
back to article German publisher accuses Microsoft of URL sniffing

Is Microsoft “snooping” on Skype text conversations, or merely protecting users from malware URLs? German publisher Heise Online has given that question prominence with the accusation that Redmond is snooping, as the result of receiving return visits from Microsoft IP addresses if they send HTTPS URLs through Skype text chats. …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Could somebody please remind me

what was Microsoft saying about a certain company that ruthlessly invades privacy of their users?

14
1
Anonymous Coward

Re: Could somebody please remind me

probably something about reprehensible behaviour unworthy of any reputable company, why?

1
0
Bronze badge

Sign in requests

I don't know what useful information you can get from HTTP headers, but using replayed sign-in, a header request would obviously be safer than a full page request (you will always be able to do a stateless header request).

And clearly, using a replayed sign-in is how you test if a malicious site is using stealth tactics to hide from view a malicious payload. Such sites are already known to hide from AV companies, so this seems like an obvious test.

2
4
Bronze badge
Thumb Down

I don't trust Redmond, but..

What I actually think is going on is a hidden criminal gang within their organization - or at least a few rotten insiders. I have clients who were attacked within the supposedly trusted Partner's network, and Microsoft just turns a blind eye to it, and doesn't do anything to check on the complaints as near as I can tell. They need to look in their own back yard as well as police the botnets.

5
2
Bronze badge
Big Brother

Does anyone know

what they are doing, if they really find such a malicious link in an online conversation?

Do they remove the link from the conversation? Do they block the sender for distributing malicious links?

And what is their definition of a malicious link? Do they filter links to jailbreak projects, warez sites, p2p software, etc?

And not the least of all - why do they monitor private conversations, anyway? In some countries that might even be illegal by itself.

8
0

Re: Does anyone know

Microsoft did this with MSN and later filtered malicious sites detected this way; their legal team know it's safe to do.

0
0
Bronze badge

If you're passing sign-on credentials in a URL, you are doing it wrong.

11
0
Silver badge
Big Brother

Do you trust them?

I think it was President Clinton who let slip that the Echelon project collected data useful to USA corporations as well as its intended use.

I stopped using Skype the moment MS bought it.

You'd be nuts to run your business using Office 365.

My MS trust level = 0

http://en.wikipedia.org/wiki/ECHELON

8
1
Bronze badge

"You'd be nuts to run your business using Office 365".

@ Mystic Megabyte

Too right, mate. It's common knowledge that even countries within the EU are aiming industrial espionage at each other. To store any commercially sensitive material in the cloud is just asking for it to be borrowed. Whatever assurances MS might offer, they are subject to US government control, formal and informal.

9
0
Bronze badge
Mushroom

Re: "You'd be nuts to run your business using Office 365".

It's still better than Google Apps though - both in terms of functionality and privacy....

1
5

Re: "You'd be nuts to run your business using Office 365".

"It's still better than Google Apps though..."

Google Mail is apparently the choice of CIA operatives in Moscow, if recent reports are to be believed.

I think it is always sensible for users to think about the location and jurisdiction applying to any services or servers that they use and how those jurisdictions may treat foreigners and their data.

4
0
Bronze badge
Mushroom

Re: "You'd be nuts to run your business using Office 365".

"Google Mail is apparently the choice of CIA operatives in Moscow, if recent reports are to be believed."

Errm, and the secret services are well known for disclosing the tools of their trade? It might be the choice for personal use, but I don't think you will find any of the CIA has as yet outsourced itself to Google Apps.... The US Government prefers Office 365: http://finchannel.com/Main_News/Tech/127568_Businesses_choose_Microsoft_Office_365_over_Google_Apps/

0
3
Anonymous Coward

That's not the biggest issue

The report said that when they passed unencrypted, http, links these weren't checked, only the encrypted, https, ones were.

How would Microsoft get to know of malicious sites if it doesn't scan the whole page for viruses to start with, so sending a head is useless?

It is probably just to do with the agreement that Microsoft have with the US government to record their users' activities and retain them for a set period. Some thought that this would be likely to happen after Microsoft took over Skype.

9
0
fpx
Unhappy

No End-to-End Encryption

I used to think that Skype conversations were encrypted end-to-end. That Microsoft is even able to intercept any URLs proves that this is not the case, that they are technically capable of snooping on any messages and voice conversations.

Given that you have clicked-through their terms of use, I'm sure that authorities will argue that there is no expectation of privacy in Skype conversations and calls, and that therefore no warrant is required to siphon them into their databases.

7
0
Bronze badge
Mushroom

Re: No End-to-End Encryption

You thought wrongly then:

http://paranoia.dubfire.net/2012/07/the-known-unknows-of-skype-interception.html

1
1
Bronze badge

Sorry, but any URL that you post into a third-party service, you have to assume someone else can see it. It doesn't really matter if it's Skype, Facebook, XMPP, or anything else.

And anyone using sites with authentication information contained in the URL? Sorry, you deserve what you get. Even HTTPS sessions. The data is encrypted for a reason, and the URL *NOT* encrypted for the opposite reason - with cookies etc. there's no excuse for the URL to contain authentication within them.

Anyone this is an issue for? Don't go copy-pasting URLs into chat conversations that might give away details that you don't want to give away. If there's no way to transmit URL information WITHOUT revealing your authentication etc. details - stop using that site. Or at least tell people how to log in for themselves rather than copy-paste your own direct links.

It's not a security issue, but maybe a simple privacy issue. And I'm sure there's a clause in Skype/MSN/Google Talk and anything else that they may monitor conversations for the purposes of security etc.

And, if you're REALLY that worried, use OTR encryption via a third-party plugin through whatever IM provider you prefer.

4
1
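An added example, not part of the thread or of Heise's report: a server-side log check for the situation the article and the comments above describe, a URL carrying credentials in its query string being requested again from a second address. The parameter names, log lines and addresses (documentation ranges) are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumed parameter names that tend to carry credentials; adjust per application.
SECRET_PARAMS = {"token", "session", "sid", "auth", "key", "password"}

# Common Log Format prefix: client - user [time] "METHOD target PROTOCOL"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*"')

def secret_params(target):
    """Names of credential-like query parameters present in a request target."""
    names = {k.lower() for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)}
    return sorted(names & SECRET_PARAMS)

def find_replays(log_lines):
    """Report credential-bearing URLs requested from more than one client address."""
    seen = defaultdict(list)  # full request target -> [(client_ip, method), ...]
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _, method, target = m.groups()
        if secret_params(target):
            seen[target].append((ip, method))
    findings = []
    for target, hits in seen.items():
        first_ip = hits[0][0]
        others = [(ip, method) for ip, method in hits[1:] if ip != first_ip]
        if others:
            findings.append({
                "path": urlsplit(target).path,       # report the path only, never the secret value
                "params": secret_params(target),
                "first_client": first_ip,
                "replayed_by": others,
            })
    return findings

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:02:11 +0000] "GET /share?doc=42&token=abc123 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 900',
    '203.0.113.50 - - [01/Jan/2024:14:31:02 +0000] "HEAD /share?doc=42&token=abc123 HTTP/1.1" 200 0',
    '203.0.113.50 - - [01/Jan/2024:14:40:00 +0000] "HEAD /about?ref=chat HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for finding in find_replays(SAMPLE_LOG):
        print(finding)
```

A finding here means the link worked for someone other than the original client, which is the case for expiring or binding such tokens rather than relying on the URL staying private.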
Silver badge
FAIL

@Lee D

Even HTTPS sessions. The data is encrypted for a reason, and the URL *NOT* encrypted for the opposite reason - with cookies etc

Wrong. The URL and all headers are encrypted as part of the https stream.

The only part that is not encrypted is the remote host name.

1
0
Anonymous Coward

No longer P2P

I think fpx is onto the real story here. AFAIK Skype used to be peer-to-peer. Your IM was on your machine, the machine of the person you are talking to, and passed (encrypted) through some random supernodes along the way. This story demonstrates that the model has changed. Either all Skype IM is now passing through Redmond and getting decrypted there (= bad) or the Skype client is parsing the IM conversation and sending tasty morsels back to Redmond (= also bad). Sounds like vanilla Skype is now equivalent to TOM-Skype.

When Microsoft threw $8.5 billion on the table, my first thought was "I wonder if the NSA is funding this deal".

7
1

What's the problem!?

If it's a publicly accessible webpage, there is every chance another person is going to access it at some point. And whether they're using GET or HEAD, it's nothing more than any search engines do.

And as someone else said, if you are really that bothered about it, don't share it over a public network.

0
2