
Windows 10 has an undocumented certificate pinning feature - XzetaU8
https://hexatomium.github.io/2016/09/24/hidden-w10-pins/
======
shawkinaw
> So this very much looks like evidence of an active system-wide certificate
> pinning mechanism protecting against MITM attacks on high-value Microsoft
> domains. Which, per se, is a good thing!

I feel like a broken record, but no, if you can't turn this off, _it is not a
good thing!_ It means you can never use an HTTPS proxy and know exactly what
data is streaming off of your computer.

~~~
dpark
Given that products like Fiddler still work against live.com domains on
Windows 10, either the pinning isn't enabled, Fiddler knows how to bypass it,
or this isn't actually related to pinning.

~~~
ccrush
Or maybe the pinning isn't for IE, but for Windows sending MS hidden
information it doesn't want you to know about.

~~~
dpark
That's an awfully large list of domains for "hidden" telemetry. Hard to
imagine why all of those would be specified for that, e.g. some of those are
just landing pages.

Disclosure: Microsoft employee

------
Jaruzel
Could this list of domains be used as one-stop-shop to block all Windows 10
snooping?

~~~
yakult
It's like plugging leaks on a sponge boat. You don't know that a. there aren't
several lists, or b. they won't add it somewhere else with a future update or
even c. they won't just steganographically insert it into other innocuous
traffic to counter packet sniffing and hardware firewalls. Once you stop
trusting the OS maker, you can't trust the OS.

~~~
kobayashi
While MS using steganography seems a bit far fetched, I can't agree more with
your final statement. I simple don't trust MS anymore, and it's a sad state of
affairs.

~~~
eDameXxX
> I simple don't trust MS anymore

You just "simple" don't trust Microsoft. What about other big companies, for
example Google? Do you trust them or not? Why?

Do you trust Apple/Facebook/<put_here_another_big_company_with_users>? Why?

~~~
iotku
>You just "simple" don't trust Microsoft.

It's either a mistake, or English isn't their first language; regardless, your
wording and use of quotes makes this sound aggressive or insulting. (This sets
the tone for the rest of the comment.)

You understood what was meant.

>What about other big companies, for example Google? Do you trust them or not?
Why? Do you trust Apple/Facebook/<put_here_another_big_company_with_users>?
Why?

As for me personally, I don't trust most large companies very much. Many large
companies have a goal to collect a lot of data on you and potentially sell
that data, and that's ignoring Government snooping etc.

But I still use many of their services despite that. There's a trade off to be
made and occasionally it can be worth it, I just try not to give out more data
than necessary.

As for Microsoft and Windows/Windows 10 specifically, the stakes are higher.
Assuming I'm running a Microsoft OS, I'm dependent on it operating in my best
interests; everything I do on a computer is run through the OS. If my OS is
compromised by the vendor (in this case Microsoft), they can collect a lot of
data about me and my habits against my will.

The counter argument is usually something along the lines of "Well,
Google/Apple is doing all this stuff and worse!" with their mobile operating
systems, which may be true. The difference is I don't use my phone for
critical tasks or the majority of them, partially for that reason.

We've already lost the battle with phones, but I still want my PC to be
sacred, even though it might not actually be 100% possible.

------
eeZi
An attempt to do something similar with netfilter/Linux:
[https://github.com/fredburger/xt_sslpin](https://github.com/fredburger/xt_sslpin)

Recent fork:
[https://github.com/Enteee/xt_sslpin](https://github.com/Enteee/xt_sslpin)

Someone's blog post about it:
[https://duckpond.ch/networking/security/2016/09/09/xt_sslpin...](https://duckpond.ch/networking/security/2016/09/09/xt_sslpin.html)

/r/netsec discussion:
[https://www.reddit.com/r/netsec/comments/52me9w/xt_sslpin_ma...](https://www.reddit.com/r/netsec/comments/52me9w/xt_sslpin_match_ssltls_certificate_finger_prints/)

I like the idea.

------
satysin
Telemetry related of course. Shame it is not properly documented. As with all
things closed source we have no idea how this works, when it is updated or if
it is possible to ignore it totally.

~~~
besselheim
Looking at the list of domains, they appear to be almost entirely unrelated to
telemetry.

Most likely this feature is a response to incidents such as this:
[https://www.wired.com/2011/03/comodo-compromise/](https://www.wired.com/2011/03/comodo-compromise/)
(in which certs for login.skype.com and login.live.com were misissued by Comodo).

Blocking the domains in this list to prevent telemetry, as suggested in other
comments, would prevent access to most of Microsoft's online services. This
includes third-party websites hosted on Azure that aren't using their own
custom domain (.azurewebsites.net), and all software updates, including
critical security patches.
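The check that shawkinaw's proxy objection, dpark's Fiddler observation and the Comodo misissuance above all turn on is a single comparison: hash the SubjectPublicKeyInfo of each certificate in the served chain and look it up in a pin set. The following is an added example, not code from the article or from Windows, and the article does not say how Windows stores or evaluates its pins. It uses a minimal DER walker over constructed, unsigned, certificate-shaped structures (no real keys, no real Microsoft pins; the names and key bytes are invented for the demo) to show why a proxy-generated or misissued certificate fails the check regardless of which trusted root signed it, and why the site's own leaf can still rotate under a pinned intermediate.

```python
import base64
import hashlib

# Minimal DER helpers. Assumption: well-formed, definite-length DER input.
# This is a teaching example, not a general-purpose X.509 parser.

def der_tlv(tag, value):
    """Encode one DER TLV."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_read_tlv(data, offset=0):
    """Decode the TLV at offset -> (tag, value, offset_after_tlv)."""
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(data[offset + 2:offset + 2 + nbytes], "big")
        header = 2 + nbytes
    start = offset + header
    return tag, data[start:start + length], start + length

def der_children(value):
    """Split a constructed value into (tag, full_encoding) elements."""
    out, off = [], 0
    while off < len(value):
        tag, _, nxt = der_read_tlv(value, off)
        out.append((tag, value[off:nxt]))
        off = nxt
    return out

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.
    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_body, _ = der_read_tlv(cert_der)
    _, tbs = der_children(cert_body)[0]
    _, tbs_body, _ = der_read_tlv(tbs)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:      # explicit [0] version is absent in v1 certs
        fields = fields[1:]
    return fields[5][1]           # serial, sigalg, issuer, validity, subject, SPKI

def spki_pin(cert_der):
    """Pin format used by HPKP and Chromium: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def chain_matches_pins(chain_der, pins):
    """Accept the served chain if ANY certificate in it hits a pin. Pinning an
    intermediate/root key lets the leaf rotate without breaking clients."""
    return any(spki_pin(cert) in pins for cert in chain_der)

# ---- Constructed sample data: unsigned, certificate-shaped DER, no real keys ----
_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"          # rsaEncryption
_SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # sha256WithRSAEncryption

def fake_spki(key_material):
    """SPKI-shaped structure wrapping arbitrary bytes as the key BIT STRING."""
    alg = der_tlv(0x30, der_tlv(0x06, _RSA_OID) + der_tlv(0x05, b""))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + key_material))

def fake_cert(spki_der, subject_cn):
    """Certificate-shaped DER around a given SPKI; the signature is a placeholder."""
    def seq(*parts):
        return der_tlv(0x30, b"".join(parts))
    cn = seq(der_tlv(0x06, b"\x55\x04\x03"), der_tlv(0x0c, subject_cn.encode()))
    name = seq(der_tlv(0x31, cn))                              # SEQUENCE OF SET OF attr
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))            # [0] EXPLICIT v3
    sig_alg = seq(der_tlv(0x06, _SHA256_RSA_OID), der_tlv(0x05, b""))
    validity = seq(der_tlv(0x17, b"160924000000Z"), der_tlv(0x17, b"170924000000Z"))
    tbs = seq(version, der_tlv(0x02, b"\x01"), sig_alg, name, validity, name, spki_der)
    return seq(tbs, sig_alg, der_tlv(0x03, b"\x00" + bytes(32)))

# Keys the site operator controls (constructed). The operator pins both the
# leaf key and the issuing intermediate key, the usual belt-and-braces setup.
LEAF_SPKI = fake_spki(b"site-leaf-key-" + bytes(range(48)))
INTERMEDIATE_CERT = fake_cert(fake_spki(b"site-ca-key-" + bytes(range(48))), "Example Issuing CA")
PINS = {spki_pin(fake_cert(LEAF_SPKI, "login.live.com")), spki_pin(INTERMEDIATE_CERT)}

def demo():
    genuine = fake_cert(LEAF_SPKI, "login.live.com")
    # An intercepting proxy (Fiddler-style) or a misissued cert (Comodo, 2011)
    # carries the same name but a key the site never held; which trusted root
    # signed it is irrelevant to the pin check.
    proxy = fake_cert(fake_spki(b"proxy-key-" + bytes(range(48))), "login.live.com")
    proxy_ca = fake_cert(fake_spki(b"proxy-ca-key-" + bytes(range(48))), "Proxy Root")
    # Leaf rotation under the pinned intermediate still passes.
    new_leaf = fake_cert(fake_spki(b"new-leaf-key-" + bytes(range(48))), "login.live.com")
    return {
        "genuine": chain_matches_pins([genuine, INTERMEDIATE_CERT], PINS),
        "proxy": chain_matches_pins([proxy, proxy_ca], PINS),
        "rotated": chain_matches_pins([new_leaf, INTERMEDIATE_CERT], PINS),
    }

if __name__ == "__main__":
    print(demo())
```

The "any certificate in the chain" rule is what makes the proxy case fail cleanly: the proxy's root may be installed in the machine's trust store, so ordinary chain validation succeeds, but no certificate it serves carries a pinned key. It is also why a pin set that only names the current leaf key is fragile, and why a system-wide pin list with no documented override is exactly the operational concern raised in the thread.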

~~~
TazeTSchnitzel
I recall seeing a list of telemetry domains, and it's quite different.

This is a list of user-facing sites.

~~~
dirtbox
Correct. I made a quick dump of the telemetry hosts here:
[https://cl.ly/hZ3q](https://cl.ly/hZ3q)

If you have win10, you can add this to your hosts file. The optional portion
of the list will block store items, the email client and even things like the
Groove media player, so use it as you will.

~~~
lightedman
Given the OS is known to be able to ignore its own HOSTs file, you're better
off doing this directly in your router, if that is a possible option.

~~~
dirtbox
Unless you have a source that shows otherwise, I only know of it doing that if
it's formatted wrongly, which is going to be a problem with most things.

------
aceperry
Windows has lots of undocumented "features."

In all seriousness, I'm not sure this is a good thing.

------
woliveirajr
> Edit 1 (2016-09-24): This seems to be - at least partially - related to
> Telemetry, as briefly mentioned at the only page I could find:
> [https://technet.microsoft.com/en-us/itpro/windows/manage/con...](https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization)

So some are related to telemetry, but probably not all of them.

------
SanPilot
This is why I always run open source software on my systems.

~~~
divbit
If you are taking this as an argument for e.g. Linux over Windows, certificate
pinning is a good thing, though? It helps prevent MITM attacks, as stated in
the article. (Not to say that you shouldn't run Linux.)

------
RyJones
Interesting that they are pinning certs for -int domains (integration testing)
but not -ppe (pre-production).

perhaps they no longer use -ppe?

