<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Suggested Sites &amp; Privacy</title><link>http://blogs.msdn.com/b/ie/archive/2009/02/05/suggested-sites-privacy.aspx</link><description>The IE8 feature Suggested Sites helps you discover related sites that can be helpful to get more information about your interests. Under the hood, Suggested Sites is a system that provides suggestions by using a collection of users’ visited sites. You</description><dc:language>en-US</dc:language><generator>Telligent Evolution Platform Developer Build (Build: 5.6.50428.7875)</generator><item><title>re: Suggested Sites &amp; Privacy</title><link>http://blogs.msdn.com/b/ie/archive/2009/02/05/suggested-sites-privacy.aspx#9404328</link><pubDate>Sat, 07 Feb 2009 13:48:58 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9404328</guid><dc:creator>Mitch 74</dc:creator><description>&lt;p&gt;@Warren: yes, I know how TCP/IP works (the packet's origin IP address is inside the TCP/IP packet headers). I also understand that even using raw port access and inserting bogus IP addresses wouldn't work, because anybody connecting to the intarweb through a router would have that replaced with their router's IP address anyway. That part must, indeed, be stripped server-side.&lt;/p&gt;
&lt;p&gt;The cookie policy is another matter, as &amp;quot;Suggested sites&amp;quot; by its function implies that IE would browse browsing history to see what suggestions would work best. What, then, is the server removing in the &amp;quot;cookies&amp;quot; part of the data transfer? &amp;quot;Suggested Sites&amp;quot;'s? Or cookies associated with the transmitted URL? If it's the former, ok. If it's the latter, not OK!&lt;/p&gt;
&lt;p&gt;@Bruce: HTTPS is an encrypted version of HTTP, using a different TCP/IP port. Encryption is determined through another protocol, currently SSLv3, using (quite often) RSA and AES - which are not cracked. However, many SSLv3 certificates are signed using MD5 hashes, and THAT has been cracked: &lt;a rel="nofollow" target="_new" href="http://blog.wired.com/27bstroke6/2008/12/berlin.html"&gt;http://blog.wired.com/27bstroke6/2008/12/berlin.html&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Note that in papers dating back to 2004, MD5 was already known to be not very secure, and put SHA-1 not much higher (it is better and still uncracked, though).&lt;/p&gt;
&lt;p&gt;In short: stripping IP addresses can in practice only be done server-side, ok (it shouldn't be repeated inside sent data, if it was ever part of it); stripping cookies shouldn't be necessary, because aside from &amp;quot;Suggested Sites&amp;quot;'s own, no cookies should be accessible (same origin policy, but there still are cookies that cite '*' as their origin). If it's already the case, OK (but the message isn't clear on that).&lt;/p&gt;
&lt;p&gt;The SSLv3 protocol, when MD5 is used for its security certificate signatures (and there are still many out there, so browsers won't yet cut them off), isn't fool-proof. Couple that with a DNS corruption (like we got all summer/fall 2008), and suddenly &amp;quot;suggested sites&amp;quot; becomes quite dangerous.&lt;/p&gt;
</description></item><item><title>re: Suggested Sites &amp; Privacy</title><link>http://blogs.msdn.com/b/ie/archive/2009/02/05/suggested-sites-privacy.aspx#9402725</link><pubDate>Fri, 06 Feb 2009 21:58:16 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9402725</guid><dc:creator>ashishag</dc:creator><description>&lt;p&gt;Please have Ctrl+L move the cursor to the address bar rather than opening a new box, just like Firefox. It's frustrating to have Ctrl+L open a new box when Ctrl+O already does the same.&lt;/p&gt;
</description></item><item><title>re: Suggested Sites &amp; Privacy</title><link>http://blogs.msdn.com/b/ie/archive/2009/02/05/suggested-sites-privacy.aspx#9402539</link><pubDate>Fri, 06 Feb 2009 20:01:29 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9402539</guid><dc:creator>jane kim [MSFT]</dc:creator><description>&lt;p&gt;Great comments - thanks for reading!&lt;/p&gt;
&lt;p&gt;@Tino – The suggestions are purely based on relevance and not advertisements or sponsored links.&lt;/p&gt;
&lt;p&gt;@Joseph – By default, the feature is off, and you can also control it through the Tools &amp;gt; Suggested Sites menu item.&lt;/p&gt;
</description></item><item><title>Suggested Sites suggests Malware!</title><link>http://blogs.msdn.com/b/ie/archive/2009/02/05/suggested-sites-privacy.aspx#9402478</link><pubDate>Fri, 06 Feb 2009 19:28:59 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9402478</guid><dc:creator>KS</dc:creator><description>&lt;p&gt;Suggested Sites has already &amp;quot;suggested&amp;quot; sites that try to install MALWARE on the unsuspecting visitor. You need to disallow this!&lt;/p&gt;
</description></item><item><title>re: Suggested Sites &amp; Privacy</title><link>http://blogs.msdn.com/b/ie/archive/2009/02/05/suggested-sites-privacy.aspx#9402308</link><pubDate>Fri, 06 Feb 2009 18:12:39 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9402308</guid><dc:creator>Bruce</dc:creator><description>&lt;p&gt;&amp;lt;&amp;lt;&amp;lt;HTTPS isn't fool-proof anymore, SSLv3 having been cracked through brute force&amp;gt;&amp;gt;&amp;gt;&lt;/p&gt;
&lt;p&gt;Absurd. &amp;nbsp;Quote your sources. &amp;nbsp;(Hint-- SSLv3 isn't even a cipher.)&lt;/p&gt;
