[WEB SECURITY] IE7 Phishing Filter Tells Microsoft The URLS You Visit?

Shane Forsythe shane at ces.fau.edu
Wed Dec 20 09:10:14 EST 2006


By default install, Firefox 2.0 downloads a list of known phishing sites 
every 30 mins or so, I believe.  Any sites you go to are checked, locally, 
against that list.  If you go into Tools->Options->Security, you see 2 
options:
 - Check using a downloaded list of suspected sites   (default selected)
 - Check by asking Google (<- drop down choices) about each site

When you check the second option, a LARGE popup box comes up with this text

"If you choose to check with Google about each site you visit, Google 
will receive the URLs of pages you visit for evaluation. When you click 
to accept, reject, or close the warning message that Phishing Protection 
gives you about a suspicious page, Google will log your action and the 
URL of the page. Google will receive standard log information 
<http://www.google.com/privacy_faq.html#serverlogs>, including a cookie, 
as part of this process. Google will not associate the information that 
Phishing Protection logs with other personal information about you. 
However, it is possible that a URL 
<http://www.google.com/privacy_faq.html#urls> sent to Google may itself 
contain personal information. Please see the Google Privacy Policy 
<http://www.google.com/privacypolicy.html> for more information."

In IE, you are asked "Do you want to turn on automatic website checking 
to prevent fraudulent sites"  (sounds like a pretty good thing, right?) 
... but no details are specified as to what that implies. 

Now I'm not 100% certain, cause I do not remember the exact dialogs when 
IE7 first installed ... but going under Options->advanced to turn on or 
off...that is the only descriptive dialog I see.

Keeping track of every website you visit, I think, has huge security 
implications ... and even if you trust Microsoft, this must be very 
explicitly pointed out to users.

Chris Weber wrote:
> You can always disable it, I think the first time it activates it tells you
> what it's gonna do.  Firefox has something similar in the works don't they?
> And Google toolbar does too.  Checking/sending internal IP addresses though,
> that's just bad... likely a design bug.  Maybe they felt the need to send
> all because of the complexity of dotless IP notations, although that should
> be catchable down in the WININET pipeline...
>
> -----Original Message-----
> From: bugtraq at cgisecurity.net [mailto:bugtraq at cgisecurity.net] 
> Sent: Tuesday, December 19, 2006 12:02 PM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] IE7 Phishing Filter Tells Microsoft The URLS You
> Visit?
>
> According to SPI Labs IE7 sends personal information on urls that you
> request to Microsoft.
>
> Link: http://portal.spidynamics.com/blogs/spilabs/
>
> - Robert
> http://www.cgisecurity.com/ Web Application Security news and more
> http://www.cgisecurity.com/index.rss [RSS Feed]
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List: 
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>


-- 
Shane Forsythe
System Administrator
Florida Center For Environmental Studies
Florida Atlantic University
3932 RCA Blvd., Suite 3210
Palm Beach Gardens, FL 33410
Tel 561 799 8558
Email: shane at ces.fau.edu
Website: www.ces.fau.edu
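
The thread contrasts a local list check with sending each URL to a remote service, and raises internal addresses and dotless IP notations as the hard part. The sketch below is an added example, not code from IE7, Firefox or Google: it decides whether a URL may leave the machine and in what reduced form. The function names and the stripping policy are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_legacy_ipv4(host):
    """Parse 1-4 part IPv4 spellings (decimal, 0-octal, 0x-hex), incl. dotless."""
    nums = []
    for p in host.split("."):
        if not (p.isascii() and p.isalnum()):
            return None
        try:
            if p.lower().startswith("0x"):
                nums.append(int(p[2:] or "0", 16))
            else:
                nums.append(int(p, 8 if len(p) > 1 and p[0] == "0" else 10))
        except ValueError:
            return None          # not numeric: an ordinary host name
    if len(nums) > 4 or any(n > 0xFF for n in nums[:-1]):
        return None
    if nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = nums[-1]             # last part fills all remaining low bytes
    for i, n in enumerate(nums[:-1]):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def url_for_remote_check(url):
    """Return the reduced URL that may leave the machine, or None to stay local."""
    u = urlsplit(url)
    host = (u.hostname or "").rstrip(".")
    try:
        port = u.port
    except ValueError:
        return None
    if u.scheme not in ("http", "https") or not host:
        return None
    try:
        ip = ipaddress.ip_address(host)        # dotted IPv4 or IPv6 literal
    except ValueError:
        ip = parse_legacy_ipv4(host)           # e.g. 3232235777, 0xC0A80101
    if ip is not None and not ip.is_global:
        return None                            # private, loopback, link-local
    if ip is None and "." not in host:
        return None                            # single-label intranet name
    # Assumed policy: drop userinfo, query string and fragment before sending.
    netloc = f"[{host}]" if ":" in host else host
    if port:
        netloc += f":{port}"
    return f"{u.scheme}://{netloc}{u.path or '/'}"
```
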

