
Https URLs posted in private Skype chats visited by Microsoft - epaga
http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http%3A%2F%2Fwww.heise.de%2Fsecurity%2Fmeldung%2FVorsicht-beim-Skypen-Microsoft-liest-mit-1857620.html
======
onemorepassword
People who defend this under the heading of "it's their service, don't use it
if you don't like it", or "they're doing this for your convenience" completely
miss the point.

There is a reason why we had strict regulations (a dirty word on HN, I know)
for "old fashioned" mail and telephone. To eavesdrop on people's private
communication was considered a disgusting practice that belonged in
totalitarian regimes, and an unacceptable violation of people's rights.

Modern online services have circumvented such regulations, but that doesn't
make what Microsoft, or Facebook, or Google are doing any more ethical or
socially desirable.

All of this casual disregard for basic ethics can't continue without a serious
backlash. And such a backlash won't just hit Microsoft e.a., but our entire
industry.

It's time we stopped considering ourselves to be untouchable just because the
law hasn't caught up yet, or because the majority of the people haven't
figured out what the fuck we're doing.

Some changes through technology are unstoppable. This however, isn't one of
them. It's a choice.

~~~
jjcm
Disclaimer: I work for MS. My opinions are my own, but they are biased.

I think we need to make a distinction between automated services and humans
eavesdropping. I'd feel weird if someone was snooping in on my conversations
and clicking my links, but on the other hand I very much appreciate the little
bot that sits in my IRC channel and displays the title of any page linked.
Both monitor the chat and access links, but I value one and feel weird about
another. I don't think there's a way to truly make a distinction between the
two though, and I think saying, "nothing is ever allowed to access your
communications" removes the possibilities for a lot of added functionality
(the link bot being just the base camp of the mountain of things that are
possible). I think the better choice here is to ensure that the public has a
way to communicate securely, and that our mental model of "trust usually,
distrust as the exception" needs to move to "distrust usually, trust as the
exception". This is similar to how sudo works in a way - we maintain a lower
level of security usually for the convenience, then escalate only when needed.

~~~
np422
Just no. Plain and simple NO!

We don't need to make any distinctions. Private conversations are private.

And gentlemen don't read each others mail. Automated or otherwise.

------
wting
When MS bought Skype they changed supernodes from peers to company owned Linux
boxes.[0] This change gives them the ability to eavesdrop on any conversation.

My friend "Alice" (a Chinese national studying in the US), recently sent a
present to her friend "Bob" in the Chinese army and talked about it on Skype.

The Chinese Army found out that Bob was receiving a gift from the US and
tracked down the relevant Skype conversation. Bob was interrogated about Alice
and what the gift was for.

Microsoft complies with all governments' legal requests, as it should. I have
no doubt the US government has made similar requests of MS.

Skype's original protocol made eavesdropping harder, but not after the changes
Microsoft made.

[0]: [http://arstechnica.com/business/2012/05/skype-
replaces-p2p-s...](http://arstechnica.com/business/2012/05/skype-
replaces-p2p-supernodes-with-linux-boxes-hosted-by-microsoft/)

~~~
aleksi
It has nothing to do with Microsoft and Linux boxes. They host headless Skype
version for p2p network reliability: [http://blogs.skype.com/2012/07/26/what-
does-skypes-architect...](http://blogs.skype.com/2012/07/26/what-does-skypes-
architecture-do-2/)

Your story is all about China. Skype for China is "special":
[https://en.greatfire.org/blog/2012/dec/china-listening-
skype...](https://en.greatfire.org/blog/2012/dec/china-listening-skype-
microsoft-assumes-you-approve)

~~~
duaneb
Regardless of their supposed intentions (which they could easily lie about--
this IS a business we're talking about), the supernodes do allow very easy
eavesdropping given a warrant.

------
uncoder0
I tested this with Facebook a while back. I put two videos up of various
lengths and linked to them directly by IP in Facebook chat. I also included a
restrictive robots.txt. In both cases Facebook downloaded the entire videos
from my server. I repeated the experiment with several other providers and the
results were varied. Skype, for example, does not download the entire video
and seems to respect the robots.txt...

