Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

The Phishing Filter – addressing privacy concerns

May 9th 2006 in Uncategorized

It has, at times, been a real uphill battle trying to convince the ‘man on the street’ to take advantage of the Phishing Filter that is an integral part of Internet Explorer 7, and available as an add-in for the MSN Toolbar.

Let’s have a look at how the Phishing Filter works and see if we can relieve some concern.

After Internet Explorer 7 is installed the phishing filter will sit quietly in the background monitoring sites that are visited *WITHOUT TRANSMITTING INFORMATION TO THE URL REPUTATION WEB SERVER* until the client side application, using heuristic checks, detects that the user may be visiting a site that is a phishing site.  Again, no data is transmitted to MS during this initial phase.

The first time that a user visits a potentially dangerous site, the Phishing Filter client will display a dialogue box prompting the user to make a decision about whether they wish to use the Phishing Filter.

If a user decides to use the phishing filter *then* data may be transmitted to the URL Reputation Web Server hosted by Microsoft.

When will the Phishing Filter contact the URL Reputation Server?

Assuming the user has enabled the Phishing Filter…

1) Each user’s local machine has a ‘white list’ of known safe URLs (stored in a dat file) and, as time goes on, a local cache record of already checked URLs.  If the site being visited is recorded in that DAT file, or the cache record, the Phishing Filter engine will not contact the URL Reputation Web Server.

2) The content of a Web page is heuristically analysed by the Phishing Filter client.  If that analysis determines that the site is suspicious, and the site is not recorded in the DAT file or cache record, then the Phishing Filter client will contact the URL Reputation Web Server to check the bona fides of the site being visited.

Privacy fears

A primary fear expressed by some users is that they are concerned for their privacy – for example, they may not want Microsoft to know that they are conducting a web search for sexy blonde surfer boys ;o)

It is important to note that the Phishing Filter strips user specific data from URLs before they are transmitted.  The only portion of a URL that is transmitted is the domain name and path.

For example, if you conduct an MSN search for “secretsquirrel” the URL would be: http://search.msn.com/results.aspx?q=secretsquirrel&FORM=QBHP

The Phishing Filter will only transmit “http://search.msn.com/results.aspx”  Note how the user’s search terms have been removed.

Ok, so now we can see that MS does not know what we are searching for; they only know that we have conducted a search.  Also, remember that if the site in question passes the heuristics test, or the site is in the client side cache or DAT file, the phishing filter won’t contact the URL Reputation Web Server anyway.

Can we trust MS to be telling us the truth?

Ah, here we get to the nitty gritty.  I can understand why some people would be disinclined to believe Microsoft when they say that information such as search terms are stripped from URLs before transmission to the URL Reputation Web Server. 

Microsoft have commissioned Jefferson Wells to conduct an independent analysis of the Phishing Filter in IE7 and the MSN Toolbar and then issue a Privacy Audit Report.  This report is available at http://www.jeffersonwells.com/client_audit_reports/main.htm.

To summarise, the key findings of the Privacy Audit Report are:

1.  The Phishing Filter client does not transmit any personally identifiable information without explicit user consent.

2.  URL information transmitted for rating by the Phishing Filter client cannot be traced back to the user’s personal information.

3.  HTTP and HTTPS URLs transmitted for rating by the Phishing Filter client are limited to the domain and path only. All other information in the URL is stripped.

4.  The Phishing Filter client only transmits URLs in the following scenarios.

a)  When the user wants to manually provide feedback on a URL.

b)  When the URL is not found in the end Phishing Filter local data files.

c)  When the Phishing Filter client heuristics determine a site as suspicious.

4.  Transmission of any and all URL information by the Phishing Filter client is over SSL on the Internet.

I recommend that you also read the Internet Explorer 7 Privacy Policy which specifically addresses the Phishing Filter as well as other facets of Internet Explorer 7:

The Ruthsarian Blog raised an interesting concern about how the Phishing Filter assesses where the domain and path end and, for example, search terms or personally identifying information begins:

I don’t have sufficient information to be able to address the guy’s concerns; hopefully somebody from the IE team will be able to comment.

One comment to...
“The Phishing Filter – addressing privacy concerns”

Alun Jones

The one obvious remaining piece of information transmitted to Microsoft is the IP source address of the packet – this doesn’t actually identify a user uniquely, but it does identify what ISP they are using.

Non Australian’s likely won’t know of Richard Carlton (or the Beaconsfield mine disaster either) so please forgive the “what the” aura of this post:http://www.news.com.au/story/0,10117,19054809-29157,00.html
Beaconsfield Mine Disasterhttp://www.news.com.au/story/0,10117,19054570-2,00.html

Previous Entry

Symantec are patting themselves on the back again.  Their latest “Symantec Enterprise Security News Clip” has proudly announced that “Industry Leaders Back Symantec Phish Report Network”(cite: http://www.symantec.com/about/news/release/article.jsp?prid=20060501_01)
So, let’s have a look at Symantec’s new service at http://www.phishreport.net/.  A nice, professional looking site – very pretty. 
“Senders” can submit URLs for free only after agreeing to […]

Next Entry