This guy has a habit of trying to be a grandstanding security expert but being wrong a lot. In this example, he is wrong because although IIS will answer an SSLv2 connection, it will not actually process the request. Anyone who has done basic scanning for an audit is well aware of this false positive.
"I haven’t checked whether Windows SmartScreen does in fact use SSLv2, but the fact that the Microsoft servers support it is concerning."
Yeah, maybe check next time before you shout that the sky is falling.
If you are concerned about the privacy issue (MS getting requests indicating what was installed - not the bogus MITM claim), disabling this is offered in the privacy settings, and it is even put in front of your face during OS install. Also, all major AV products do the same thing, except they're not as transparent about it.
Author here. Let me ask you something: Have you checked if SSLv2 connections are actually dropped?
The point of my article isn't SSLv2, it's privacy concerns. Also, I did actually check and disabling SmartScreen doesn't seem to be offered during OS install, did I miss something?
Thanks for the disgusting ad-hominem! It totally aids your missing the point.
Edit: Whoa, I think I've figured out why this guy is being so personal; his submission history includes promoting a security company I left after a brief stint. Small world!
It's not worth getting worked up over a jerk on the internet. The comment you are replying to was indeed rude, but stick to disagreeing on the facts and leave it at that. I find that's the best way to get others to do the same.
This article would have read better without the SSL related discussion, which I think distracts from the major point.
In general, though, I think we're at the point where we can stick a fork in the trust model we've been using up to this point. 2v3/TLS 1.1/EC+DHE isn't the issue, and the more time we spend talking about those issues, the less time we spend focusing on fixing the fundamentals of internet security 3-5 years from now, which we need to actually get right this time.
re: your privacy concern - if that is the concern why did you mention the SSLv2 stuff at all? Although I really don't like smart-screen filter there are really only two ways this could work - Win8 downloads a big white/black list every night, or it checks each time an .exe is launched. I don't think it is particularly shocking that it does the latter.
Microsoft already gathers lots of information from customer experience improvement data and crash dumps and stuff like that, and goes to tremendous efforts to ensure that it is never traceable back to an individual. I don't know for sure but I'd be surprised if the same policies were not in play here also.
Maybe I'm misunderstanding, but wouldn't the real issue be whether the Windows 8 client will use SSLv2, not whether the server does? I'm imagining a third party doing a MITM attack, posing as Microsoft's SmartScreen server and saying it only does SSLv2.
> disabling this is offered in the privacy settings, and it is even put in front of your face during OS install.
What's the default behavior? I think we've all had experiences (or know of others who have) of not entirely reading everything and ending up with eight new IE taskbars installed.
"Lastly, users can choose to disable SmartScreen if they want to. Granted, most users wouldn’t even know of SmartScreen, much less the potential privacy concerns. :)"
See here: http://billing.handsonwebhosting.com/knowledgebase.php?actio...
Nothing to see here.