Not sure if this is still the case for Skype but, I just tested on FB again
and they pulled the whole video...

~~~
0x0
Isn't that typically done to show thumbnail previews under the pasted links?

~~~
choult
Facebook generally will present the OpenGraph data from pasted links; for
sites lacking it they might present the first image on the page.

It would be vast overkill to download a whole video just to present a
thumbnail, and the user experience in the delay while the whole file is
downloaded and processed would render the feature fairly useless.

Which leaves the question of why Facebook would do this open... It might just
be really bad practice and an under-/non-optimized crawler.

~~~
Cthulhu_
Or they download the whole video to pull it through an analyzer to look for
stuff prohibited to be republished via FB, such as child pornography. If I
were FB, I'd screen everything published via my site.

~~~
pyre
Right, because we have automated software child pornography recognizers.

~~~
runamok
They already have image algorithms to detect nudity with a good degree of
accuracy so that's probably enough to forbid an image or video.

~~~
pyre
Like _that_ won't cause a shitstorm. A social networking site that won't let
people trade possibly nude images privately?

~~~
kamjam
I don't think he's talking about necessarily private, but they detect nudity
on the "publicly" available images available in your albums which your friends
an see...

[http://petapixel.com/2012/11/25/facebook-removes-risque-
phot...](http://petapixel.com/2012/11/25/facebook-removes-risque-photograph-
of-woman-showing-an-elbow/)

------
pbhjpbhj
So, you post a comment in a private Skype "please don't visit this link, it's
copyright and reproduction of a single copy requires a license at a cost of
$10 million USD due to the sensitive nature of the content". You make sure the
link is to a brand new unshared domain with robots.txt denying access.

MS download and you've got them on copyright infringement for which there is
no apparent excuse outside of wilful negligence.

What's the multiplying factor the MPAA use for copyright infringement,
something like 1000 times the regular licensing fee.

...

4) Profit

~~~
VikingCoder
Worse, you make it destruction.

"Bob, if you should ever need to delete 100% of the content that I've created
for you, you would follow this URL. Let me be clear, it will destroy USD
$1,000,000 worth of goods."

~~~
oinksoft
Well per the HTTP standard, GET requests should be idempotent. I kid, but
imagine seeing pompous development advice stapled to official justification
for some internet sleuthing!

~~~
andreyf
I didn't realize this was part of a standard. Could you link to the section
you're referring to?

~~~
jschulenklopper
From RFC 2616 (Fielding et al) at
<http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html>

"In particular, the convention has been established that the GET and HEAD
methods SHOULD NOT have the significance of taking an action other than
retrieval. These methods ought to be considered "safe". This allows user
agents to represent other methods, such as POST, PUT and DELETE, in a special
way, so that the user is made aware of the fact that a possibly unsafe action
is being requested."

The document section also makes a distinction between "safe" and "idempotent"
methods. That's not the same thing.

~~~
iguana
Lots of web apps are still implemented along the lines of: GET
/foo?action=delete&item=x

A less naive implementation would also include a crumb to mitigate CSRF as
well as unintentional access.

~~~
vidarh
Yes, and you regularly see notes about how [some bot] has caused some
developer to learn why this is bad practice whenever a link like that gets
accidentally exposed in a way that allows crawling.

------
watt
they have english version already:
[http://www.h-online.com/security/news/item/Skype-with-
care-M...](http://www.h-online.com/security/news/item/Skype-with-care-
Microsoft-is-reading-everything-you-write-1862870.html)

you don't need to run it through translator.

~~~
recoiledsnake
From the article:

"A spokesman for the company confirmed that it scans messages to filter out
spam and phishing websites. This explanation does not appear to fit the facts,
however. Spam and phishing sites are not usually found on HTTPS pages"

From the very next story down from the same publication:

[http://www.h-online.com/security/news/item/Trojans-
conceal-t...](http://www.h-online.com/security/news/item/Trojans-conceal-
themselves-using-instant-messaging-protocols-1789045.html)

"The company has reported that, since 2009, some malware has been concealing
its data traffic by mimicking known instant messaging protocols or, to avoid
detection, trying to camouflage its data traffic as HTTP or HTTPS. To achieve
this, these trojans copy at least the header of the instant messaging
protocol, leaving the remainder of the packets to carry the trojan's encrypted
communications."

