Aaron Miller
19
Years of Service
User Offline
Joined: 25th Feb 2006
Playing: osu!
Posted: 24th Aug 2012 09:12 Edited at: 24th Aug 2012 10:45
Windows 8 Tells Microsoft About Everything You Install, Not Very Securely
Quote: "SmartScreen appeared to connect over HTTPS to a server in Redmond (apprep.smartscreen.microsoft.com, 65.55.184.60, run by Microsoft) in order to communicate information about the application I was trying to install.

After running some tests on this Microsoft server, I discovered that it ran Microsoft IIS 7.5 to handle its HTTPS connections. The Microsoft server is configured to support SSLv2 which is known to be insecure and susceptible to interception. The SSL Certificate Authority chain goes down from “GTE CyberTrust Global Root” to “Microsoft Secure Server Authority.” The Certificate Authority model is itself susceptible to some serious problems."


It's a short article (first link contains the full text) but I find it interesting.

What is everyone's take on this? Do you guys think they should update Windows 8 and their servers before the official consumer release, or not? Should they make it easier to disable smart screen?

Personally I think they should handle this issue immediately, and also make it easier to disable smart screen (without persistent warnings). I haven't used the Windows 8 Consumer Preview (or RTM) though, because it (the Consumer Preview) refuses to install for me.

Edit
Quote: "Update: According to Microsoft, SmartScreen sends a hash of the app installer and its digital signature, if any. A combination of the hash and the user’s IP address is still enough to identify that IP address x attempted to install software y."

In regard to the update, IP addresses are easy to get lost (just grab a new IP...) so it's probably not much of a concern.

Dark Java Dude 64
Community Leader
14
Years of Service
User Offline
Joined: 21st Sep 2010
Location: Neither here nor there nor anywhere
Posted: 24th Aug 2012 10:00
Hmm... Ouch. I foresee many legal issues arising with MS in the near future. Especially with that whole not warning users thing...

Your signature is being eras
MrValentine
AGK Backer
14
Years of Service
User Offline
Joined: 5th Dec 2010
Playing: FFVII
Posted: 24th Aug 2012 10:22 Edited at: 24th Aug 2012 10:24
it is still in BETA phase... and that data is not exactly Scotland Yard - MI5, CIA - FBI material...

I suspect they will change that upon release, if not... oh well...

But it could also be a misconception in the research... perhaps the data returned is incorrect... as I cannot see how you can trace that data back... aside from using CMD and using some network commands to see active connections list... even then getting the exact connection route could be incorrect... I mean protocol wise... I could be wrong, or that guy [not read it] could be an anti MS person so ranting on rather than helping out...

it's funny how people who support Linux rant on about how good or [in]Secure it is... but when it comes to Windows, they would rather stab it in the back than helping out... pathetic...

but yeah it's a small detail for now, but again it is not even released so looking at this is silly... if they fix it upon release then fine, if not it's not a major aspect... and it is still secure until someone tries to hack it, and then again ANYTHING IS HACKABLE... even people

Neuro Fuzzy
17
Years of Service
User Offline
Joined: 11th Jun 2007
Location:
Posted: 24th Aug 2012 10:29
Quote: "they would rather stab it in the back than helping out... pathetic..."

OH! Yeah you're right. I'll just git the smartscreen source code and see if I can get a stable implementation with a more secure protocol up and ru-
oh wait.

(kidding of course, I've never even done that on linux)

MrValentine
AGK Backer
14
Years of Service
User Offline
Joined: 5th Dec 2010
Playing: FFVII
Posted: 24th Aug 2012 10:37 Edited at: 24th Aug 2012 10:37
Neuro, just the guy I wanted to see!!! got something not sure I managed to show you it before...



Hope this links and also I really thought you needed to see that... I have had it for ages just not had the chance to show you it properly I think...

But yeah I meant at least point it out and be constructive about it rather than bashing constantly... it's not good for both sides...

Aaron Miller
19
Years of Service
User Offline
Joined: 25th Feb 2006
Playing: osu!
Posted: 24th Aug 2012 10:42
Quote: "it is still in BETA phase..."

Quote: "I’ve recently been using the final, Released to Manufacturing version of Windows 8"



Quote: "that guy [not read it] could be an anti MS person so ranting on rather than helping out..."

In the article he points out that he actually likes Windows 8.

Quote: "it's funny how people who support Linux rant on about how good or [in]Secure it is... but when it comes to Windows, they would rather stab it in the back than helping out... pathetic..."



----

An update was recently made to the article, apparently.
Quote: "Update: According to Microsoft, SmartScreen sends a hash of the app installer and its digital signature, if any. A combination of the hash and the user’s IP address is still enough to identify that IP address x attempted to install software y."


MrValentine
AGK Backer
14
Years of Service
User Offline
Joined: 5th Dec 2010
Playing: FFVII
Posted: 24th Aug 2012 10:45
Quote: "An update was recently made to the article, apparently.

Quote: "Update: According to Microsoft, SmartScreen sends a hash of the app installer and its digital signature, if any. A combination of the hash and the user’s IP address is still enough to identify that IP address x attempted to install software y.""


So? this means? good or bad?

Good to know that he likes it then, I just don't like jumping onto likely ad-filled blog sites... they are so insecure...

Aaron Miller
19
Years of Service
User Offline
Joined: 25th Feb 2006
Playing: osu!
Posted: 24th Aug 2012 10:47
I don't see any ads on the site.

MrValentine
AGK Backer
14
Years of Service
User Offline
Joined: 5th Dec 2010
Playing: FFVII
Posted: 24th Aug 2012 10:51
thanks, checking now
