IE 7 Phishing Filter

Just an update to a previous post. Sam Spade commented that IE 7’s phishing filter doesn’t send the full content of the URL, as outlined in this article over at Microsoft.

An important thing to note about the Phishing Filter check is that the information sent to Microsoft is limited to just the web address of the web site. Information associated with the web site address that could contain personal or sensitive information such as search terms you may have entered is removed before the address information is sent to Microsoft.

Another important point to remember is that the URL is transmitted using SSL (Secure Socket Layer) encryption. This is the same encryption used by banks, financial institutions and other organizations to protect their users’ data.

I wanted to test this myself so I setup a packet capturing application and submitted this blog using a URL that contained extra bits of potentially important, private information at the end of the URL.

But as is stated in the quote above, the entire transaction takes place over SSL. So all I could see was my machine talking with 64.54.225.125, which is one of many IPs owned by Microsoft.

If I could decipher the transaction I suspect that what I would see is a URL like:

http://username:pass@weblog.bridgew.edu/ruthsarian/index.html?secret=password&ssn=personal

is submitted to Microsoft as:

http://weblog.bridgew.edu/ruthsarian/index.html

but I can’t be certain. Is this a problem? In most cases, probably not. What might worry me is that the full URL (sans CGI query string and username/password) might still contain information. For example, how does Microsoft know where the URL ends and the query string begins? Usually you can go by the question mark (?) if there is one. But there’s also the ability to use forward slashes to separate URL and query string. So something like:

http://weblog.bridgew.edu/ruthsarian/post/username/password/id/ might be interpreted as a full URL, and not as a URL up to the “ruthsarian” part with everything after that being the query string.

And it wouldn’t be an intentional bug on MS’s part; it’s just that some web applications deliberately blur the line between the path and the query string, so a filter that strips only what follows the question mark has no way to tell the two apart. But it’s over SSL, so only you and Microsoft would know what got through, if anything.
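To make the concern concrete, here is an added example (not code from the original post, and not Microsoft’s filter) that models the reduction the post guesses at: keep scheme, host and path; drop the username/password, the query string and the fragment. Whether IE 7 actually does exactly this is an assumption; the two sample URLs are the ones from the post, and the list of “secrets” is constructed for the demonstration. It runs under Node.js using the built-in WHATWG URL class.

```javascript
// Added example: a model of the URL reduction the post suspects the phishing
// filter performs. Assumption (not confirmed by the post or by Microsoft):
// only scheme, host (with any non-default port) and path are submitted;
// userinfo, query string and fragment are removed before sending.
function stripForSubmission(rawUrl) {
  const u = new URL(rawUrl);
  // u.host carries the port if one was given; u.pathname never contains
  // userinfo, '?' or '#', so those parts are dropped by construction.
  return `${u.protocol}//${u.host}${u.pathname}`;
}

// The check the post is really asking for: after the reduction, which of the
// tokens we consider sensitive are still visible in what would be sent?
function survivingSecrets(rawUrl, secrets) {
  const submitted = stripForSubmission(rawUrl);
  return secrets.filter((token) => submitted.includes(token));
}

// Constructed samples, modelled on the two URL shapes discussed in the post.
// QUERY_STYLE puts the data where the filter can recognise it (userinfo and
// query string); PATH_STYLE hides the same data inside path segments.
const QUERY_STYLE =
  "http://username:pass@weblog.bridgew.edu/ruthsarian/index.html?secret=password&ssn=personal";
const PATH_STYLE =
  "http://weblog.bridgew.edu/ruthsarian/post/username/password/id/";
const SECRETS = ["username", "password", "personal"];

for (const url of [QUERY_STYLE, PATH_STYLE]) {
  const left = survivingSecrets(url, SECRETS);
  console.log(url);
  console.log("  submitted as : " + stripForSubmission(url));
  console.log("  still visible: " + (left.length ? left.join(", ") : "(nothing)"));
}
```

For the query-style URL the stripped form is just http://weblog.bridgew.edu/ruthsarian/index.html and none of the tokens survive; for the path-style URL the stripped form is identical to the input, because from the parser’s point of view “username” and “password” are simply directory names. That is the whole point of the post: the safeguard only protects data in the parts of the URL that the URL syntax itself marks as separable.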

Still, I’ll be keeping my phishing filter off.