Looks like they're contradicting themselves here to score some click-bait
headlines.

~~~
Dylan16807
What is the contradiction? A program might be able to 'camouflage' its data as
HTTPS to a casual observer but that has nothing to do with HTTPS urls. An
HTTPS url won't work unless it's real. Therefore such a thing provides zero
justification towards checking HTTPS urls.

~~~
vidarh
The only thing that is required to make a https url "real" is that it is
hosted on a server that serves up a certificate that is valid for that domain.
It's trivial enough to obtain a valid cert anonymously (shell company with
bearer shares somewhere suitable) or find places to upload the malware that
makes it available on https urls.

~~~
Dylan16807
It requires actually implementing SSL, which is a lot more work than using
port 443 and faking a couple headers.

Am I misreading the word 'camouflage'? I read it as 'pretends to be' not '
_actually uses_ '.

Even if the trojan is using HTTPS, that is _still not a reason to scan HTTPS
URLs_. The command and control network is completely orthogonal to the links
given to users to try to infect them.

~~~
vidarh
The main reason to scan urls _at all_ would be to identify potential malware
to be able to prevent users from visiting them.

------
mtgx
Is any of the big IM companies going to offer OTR encryption by default or
what?

It's not like they could make a ton of money by monitoring the chats, and even
if they did, they _shouldn't be doing that_ anyway. At least with e-mail they
have an excuse for not using local encryption (it gets too complicated for the
end-user), but they can't really use that excuse for chatting.

So why isn't OTR enabled like _yesterday_ in Gtalk, Skype and Yahoo Messenger?
(by default of course, otherwise 99% of the users won't use it).

~~~
exDM69
> So why isn't OTR enabled like yesterday in Gtalk, Skype and Yahoo Messenger?
> (by default of course, otherwise 99% of the users won't use it).

In order to comply to requests from law enforcement agencies, end-to-end
encryption is not used by public companies offering communication services.

~~~
mtgx
Is this an official thing, like are companies legally forced to not offer it?
Or is it more of an "unwritten" policy, that in order to "make law enforcement
happy" they don't offer that type of encryption?

~~~
yajoe
(Worked on RMS and Exchange)

The govt comes by with a subpoena (secret, classified, or public) and requires
Microsoft or the customer company to produce communication records that exist
in a form that may be used as evidence. Failure to do so is best contempt of
court and worst obstruction of justice. No 5th amendment privilege for other
people's crimes. So everyone who chooses to store or process messages makes it
so the encryption is reversible and they can honor court requests. Nothing is
private as a result.

EDIT: I should make it clear I don't agree with the current status quo. Let me
answer two very good questions.

> Would they also do that if logging failed during the period requested?

If it can be shown that there is a willful neglect of collecting logs then the
govt in the past has gone after companies for some form of conspiracy (most
famous: MegaUpload, but Microsoft customers have had their fair share for
accounting and securities fraud) or criminal negligence. There is a prevailing
theory that companies are responsible for employee actions, and failing to log
is seen as unacceptable.

It's only recently (within the last year) that the courts have ruled whether
compelling passwords is protected by the 5th amendment, and most systems in
place were designed and built using previous assumptions from 10 years ago.

> If this is true, why is OTR offered at all?

It's a checkbox feature required for HIPAA, PCI, and similar. "Must have
encryption" -- the standards and IT departments don't say how the keys are
managed.

~~~
jlgreco
They would get them for contempt of court or obstruction of justice for being
not unwilling but rather _unable_ to fulfill the request?

That seems wrong. Would they also do that if logging failed during the period
requested? Or if they simply neglected to log in the first place?

