A top security researcher has called for Microsoft to rethink aspects of its Suggested Sites feature in IE8. The optional feature in the next version of Microsoft's browser allows users to "discover websites you might like based on sites you've visited", as Microsoft explains it. When the feature is activated, the addresses of …
first to say
IT'S OPTIONAL - people need to not bitch, same kinda thing as with tv shows, don't like it, change the channel!
Makes perfect sense to me.
If you go to a URL that has a login and you fill this in and bang on the button then, if the site concerned then passes you to say: blah.blah.com/insideinfo&userid=jbloggs, then MS get the whole thing including the "jbloggs" bit you filled in on page one.
What's not to understand? The key bit here is "information associated with the web address" and the fact that they then go on to state that they don't take anything from the rendered page doesn't conflict with this at all.
e.g. For a real world example, typing a load of cobblers into Google produces a URL of: http://www.google.co.uk/search?hl=en&q=a+load+of+cobblers&meta=
Peer Guardian and block all MicroCrap sites
Why is this possibly useful, surely it sets alarm bells ringing in everyone's head the moment that they see this new 'feature'??
Personally, the only thing that I can see that this would be even slightly useful for is finding out if there is anything in the known universe that is better than thehun for late night shuffling material...
2nd Rate University
Drivel from a 2nd Rate University researcher......
Nobody should rely solely on "security by obscurity" or any information submitted as part of a URL (including session id values) as a means of securing any kind of non-public data.
Don't go mouthing off about Microsoft being the problem when the people that cause the real problems are the morons who design inherently insecure websites that any kid with half a brain could hack.
Switching on suggested sites
is a pratfall.
If you don't want to gift Microsoft a complete list of everything you have browsed, simply leave it off. Or upgrade to a proper web browser instead.
"Peer Guardian and block all MicroCrap sites"
Yes, because hacks based on blocking implementation details are so much better than just TURNING THE DAMN THING OFF. If you're a big company, then you mandate that by group policy. Sorted.
"still waiting for a clarification"
Well, while you're doing that, you could always refresh your memory of the explanations that we all gave you in the comments last time. Now put down the whip, and step away from the horse, it's not like the poor thing even knows you're there.
first force the purchase of IE
And then this?
95% of consumers do not know they have been ****** with IE. They think it is free even when they paid cash money when they got it.
And, yes, some even claim IE is free (so shut up and use it).
Just don't send any URLs produced from a <form> element.
Richard raises a good point
If people want to let MS know where they surf that's their business, but MS is going to have to be very careful how they share those URLs with the public (which is, after all, the point of the feature). The safest thing would be to share only the domain name, but as Richard points out that might not be enough if the site is something like Blogger that includes a million different sub-sites. But sharing the whole URL would risk giving away user IDs or even (on an exceptionally poorly made site) passwords. But it seems to me there's a middle ground.
And come to think of it, it has a lot to do with "search terms or data you entered in forms", AKA query strings. Basically URLs have three levels of detail. "example.com", "example.com/example.php" and "example.com/example.php?foo=example&bar=sample". The middle one should almost always be safe to share, and still provide enough detail to work with most sites. But the last one could definitely be a privacy risk. Ideally IE8 wouldn't even send that part back to MS, only the part to the left of the "?".
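Added example, not part of the thread and not IE8's or Microsoft's code: the three levels of URL detail described in the comment above, applied to the URLs quoted in the comments. It goes one step beyond the comment by also dropping embedded credentials and parameters carried in the path; the function names and the third sample URL are assumptions of this example.

```javascript
// Level 1 from the comment: the domain only.
function domainOnly(rawUrl) {
  return new URL(rawUrl).hostname;
}

// The comment's proposal taken literally: keep the part left of the "?".
function leftOfQuestionMark(rawUrl) {
  return rawUrl.split('?')[0];
}

// Stricter level 2 (this example's assumption): host plus path only.
// Scheme, userinfo, port, query and fragment are dropped, and every path
// segment is cut at the first ';', '&' or '=' so that parameters carried
// in the path do not survive.
function hostAndPath(rawUrl) {
  const u = new URL(rawUrl);
  const path = u.pathname
    .split('/')
    .map((segment) => segment.split(/[;&=]/)[0])
    .join('/');
  return u.hostname + path;
}

// Constructed samples: two URLs quoted in the thread (scheme added to the
// second) and one constructed URL with embedded credentials.
const SAMPLES = [
  'http://www.google.co.uk/search?hl=en&q=a+load+of+cobblers&meta=',
  'http://blah.blah.com/insideinfo&userid=jbloggs',
  'https://user:secret@example.com/example.php?foo=example&bar=sample#top',
];

// One row per sample: what each level of detail would disclose.
function compare() {
  return SAMPLES.map((url) => ({
    domain: domainOnly(url),
    naive: leftOfQuestionMark(url),
    reduced: hostAndPath(url),
  }));
}

console.table(compare());
```

Cutting at the "?" leaves "jbloggs" in the second sample and the credentials in the third, because neither sits in the query string; the stricter reduction removes both.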
black hats will love it
Just another way that they can use to game the Microsoft universe.
Sure MS will check all those submitted sites you just "visited" for loading your system with malware? We know how good the automated systems from Microsoft are on checking for malware. Call me cynical, but here we have another GREAT new feature that will help PCs get infected...
@first to say
As long as it's not turned on by default when IE is installed.
Yet another feature I don't need or want
This is another solution for advertisers to drum up traffic and a solution for Microsoft to charge for the service. I don't need any "suggestions" for where to surf. I've been doing it quite nicely on my own without any help.
Trust Microsoft at your own peril
This company is downright against your personal needs vs. the needs of their shareholders.
It's quite comical!