[WEB SECURITY] IE7 Phishing Filter Tells Microsoft The URLS You Visit?

[Jason Muskat, GCFA, GCUX, de VE3TSJ]

Hello,

Yes. There are two types of Anti-Phishing "filters":

1) Download the list and compare locally -- May URL-like filters work this
way
2) Check each URL remotely

The general direction for this and URL-like filtering is the latter; kinda
like DNS RBLs.

Before the feature is enabled one should read the license and privacy
policy; then realize that this information is being sent over the Internet
in the clear. 

As of yet I have not seen a "Do not check the following domains and IP
address ranges" setting. It is not uncommon to see "encoded" passwords and
such sent off to the provider.


Regards,

-- 
Jason Muskat  | GCFA, GCUX - de VE3TSJ
____________________________
TechDude
e. Jason at TechDude.Ca
m. 416 .414 .9934

http://TechDude.Ca/


> From: <bugtraq at cgisecurity.net>
> Date: Tue, 19 Dec 2006 15:01:49 -0500 (EST)
> To: <websecurity at webappsec.org>
> Subject: [WEB SECURITY] IE7 Phishing Filter Tells Microsoft The URLS You
> Visit?
> 
> According to SPI Labs IE7 sends personal information on urls that you request
> to Microsoft.
> 
> Link: http://portal.spidynamics.com/blogs/spilabs/
> 
> - Robert
> http://www.cgisecurity.com/ Web Application Security news and more
> http://www.cgisecurity.com/index.rss [RSS Feed]
> 
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
> 
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 



----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]