Edit to your Edit: I don't see how the 5th is involved in the slightest. If
party A has a secret, and the courts subpena party B, then party B's inability
to comply has nothing to do with pleading the 5th. They simply do not have the
information requested, and in fact never possessed it in the first place.
Furthermore, party B cannot possibly be said to have been negligent. The
courts subpenaed the wrong person.

~~~
yajoe
The point about the 5th amendment is that prior to last year's ruling, it was
assumed that passwords (or private keys) could be compelled for _any_ reason
in the US, and systems were built with that assumption. I recommend you look
into legal disclosure or e-discovery products. Not right or wrong, but that's
the design assumptions backed by a bunch of lawyers in govt and private
sector.

The example is incomplete. In messaging systems, Party A uses Party B to send
messages, which may be useful for a court case. The government may reasonably
subpoena Party B to produce Party A's records since they may not want to alert
Party A that it is under investigation.

If Party B (the service provider) has any feature that makes use of the
content of Party A's secrets (read: url-checking, auto-loading thumbnails,
indexing for search, some types of routing, etc), then there is little ground
for Party B to argue it can't decrypt Party A's records for the subpoena.
Further, Party B may become a co-conspirator if it keeps incomplete records or
destroys records too quickly. Even if the co-conspirator charge is remote and
hard to convict, most service providers would prefer to avoid the publicity of
such a court case and add decryption anyway.

~~~
jlgreco
The entire point of this discussion is that Party B should be constructing
their service in such a way that Party A never gives them their secret. Party
B would then be able to keep complete and perfect records, turn over all of
those records at the drop of a hat, and _nevertheless_ be unable to reveal
Party A's secret.

Think PGP + Gmail, except that unlike usual, Google provides you with download
of PGP.

The court could subpena Google, and Google could give the courts my PGP
encrypted communications. However they would be _unable_ to give them my
private key and declaring them to be in contempt of court for that would be a
_massive_ miscarriage of justice.

PGP is a pain in the ass to use. However we have more streamlined technologies
currently available that provide the same properties in this scenario. What is
upsetting to people in this discussion is that companies like Skype are not
employing such systems. We know Skype is not because they are employing one
such "feature" that you mention (url-checking). They are therefore employing a
system that _does_ leave them open to having private information subpenaed.

~~~
yajoe
This is a good discussion.

You're absolutely right in describing the theory behind PGP (or GPG for the
purists :), but unfortunately there is not yet a way to build a messaging
service that has both features AND privacy. The _should_ in your statement
"Party B should be constructing their service" implies and expects a
capability that is not (yet) possible to build. The point of my posts were to
illuminate the reasoning companies make it easy to decrypt for the US
government due to their exposure from in-demand content-aware features and
fear of legal action.

Like you said, PGP+Gmail sucks for all parties included on a chain. Clients
stop working. Non-users can't read the emails. Gmail spam filtering, ads,
search indexing, and labeling all break. The same is true for PGP+Exchange,
and most corporate customers much prefer Exchange features to the privacy
offered to individuals with PGP.

I'm also not aware of 'more streamlined services' that offer true privacy --
please illuminate them if they exist. Services like Voltage suffer from the
same root cause of reversible encryption.

So, customers have to choose: use a service with content-aware features OR use
a dumb service that (currently) does not have the features. Most people choose
features, and I would venture in this case Microsoft opted for features over
pure privacy.

I would be among the first to welcome a way to accomodate both pure privacy
and features in a service, and I encourage all to find a way. Please build it!

------
pornel
It proves that Microsoft is able to decrypt chats and that's unfortunate.
Switch to application that has end to end encryption if that's important (e.g.
Jabber with OTR protocol on top <http://en.wikipedia.org/wiki/Off-the-
Record_Messaging>).

But making HEAD or GET requests, whether it's HTTPS or not, shouldn't be a
problem — those HTTP methods are not allowed to have any significant side
effects.

Scanning of URLs is useful for such service that is often abused to send spam,
phishing and exploits.

------
marshray
If you want to chat privately, use OTR <https://en.wikipedia.org/wiki/Off-the-
Record_Messaging>, authenticate your key fingerprints, ensure that neither
party's chat program is logging, and that both computers are free of malware.

------
celerity
If you don't control it, treat it as virtually public. I do that with Skype,
Gmail, Google Docs, iCloud stuff, Evernote, Dropbox etc.

Don't trust it if you can't encrypt it with a private key.

