Tuesday, May 09, 2006 6:26 AM
sandi
The Phishing Filter - addressing privacy concerns
It has, at times, been a real uphill battle trying to convince the 'man on the street' to take advantage of the Phishing Filter that is an integral part of Internet Explorer 7, and available as an add-in for the MSN Toolbar.
Let's have a look at how the Phishing Filter works and see if we can relieve some concern.
After Internet Explorer 7 is installed the phishing filter will sit quietly in the background monitoring sites that are visited *WITHOUT TRANSMITTING INFORMATION TO THE URL REPUTATION WEB SERVER* until the client side application, using heuristic checks, detects that the user may be visiting a site that is a phishing site. Again, no data is transmitted to MS during this initial phase.
The first time that a user visits a potentially dangerous site, the Phishing Filter client will display a dialogue box prompting the user to make a decision about whether they wish to use the Phishing Filter.
If a user decides to use the phishing filter *then* data may be transmitted to the URL Reputation Web Server hosted by Microsoft.
When will the Phishing Filter contact the URL Reputation Server?
Assuming the user has enabled the Phishing Filter...
1) Each user's local machine has a 'white list' of known safe URLs (stored in a DAT file) and, as time goes on, a local cache record of already checked URLs. If the site being visited is recorded in that DAT file, or the cache record, the Phishing Filter engine will not contact the URL Reputation Web Server.
2) The content of a Web page is heuristically analysed by the Phishing Filter client. If that analysis determines that the site is suspicious, and the site is not recorded in the DAT file or cache record, then the Phishing Filter client will contact the URL Reputation Web Server to check the bona fides of the site being visited.
Privacy fears
A primary fear expressed by some users is that they are concerned for their privacy - for example, they may not want Microsoft to know that they are conducting a web search for sexy blonde surfer boys ;o)
It is important to note that the Phishing Filter strips user specific data from URLs before they are transmitted. The only portion of a URL that is transmitted is the domain name and path.
For example, if you conduct an MSN search for "secretsquirrel" the URL would be: http://search.msn.com/results.aspx?q=secretsquirrel&FORM=QBHP
The Phishing Filter will only transmit "http://search.msn.com/results.aspx". Note how the user's search terms have been removed.
Ok, so now we can see that MS does not know what we are searching for; they only know that we have conducted a search. Also, remember that if the site in question passes the heuristics test, or the site is in the client side cache or DAT file, the phishing filter won't contact the URL Reputation Web Server anyway.
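To make the two points above concrete, here is a small Python model of the flow the post describes (an added example, not Microsoft's code): a URL is reduced to scheme, host and path before any lookup, and the server is contacted only when the site is neither in the local DAT allow-list nor in the checked cache and the client-side heuristics flag it. The allow-list entries, the cache, the page texts and the `looks_suspicious` rule are all constructed stand-ins.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data (not the real DAT file): hosts treated as known-safe.
LOCAL_ALLOWLIST = {"www.microsoft.com", "search.msn.com"}
# Cache of stripped URLs already rated by the server: stripped URL -> verdict.
CHECKED_CACHE = {}

def strip_for_lookup(url):
    """Reduce a URL to scheme, host and path, as the post describes.
    User-info, port, query string and fragment are all dropped.
    Note: anything embedded in the path itself is NOT removed."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return urlunsplit((parts.scheme, host, parts.path, "", ""))

def looks_suspicious(page_text):
    """Hypothetical stand-in for the client-side heuristics: a page that
    asks for a password and name-drops a commonly impersonated brand."""
    text = page_text.lower()
    return "password" in text and any(b in text for b in ("paypal", "bank", "ebay"))

def decide_lookup(url, page_text):
    """Return (contact_server, url_sent) for one page visit.
    url_sent is None whenever the server is not contacted."""
    host = urlsplit(url).hostname or ""
    stripped = strip_for_lookup(url)
    if host in LOCAL_ALLOWLIST or stripped in CHECKED_CACHE:
        return False, None            # step 1: local DAT file or cache hit
    if not looks_suspicious(page_text):
        return False, None            # step 2: heuristics did not fire
    return True, stripped             # only now is the stripped URL sent

def record_verdict(stripped_url, verdict):
    """Store the server's answer so the same URL is not sent again."""
    CHECKED_CACHE[stripped_url] = verdict
    return len(CHECKED_CACHE)

if __name__ == "__main__":
    search = "http://search.msn.com/results.aspx?q=secretsquirrel&FORM=QBHP"
    print(strip_for_lookup(search))            # query string gone
    print(decide_lookup(search, "results"))    # allow-listed host: no contact
    # Constructed suspicious page: the account id sits in the path, so it survives.
    phish = "https://bob:pw@login.example.test:8443/update/acct-12345?tok=abc#x"
    print(decide_lookup(phish, "Enter your PayPal password to continue"))
```

Running the block shows that the query string, user-info, port and fragment disappear, while a value placed in the path survives the stripping.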
Can we trust MS to be telling us the truth?
Ah, here we get to the nitty gritty. I can understand why some people would be disinclined to believe Microsoft when they say that information such as search terms is stripped from URLs before transmission to the URL Reputation Web Server.
Microsoft have commissioned Jefferson Wells to conduct an independent analysis of the Phishing Filter in IE7 and the MSN Toolbar and then issue a Privacy Audit Report. This report is available at http://www.jeffersonwells.com/client_audit_reports/main.htm.
To summarise, the key findings of the Privacy Audit Report are:
1. The Phishing Filter client does not transmit any personally identifiable information without explicit user consent.
2. URL information transmitted for rating by the Phishing Filter client cannot be traced back to the user’s personal information.
3. HTTP and HTTPS URLs transmitted for rating by the Phishing Filter client are limited to the domain and path only. All other information in the URL is stripped.
4. The Phishing Filter client only transmits URLs in the following scenarios.
a) When the user wants to manually provide feedback on a URL.
b) When the URL is not found in the Phishing Filter local data files.
c) When the Phishing Filter client heuristics determine a site as suspicious.
5. Transmission of any and all URL information by the Phishing Filter client is over SSL on the Internet.
I recommend that you also read the Internet Explorer 7 Privacy Policy which specifically addresses the Phishing Filter as well as other facets of Internet Explorer 7:
http://www.microsoft.com/windowsvista/privacy/ieprivacy_pr7.mspx
The Ruthsarian Blog raised an interesting concern about how the Phishing Filter assesses where the domain and path end and, for example, search terms or personally identifying information begins:
http://weblog.bridgew.edu/ruthsarian/archives/000295.html
I don't have sufficient information to be able to address the guy's concerns; hopefully somebody from the IE team will be able to comment.
Filed under: Internet Explorer 7, Vulnerabilities, viruses and exploits