
first to say
IT'S OPTIONAL - people need to not bitch, same kinda thing as with TV shows, don't like it, change the channel!
A top security researcher has called for Microsoft to rethink aspects of its Suggested Sites feature in IE8. The optional feature in the next version of Microsoft's browser allows users to "discover websites you might like based on sites you've visited", as Microsoft explains it. When the feature is activated, the addresses of …
If you go to a URL that has a login and you fill this in and bang on the button then, if the site concerned then passes you to say: blah.blah.com/insideinfo&userid=jbloggs, then MS get the whole thing including the "jbloggs" bit you filled in on page one.
What's not to understand? The key bit here is "information associated with the web address" and the fact that they then go on to state that they don't take anything from the rendered page doesn't conflict with this at all.
e.g. For a real world example, typing a load of cobblers into Google produces a URL of: http://www.google.co.uk/search?hl=en&q=a+load+of+cobblers&meta=
Why is this possibly useful, surely it sets alarm bells ringing in everyone's head the moment that they see this new 'feature'??
Personally, the only thing that I can see that this would be even slightly useful for is finding out if there is anything in the known universe that is better than thehun for late night shuffling material...
Drivel from a 2nd Rate University researcher......
Nobody should rely solely on "security by obscurity" or any information submitted as part of a URL (including session id values) as a means of securing any kind of non-public data.
Don't go mouthing off about Microsoft being the problem when the people that cause the real problems are the morons who design inherently insecure websites that any kid with half a brain could hack.
is a prat fall.
If you don't want to gift Microsoft a complete list of everything you have browsed, simply leave it off. Or upgrade to a proper web browser instead.
If you change your mind about suggested sites, well that's hard luck... Microsoft will still retain data (according to the IE8 privacy policy) and there's nothing you will ever be able to do about it.
If people want to let MS know where they surf that's their business, but MS is going to have to be very careful how they share those URLs with the public (which is, after all the point of the feature). The safest thing would be to share only the domain name, but as Richard points out that might not be enough if the site is something like Blogger that includes a million different sub-sites. But sharing the whole URL would risk giving away user IDs or even (on an exceptionally poorly made site) passwords. But it seems to me there's a middle ground.
And come to think of it, it has a lot to do with "search terms or data you entered in forms", AKA query strings. Basically URLs have three levels of detail. "example.com", "example.com/example.php" and "example.com/example.php?foo=example&bar=sample". The middle one should almost always be safe to share, and still provide enough detail to work with most sites. But the last one could definitely be a privacy risk. Ideally IE8 wouldn't even send that part back to MS, only the part to the left of the "?".
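The three levels of URL detail from the comment above, as an added example that is not part of the original thread and not a description of how IE8 behaves. The function names `urlDetailLevels` and `shareable` are hypothetical. It also covers the earlier "&userid=jbloggs" case, where the identifier sits in the path and cutting at the "?" alone would not remove it.

```javascript
// Added example: split a visited URL into the three levels of detail
// discussed in the thread and keep only the part that is safe to share.
function urlDetailLevels(raw) {
  // new URL() requires a scheme; the thread's examples omit it, so assume http.
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw);
  const u = new URL(hasScheme ? raw : "http://" + raw);

  // Level 1: host only. Userinfo (user:pass@) and port are dropped.
  const domain = u.hostname;

  // Level 2: host + path. Some sites carry parameters in the path itself
  // ("/insideinfo&userid=jbloggs", "/page;jsessionid=..."), so each path
  // segment is truncated at the first "&", ";" or "=".
  const path = u.pathname
    .split("/")
    .map((segment) => segment.split(/[&;=]/)[0])
    .join("/");
  const page = domain + path;

  // Level 3: the query string. Only parameter names are returned, so a
  // reviewer can see what would have been disclosed without keeping values.
  const queryKeys = [...u.searchParams.keys()];

  return { domain, page, queryKeys, hadFragment: u.hash !== "" };
}

// The "middle" level: what a history-sharing feature could send upstream.
function shareable(raw) {
  return urlDetailLevels(raw).page;
}

// Sample inputs: the first three are quoted in the thread, the last is constructed.
const samples = [
  "example.com/example.php?foo=example&bar=sample",
  "http://www.google.co.uk/search?hl=en&q=a+load+of+cobblers&meta=",
  "blah.blah.com/insideinfo&userid=jbloggs",
  "https://jbloggs:secret@example.com:8443/a/b;jsessionid=ABC123?x=1#top",
];
for (const s of samples) {
  const d = urlDetailLevels(s);
  console.log(`${s}\n  share: ${d.page}\n  dropped params: ${d.queryKeys.join(", ") || "(none)"}`);
}
```

Truncating path segments this way is deliberately conservative: it can shorten a legitimate path that contains "=" or ";", which is the safer failure for data leaving the machine.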
Just another way that they can use to game the Microsoft universe.
Sure MS will check all those submitted sites you just "visited" for loading your system with malware? We know how good the automated systems from Microsoft are on checking for malware. Call me cynical, but here we have another GREAT new feature that will help PCs getting infected...