~~~
hughes
What IM protocol do you use? Or do you simply restrict all sensitive
communication to encrypted email?

~~~
seanmcdirmid
Lync is used by a lot of enterprises.

------
cddotdotslash
Well if you're passing session data in a URL (logins or passwords as
parameters, not the typical one-click to activate one-time links) you're doing
something wrong. Second, Microsoft has no way of distinguishing a normal URL
from a URL that has an &password parameter at the end. And finally, perhaps
one of their bots is simply crawling the link to, like Facebook does, display
a link summary or thumbnail. Or, as the article says, looking for spam.

I think it's pretty well documented at this point that Skype is not a secure
video/chat product. But for the 99.9% of users outside of the "never read my
data" echo chamber, it seems to be working fine for them. Use what works for
you.

~~~
sp332
If you paste a "one-click to activate one time" link into a Skype session, the
bot will click the link and then it won't be valid anymore for the legitimate
recipient. That's a terrible idea.

~~~
Ergomane
The "one-click to activate one time" links should always lead to a page where
the user has to perform a POST to prevent "smart" applications from using the
token when trying to show a thumbnail / preview or offer other services.

eg KDE (old) <http://drupal.org/node/24398>

------
biafra
Probably a better translation:
[http://www.h-online.com/security/news/item/Skype-with-
care-M...](http://www.h-online.com/security/news/item/Skype-with-care-
Microsoft-is-reading-everything-you-write-1862870.html)

------
X4
Here's the Skype Icon I made, when it wasn't clear what type of "Federal
Trojan" the German Governmnent developed and used.

<http://image-upload.de/image/4f96S5/4af43ed70c.png>

I suspected Skype was used, because it would be the most effective way to spy
citizens.

Today Skype, Facebook and Gmail are valueable resources for a Orwellian
Surveillance Government.

These Skype Security articles are worth reading:

<http://en.wikipedia.org/wiki/Skype_security>

[http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-C...](http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-
CCR_Fabrice_Skype.pdf)

[http://cryptanalysis.eu/blog/2011/12/28/encrypted-traffic-
mi...](http://cryptanalysis.eu/blog/2011/12/28/encrypted-traffic-mining-tm-e-
g-leaks-in-skype/)

<http://en.wikipedia.org/wiki/Skype_protocol>

------
ziko
Basically everything on the internet is coming a postcard rather than a letter
in an envelope. I'm not sure I can accept that.

------
huhtenberg
There is a similar problem with SmartScreen, also courtesy by Microsoft.

You, basically, send an email with a link to someone in Europe only to see it
being accessed from some random US IP that doesn't even have a PTR record.
With some effort this IP can be traced back to SmartScreen, but what's strange
is that it sometimes takes hours for the URL to get hit from such IP. This
doesn't make _any_ sense whatsoever, because SmartScreen is supposed to be a
pro-active defense against phishing and malware, so it should really be
scanning new links in real-time, upon reception. This scenario is arguably
even more troublesome than Skype's snooping, because it's not possible to
predict beforehand if the mail will end up getting SmartScreen'd.

[0] <http://en.wikipedia.org/wiki/Microsoft_SmartScreen>

~~~
nivla
I am confused, I thought SmartScreen was for downloaded files and website
visted through Internet Explorer. What does it have to do with emailing links?
Also as far as I understand, SmartScreen only sends in the hashes/part of the
hashes to get a match.

------
rayhoffman
Think about the combination of this monitoring with the U.S. CISPA data-
sharing provisions:

Microsoft says they are logging and pulling the content of links shared via
Skype for spam and malware prevention. This certainly falls under the umbrella
of "cybersecurity". Under CISPA, this "cybersecurity" information can be
freely shared with the U.S. government without fear of liability, and can be
further shared among all government agencies.

This sharing is probably happening already. But CISPA would allow it to be
brought out into the open and, particularly, for evidence so acquired to be
used in court proceedings and as supporting evidence for search warrants.

------
dewiz
I suppose no one is using gmail, gtalk, g+, g hangout, yahoo mail, etc etc
here?

The web is open, putting credentials in urls is stupid, and complaining about
spider hits is too.

If you think your URLs are safe because no one KNOWS about them, you are
simply doing it wrong. Hopefully your URLs are not changing any server side
resource, otherwise you have a bigger problem than a spider.

