for people who stream (like my little
brother).

But I have no confirmation that is possible or not. Just speculation.

~~~
mdpopescu
As far as I know, this used to be a big problem in the Starcraft 2 pro gamer
community, before everyone switched to naming their account "||||||||" or some
such. (They would get DDOSed a lot.)

------
philliphaydon
Everyone seems to talk about what MS should do, and why it's bad. But I wonder
why the people working on these systems do not think or feel the same, and
want to fight internally to fix it etc.

------
aembleton
I noticed that my bank (Halifax) sends a long numerical code to webtrends for
every page that I visit. The code that it sends seems to be unique for each
session.

This is blocked by uBlock but it is concerning.

~~~
spydum
Different problem. That session identifier is probably unique to each session.
The complaint here is that the CID is always the same for you, and can be used
to look up more information (your profile).

~~~
bboreham
And it's sent as part of the host, hence plaintext.

