Feeds

Fresh privacy fears over IE 8 Suggested Sites

Promiscuous URL sharing not a great idea, warns top Cambridge researcher

SANS - Survey on application security programs

A top security researcher has called for Microsoft to rethink aspects of its Suggested Sites feature in IE8. The optional feature in the next version of Microsoft's browser allows users to "discover websites you might like based on sites you've visited", as Microsoft explains it.

When the feature is activated, the addresses of sites visited are sent to Microsoft, alongside informations such as IP address, browser type, regional and language settings, in an encrypted form. Microsoft draft IE8 privacy policy explains that "information associated with the web address, such as search terms or data you entered in forms might be included".

Microsoft was able to allay concerns that data from secure sites might be sampled or that the feature might be used to serve up targeted advertising in response to our earlier queries on the technology, prompted in response to posts by privacy activists on the No Deep Packet Inspection campaign website. However, concerns about the privacy implications of the technology remain.

Cambridge University security researcher Richard Clayton, who carried out an analysis of Phorm for the Foundation for Information Policy Research (FIPR), said full URL sharing via Suggested Sites poses a privacy and security risk. In particular he warns Microsoft should avoid sharing data submitted by surfers with other users of the service.

Microsoft should be clearer about explaining the risks as well as the benefits of the service, he adds.

In order for Microsoft to suggest other websites that you might like to look at, they need to know where you've been visiting lately. If you're embarrassed about saying where that is, then you leave the new feature turned off and no harm is done.

However, if you turn it on, then it appears that you hand over the entire URL of where you've visited. On some sites that's essential: if you've been on blogger.com, then knowing which of the eight million blogs you visited will matter. However, on other sites, that full URL may hold clues to your identity, give permissions to others to access the site, or compromise your privacy or security in some other manner.

The risk that someone at Microsoft decides to use that URL for wickedness are rather small - but what if they hand off the URL to someone else with similar tastes, for them to try visiting the places that you go to. Suddenly all that "security through obscurity", the pious hope that no one could possibly guess that URL, goes up in smoke.

Microsoft could do better, by minimising the data transfer, and only obtaining longer URLs for the sites, like blogger.com, where it actually matters. In the meantime, they should spell out the risks up front, along with the benefits... or did they genuinely think that there weren't any risks?

Clayton's response, which came in response to a request by El Reg for his opinion on the privacy implications of the technology, moves on the debate about whether Suggested Sites allows users a richer surfing experience or creates more problems than it solves.

Microsoft told us that when InPrivate (aka pron surfing) mode is applied within IE8, then Suggested Sites is temporarily turned off. "Data about secure HTTPS sites visited, intranet sites or local files on the PC" is excluded at all times, it added.

Microsoft went on to say that IE8 does "not send back any elements of data in the body of a rendered page" a statement that sits oddly alongside an explanation in the draft privacy policy) from IE 8 that "information associated with the web address, such as search terms or data you entered in forms might be included" in data submitted when Suggested Sites is turned on. We're still waiting for a clarification from Microsoft on this point. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.