Have you considered those spiders might be verifying that you are not spamming
your friends, e.g. your computer could be infected and MS is trying to help
your friends?

~~~
vidarh
> If you think your URLs are safe because no one KNOWS about them, you are
> simply doing it wrong.

Case in point: I regularly bring up test web servers on my home server on
weird ports, and Googlebot regularly finds them; I don't particularly care -
anything I want to be private I password protect, but these are sites that are
linked from nowhere. But there's any number of acceptable way it could find
them: Some of the tools I use have default setups of Google Analytics that'd
leak any urls I visit on them; I often click through links to other public
sites from them, and any of those sites might leak the referrer.

So I agree with you that you should expect that URLs stay private.

But you can still have privacy expectations about the _exchange_ of a public
URL. E.g. someone might not like the thought that there is potentially a
record that they're visiting certain embarrassing sites.

The reason there is a shitstorm over this is not that Skype is necessarily or
even likely doing anything nefarious with the URLs, but that people had an
expectation of privacy about their conversation that they then found out
clearly is not being met.

If Skype/MS wants to scan every link, or retrieve them and put the contents on
billboards in public spaces, there's nothing inherently wrong with either
option. What is wrong is not realising that the actions they are taking are at
odds with peoples privacy expectations and making sure to communicate what
their actual expectation should be to users.

------
jokoon
It's funny to watch documentaries about the collapse of the soviet union and
then read about US companies doing this.

As long as a government is not doing it, I don't really any problem. But if
american companies sell those tech to other countries, maybe there's a
problem. Aren't there laws that prevent US companies to sell spying tools to
some countries ?

I really think that as time pass, the world will want more and more p2p or
pseudonymous/anonymous techs to evade such problems.

------
wslh
Someone tried putting terrorist related texts/images/videos in gmail or some
other webmail to see if a third-party tries to read your information?

It's a good honeypot.

------
alinspired
I can confirm a case of http (not httpS) link sent in skype accessed from
microsoft.

Access happened from 65.52.100.214 about 6hrs 40 minutes after I shared it in
skype. There were 4 http requests, while I shared the link with 2 people.

Unfortunately the server logs are not detailed enough to understand what
exactly been requested, given the page was under basic http authorization
(with credentials NOT in URL).

~~~
alinspired
This suddenly escalated from "thread on HN" to personal encounter and
realization that probably all Skype messages worldwide are stored by MS
FOREVER...

------
atomaka
This doesn't seem to be an uncommon practice. If you still use AOL Instant
Messenger, it does the same thing.

~~~
hosay123
Within 15 minutes of setting up a https CI environment, complete with
robots.txt, Googlebot was hitting the DNS name which also wasn't public or
previously used or easily guessed.

All the team use Gmail and one was using Chrome.

~~~
TheAnimus
Isn't that part of the TOS for Chrome? They use your browsing activity to
improve the search results.

I remember a storm in a teacup about MS doing this via their browser toolbar.

~~~
nivla
Google gets a lot of leeway from people. If you have done SEO, you will learn
that the Googlebot doesn't always respect the robots.txt. Requesting to de-
index a page may take weeks or even months. The quickest way is file a DMCA
complaint for the link to your own site.

Recently, they started tracking all downloads made on Chrome (for malwares),
it includes the filename, the URL, IP and the timestamp. Sucks hard since I
love Chrome and the only way to disable it is to disable the website malware
checker (which only uses part of the hashes anyway).

------
buraksarica
If MS doesn't request a GET operation, is this still a privacy issue? The
writer is bombing his/her own theory with saying "MS cannot understand if the
site is phising related or not, by just sending HEAD request".

------
bifrost
This happens when you install toolbars as well, you think a URL is private,
then all of a sudden private URL's are getting hits from googlebot/etc. Its
not a big leap to assume that this happens in anything else...

------
namank
The real concern would be if login credentials were sent through Skype and
Microsoft used those to gain unauthorized access.

------
timrogers
Facebook does this as well - they will hit any URL you post. This doesn't
prove any malice, in fact, quite the opposite.

