See here: http://billing.handsonwebhosting.com/knowledgebase.php?actio...
As he says:
"I haven’t checked whether Windows SmartScreen does in fact use SSLv2, but the fact that the Microsoft servers support it is concerning."
Yeah, maybe check next time before you shout that the sky is falling.
If you are concerned about the privacy issue (MS getting requests indicating what was installed - not the bogus MITM claim), disabling this is offered in the privacy settings, and it is even put in front of your face during OS install. Also, all major AV products do the same thing, except they're not as transparent about it.
Nothing to see here.
The point of my article isn't SSLv2, it's privacy concerns. Also, I did actually check and disabling SmartScreen doesn't seem to be offered during OS install, did I miss something?
Thanks for the disgusting ad-hominem! It totally aids your missing the point.
Edit: Whoa, I think I've figured out why this guy is being so personal; his submission history includes promoting a security company I left after a brief stint. Small world!
Edit: Just updated the article with information on that!
In general, though, I think we're at the point where we can stick a fork in the trust model we've been using up to this point. 2v3/TLS 1.1/EC+DHE isn't the issue, and the more time we spend talking about those issues, the less time we spend focusing on fixing the fundamentals of internet security 3-5 years from now, which we need to actually get right this time.
Microsoft already gathers lots of information from customer experience improvement data and crash dumps and stuff like that, and goes to tremendous efforts to ensure that it is never traceable back to an individual. I don't know for sure but I'd be surprised if the same policies were not in play here also.
What's the default behavior? I think we've all had experiences of (or know of) not entirely reading all things and ending up with eight new IE taskbars installed.
You wouldn't personally care if messages were intercepted regarding the apps you're installing, but imagine the kind of leverage it would give someone trying to profile a network of activists in Syria. The exact version number of every app on every computer, perfect for studying the exploit surface.
First they came for the socialists,
and I didn't speak out because I wasn't a socialist.
The base-64 encoded strings in the request are the HTTP referrer and the download location, respectively. The "client key" and "MAC" seem to be API key-like authenticators. Not sure what the GUIDs are about.
Anyway, the use of this data has been explained in quite a bit of detail a long time ago already: http://windows.microsoft.com/en-US/windows-vista/smartscreen....
As said elsewhere already, the feature is easy enough to turn off. And there is definitely an opt-in question somewhere, as I had to enable the feature on my machine in order to test it...
If one loads an app on Facebook or searches on Google or even visits a commercial website one's privacy is likely to be compromised.
None of this makes Windows behavior entirely devoid of causing concern, but in my opinion, Microsoft is more trustworthy filling that role than the crapware antivirus providers who have been doing it for years.
Malware protection requiring surrendered privacy seems a pretty crappy "feature." Why can't Microsoft do better?
Yes, and no.
(besides, if you can just tamper with the filesystem you're kinda in already)
Exactly, most users being the key point. You need to target all this stuff for the lowest key denominator and unfortunately for those of us on HN... but at least we have the knowledge that this exists. I think krautsourced's point stands.
Damned if you do, damned if you don't!
How much more of this will we take before enough people demand privacy again? What event has to happen? On our phones, applications can't even be downloaded until monitored and approved by the corporation (one step further than this). Our desktops have been moving in this direction for some time already.
Probably when actual privacy issues surface, not this "zOMG Microsoft collects a hash and IP!" nonsense. Between crash dumps, the CEIP, and other downloads directly from their site, this is a complete and total non-issue.
I'm not saying I support it, but what I am saying is I would feel very uncomfortable knowing that my computer company would instantly inform the police if I downloaded "suspicious software" regardless of my purpose, but that's just a glimpse of where I see their next move being after the idiocy of ACTA and all the recent changes to privacy laws.
I imagine there's little likelihood that this capability could have impeded the Arab Spring since Microsoft wouldn't have cooperated, but it seems like this would create a vulnerability for Microsoft doing business in China. If China decided they wanted to more actively monitor software intended to bypass firewalls and circumvent censorship policies, I wonder how effectively Microsoft could resist.
You should think of Tor as a tool for everyone, where we all cooperate to increase our privacy, and have anonymity when we need it.
- iTunes and App Store
- Windows Phone marketplace, MSDN, upcoming software marketplace
- Amazon App Store and Google's Play Store
- Chrome Web Store and Firefox's add-on marketplace
- Ubuntu Software Center, packet managers in general
- Facebook's App Center
- Github, Google Code and SourceForge
I doubt there's anyone on HN who doesn't have a long history with a lot of names on that list. Almost every piece of software and game I have on every device I use has come via this list.
But I'm sure all of these .. centralized installation hubs I guess .. are reasonably vindicated by their privacy policies - where everyone's idea of 'reasonably' is different and most of them aren't like ours.
Large scale MITM, though, isn't, through compromised CAs, etc. That threat is much more severe and affects basically all software that relies on SSL/TLS (whatever version) for securing a connection or the CA system for validating the authenticity of downloads. That's a much more serious problem.
If MSFT is indeed not honoring opt-out of CEIP and other programs, the issue is them not honoring that preference. The particulars of the encryption built on top of a broken model are not the issue.
Please, explain why this in particular is so bad. It's tracking in a sense, but they are not going to use it to violate privacy.
The SafeBrowsing protection in Firefox downloads the entire malware/phishing database from Google in a highly compressed format, through incremental updates, and this is completely uncorrelated to what you visit.
If a URL you browse to is found as a match in that local database, then and only then is a lookup to a remote server done to check if the compressed URL was not a false positive, and if it's still up to date. This lookup isn't even of the URL you visited, but of the SHA-256 of it. This allows verifying if it was a known malware URL, but it is not possible to reverse it and obtain your URL if the hit was a false positive (due to the compression).
Firefox has some additional privacy protection here in that it will check a whole bunch of random entries from the local database whenever there is a hit, so even the party at the other end (Google) can't tell what malware URL, if any, you actually hit.
Google has added an additional, undocumented SafeBrowsing service to Chrome to check downloaded files, and that one does send the URL off to Google for scanning, but Mozilla has refused to implement this feature in Firefox until the privacy concerns can be addressed.
Note that, aside from being much better for privacy, using a local database is obviously of much higher performance than contacting a remote server for every URL.
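The lookup flow described in the comment above, as an added example that is not part of the original thread and is not Firefox's or Google's code: a local set of truncated SHA-256 hashes is consulted first, and only on a local hit does a request go out, carrying the matching prefix mixed with decoy prefixes. The 4-byte prefix length, the class and function names, the in-process `Server` stand-in and the absence of URL canonicalization are all assumptions made for illustration.

```python
import hashlib
import random

PREFIX_LEN = 4  # assumption: bytes of each SHA-256 digest kept in the local list


def full_hash(url: str) -> bytes:
    return hashlib.sha256(url.encode("utf-8")).digest()


class LocalList:
    """Client-side database: truncated hashes only, never the URLs themselves."""

    def __init__(self, bad_urls, decoys=3, rng=None):
        self.prefixes = {full_hash(u)[:PREFIX_LEN] for u in bad_urls}
        self.decoys = decoys
        self.rng = rng or random.Random()

    def prefixes_to_send(self, url):
        """Return [] on a local miss (nothing leaves the machine); on a hit,
        return the matching prefix shuffled together with decoy prefixes."""
        prefix = full_hash(url)[:PREFIX_LEN]
        if prefix not in self.prefixes:
            return []
        others = sorted(self.prefixes - {prefix})
        batch = [prefix] + self.rng.sample(others, min(self.decoys, len(others)))
        self.rng.shuffle(batch)
        return batch


class Server:
    """Hypothetical stand-in for the remote service; records what it can observe."""

    def __init__(self, bad_urls):
        self.full = {full_hash(u) for u in bad_urls}
        self.seen = []  # every batch of prefixes received

    def lookup(self, prefixes):
        self.seen.append(list(prefixes))
        return {h for h in self.full if h[:PREFIX_LEN] in prefixes}


def check(url, local, server):
    """True only if the full SHA-256 of the URL is confirmed by the server."""
    batch = local.prefixes_to_send(url)
    if not batch:
        return False  # local miss: no network request at all
    return full_hash(url) in server.lookup(batch)
```

A prefix that matches locally but whose full hash is not confirmed is the false-positive case: the server sees a batch of prefixes and still cannot recover the visited URL from them.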