&lt;p&gt;&amp;lt;&amp;lt;&amp;lt;still a risk the Suggested Sites security certificate gets cracked, and all data intercepted gathered by the cracker would be an open book.&amp;gt;&amp;gt;&amp;gt;&lt;/p&gt;
&lt;p&gt;It's pretty clear that you don't understand how HTTPS actually works. &amp;nbsp;Further, you're overlooking the fact that if there's an active attacker on the line who can mess with your SSL, s/he could just as easily see the raw HTTP traffic you're sending when you actually visit the sites whose URLs are submitted over the encrypted channel.&lt;/p&gt;
&lt;p&gt;&amp;lt;&amp;lt;&amp;lt;Is there a way we can opt-out of suggested sites&amp;gt;&amp;gt;&amp;gt;&lt;/p&gt;
&lt;p&gt;Don't opt in to the feature to start with??&lt;/p&gt;
</description></item><item><title>re: Suggested Sites &amp; Privacy</title><link>http://blogs.msdn.com/b/ie/archive/2009/02/05/suggested-sites-privacy.aspx#9402204</link><pubDate>Fri, 06 Feb 2009 17:24:10 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9402204</guid><dc:creator>Warren</dc:creator><description>&lt;p&gt;Mitch 74:&lt;/p&gt;
&lt;p&gt;It's an artifact of the TCP/IP protocol -- you can't /not/ send your IP address. Microsoft's servers necessarily /must/ know your IP address in order to establish a TCP connection so that it can transmit the results back to you. &amp;nbsp;What Microsoft is saying here is that they discard this information once the session is completed, i.e. they aren't writing it to logs or a database somewhere for future use.&lt;/p&gt;
&lt;p&gt;Cookie information is also going to be limited to the cookies that Microsoft's own web site sends you as part of a session. That is how cookies have always worked -- they're limited to the specific domain they originated from. There's absolutely no way that Microsoft would include other web sites' cookies in a request to their own web site.&lt;/p&gt;
</description></item><item><title>re: Suggested Sites &amp; Privacy</title><link>http://blogs.msdn.com/b/ie/archive/2009/02/05/suggested-sites-privacy.aspx#9401581</link><pubDate>Fri, 06 Feb 2009 12:25:44 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9401581</guid><dc:creator>Mitch 74</dc:creator><description>&lt;p&gt;Speaking for the very security conscious (and a strange oversight): if IP and cookie data is stripped by the server, why send it? Wouldn't it be simpler to strip it in IE directly, and send the truncated version instead? If, for any reason, Microsoft decides to unilaterally change their privacy agreement and make use of this IP+cookie information, what control over that do users have? By the time someone finds out, that'll be millions of users spied on and billions of URLs gathered - a treasure trove if there isn't any.&lt;/p&gt;
&lt;p&gt;Moreover, HTTPS isn't fool-proof anymore, SSLv3 having been cracked through brute force; so there is still a risk the Suggested Sites security certificate gets cracked, and all data intercepted and gathered by the cracker would be an open book. While the IP address is irrelevant (it would still be inside the packet's header), all cookie data would be exposed.&lt;/p&gt;
&lt;p&gt;At least add a setting to IE (and make it default) to strip IP and cookie data before having it sent to MS servers.&lt;/p&gt;
&lt;p&gt;After all, if you're not gonna use it anyway, save yourself the bandwidth and server CPU time.&lt;/p&gt;
</description></item><item><title>re: Suggested Sites &amp; Privacy</title><link>http://blogs.msdn.com/b/ie/archive/2009/02/05/suggested-sites-privacy.aspx#9401255</link><pubDate>Fri, 06 Feb 2009 10:14:11 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9401255</guid><dc:creator>Zwembad Limburg</dc:creator><description>&lt;p&gt;That's a real nice function. However, I don't need my IP hidden.&lt;/p&gt;
</description></item><item><title>re: Suggested Sites &amp; Privacy</title><link>http://blogs.msdn.com/b/ie/archive/2009/02/05/suggested-sites-privacy.aspx#9400701</link><pubDate>Fri, 06 Feb 2009 06:20:20 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9400701</guid><dc:creator>Joseph McFarland</dc:creator><description>&lt;p&gt;It looks like you did a great job on this.&lt;/p&gt;
&lt;p&gt;Is there a way we can opt out of suggested sites (other than deleting history)? We have some internal testing sites that we would rather not have outsiders visiting (yet they need to be publicly accessible for some reason). Perhaps paranoia about this new feature will convince people to actually protect them.&lt;/p&gt;
&lt;p&gt;Tino: User-submitted data should come into play. I would still be fine with the feature if it was 100% pay-to-play (but it doesn't seem that way), as long as they kept out the ad trolls. It's already been useful at least once.&lt;/p&gt;
&lt;p&gt;(note: ad trolls being people who attempt to get search engines to index and highly rank their garbage trying to buy their way into polluting the suggested sites database)&lt;/p&gt;
</description></item><item><title>re: Suggested Sites &amp; Privacy</title><link>http://blogs.msdn.com/b/ie/archive/2009/02/05/suggested-sites-privacy.aspx#9400598</link><pubDate>Fri, 06 Feb 2009 05:41:28 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9400598</guid><dc:creator>Tino Zijdel</dc:creator><description>&lt;p&gt;All nice and dandy, but aren't 'suggested sites' in practice sites that are paying for being 'suggested'? In that case I'm not interested in this feature at all since it is just a marketing scheme, so basically nobody should be interested...&lt;/p&gt;
</description></item></channel></rss>