~~~
sp332
But Facebook doesn't pretend to have a secure network. Skype often claims to
have a secure, encrypted network.

~~~
justncase80
It don't think visiting links nullifies the security and quality of encryption
of a network.

~~~
sp332
If someone visited a link, that means they read it. Which means it was
decrypted, which means it's not encrypted and secure.

~~~
timrogers
That seems like something of a bizarre argument - there's a different between
a computer reading it and a person doing so. I'm not convinced privacy is
infringed if it goes through, perhaps detects particular phrases (which are
presumably related to illegal activity in any case) and checks links for
malware. I don't have a problem with that.

~~~
sp332
You have no evidence for any of that. You literally just made that up. We
don't know what people or what computers have this information, how long they
are keeping it, or what they are doing with it. See, if the communications
network was really secure, we would have an answer for all those questions.

------
BadCRC
couldn't they be using this to prevent/detect spam?

edit: the article claims this can't be so because the page only does a HEAD
request, though a HEAD request could be useful if you wanted to detect an
HTTPS domain with ephemeral pages (which perhaps, could be a good feature in
detecting spam domains)

~~~
tlow
FTA: No. It is not a fitting explanation for spam or phishing prevention. The
author claims that these sites rarely use https.

Furthermore they used test URLs containing hypothetical login credentials and
showed how skype would get access to these.

The last troubling bit the author points out is that there seemed to be
anomalous traffic to URLs shared in a skype conversation, where a microsoft IP
seemed to attempt what they call a "replay attack".

~~~
nivla
> It is not a fitting explanation for spam or phishing prevention.

It is very common for spammers to break into other websites (using simple well
known exploit) and create links redirecting to the site hosting the malware.
So a site should not be excluded just because it has SSL.

Edit: "should" -> "should not"

~~~
tlow
Is it possible that you meant to say _not_ as in "a site should _not_ be
excluded just because it has SSL"?

~~~
nivla
Yup sorry, that is what I meant to write: "should not".

------
justncase80
There's no such thing as a private URL.

------
GigabyteCoin
It's probably just an algorithm checking that page for javascript
exploits/drive by downloads/etc.

------
shmerl
People still use Skype? Some never learn.

~~~
skeletonjelly
What do you use then? Skype fits the bill for a lot of people.

~~~
shmerl
XMPP and Jingle. OTR with ZRTP on top of that.

------
recoiledsnake
Alternate headline: Microsoft protects hundreds of millions of Skype users by
going to the effort of checking even https URLs in chat for malware and spam.

~~~
cooldeal
Reminds me of this HN post.

"New Skype malware spreading at 2,000 clicks per hour to mine Bitcoins"
<https://news.ycombinator.com/item?id=5502028>

One of the choice top HN comments:

"Why does Skype even have any clickable links in it at all if Microsoft can't
be bothered to keep the obvious malware out?"

Another comment:

"Re the conclusion: to protect yourself, don't run an OS that will silently
install software just because you clicked on a blue link in a program
published by the OS vendor. Steve Ballmer should be jailed as an accessory for
allowing this."

Damned if they do, damned if they don't.

~~~
VikingCoder
The browser follows the link. The browser can absolutely be checking for
malware links, and warning you before you follow them. And you should be able
to configure your browser to not do that, if you don't want it to.

So, it's not "damned if they do, damned if they don't," from my point of view,
they have to do it in the right place. Within Skype itself is absolutely not
the right place.

~~~
username3
The article doesn't mention which browser the reader and colleagues used to
open the link. It could be IE checking the links and not Skype.

~~~
jdmichal
It's not even using a HTTP GET request that a browser would. It's a HTTP HEAD
request.

------
OGinparadise
Apparently it says so on their privacy page:
<http://www.skype.com/en/legal/privacy/> _Skype may use automated scanning
within Instant Messages and SMS to (a) identify suspected spam and/or (b)
identify URLs that have been previously flagged as spam, fraud, or phishing
links. In limited instances, Skype may capture and manually review instant
messages or SMS in connection with Spam prevention efforts. Skype may, in its
sole discretion, block or prevent delivery of suspected Spam, and remove
suspicious links from messages._

If phishing and malware was spread thanks to skype, what would people say?

