Microsoft sees all your HTTPS links in Skype, and you didn't know

While the Internet gets a reputation for being an anonymous playground, nothing is completely anonymous. Microsoft seems to be proving that point today, with the discovery they're accessing any secured links sent via Skype. Any HTTPS URL transmitted via Skype is picked up by the software giant, and then visited by an IP address from Redmond.

This was first picked up by an anonymous tipster, who informed Heise Security since it bore similarity to a replay attack. Somewhat ironically, Microsoft themselves explain what a replay attack is. In a nutshell, it's repeated legitimate traffic, which is then treated as such.

Heise was able to confirm the tipster's suspicions, using two test URLs to do so. They sent a URL containing login information, and one pointing to a cloud-based service. Both URLs were later revisited by a Redmond IP address, so it was no isolated incident.

You may wonder how this can be justified. It's in Skype's data protection policy, and is for 'preventing spam, fraud or phishing links'.


This bit in the policy has Microsoft covered.

You may remember the open letter which was published after Microsoft's Skype takeover. It queried how the giant would act with US government requests, and whether they would invade user privacy.

Whether you consider this revelation with secured web links an invasion or not, it'll doubtless have some effect.

Source: Heise Security

Report a problem with article
Previous Story

OneNote Web App can now edit password protected sections

Next Story

Auction for coffee with Tim Cook ends with $610,000 bid

37 Comments

Commenting is disabled on this article.

Exactly... the links are not actually visited by people, they are just automated checks to see if a person is sending spam or whatnot.

chocoboco said,
Hey, this obviously appears to be SmartScreen filtering of malicious links.. And its using a HEAD (not GET) request, so the links are in practice not visited...:
http://www.zdnet.com/is-micros...nstant-messages-7000015388/

Not targeted at you, chocoboco - just as general statement to this news:

No matter if the MS-sided check is using GET or HEAD or B***JOB ... this is, and remains, eavesdropping through an undocumented and unannounced backdoor (hence the point-to-point encryption of chat participants is undermined and hereby officially documented). The "SmartScreen" check is exactly what they called it - a replay attack, a unsolicited "return connection" from a MS operated server.

Neowin, as well as the other news outlets, did the right thing to report about it, though I find it highly funny how this is going to be downplayed - it's a major dent in Skype's security concept ("The connections between chat participants are encrypted") as well as a major dent in terms of "Customer faith into the product".

I, for one, will look into ways to abandon Skype for good (the client gets worse by each release anyway) and setup my own XMPP server.

The encryption is to the super nodes, not end-to-end. Securing the super nodes was one of the best decisions that Microsoft enforced meaning that they were (a) a lot more reliable and (b) that your unencrypted traffic only occurred on Skype's own equipment.

End-to-end encryption would be a real PITA when it comes to 20 person calls.

Excuse me but WTF are you doing making 20 person calls using Skype????
There are better solutions for this out there that won't result in big delays between users...

Neowin Title,
Neowin.net - Where unprofessional journalism is the best we can do

I reckon this should be the new Neowin Title.

This "article" is complete and utter fear mongering.... this site is really going down hill

this guy needs to get informed... OH NOES PEOPLE CAN SEE A HTTPS URL I PASS, which means nothing https://neowin.net LOOK GUYS YOU CAN SEE MY HTTPSURL!

In other news, Norton goes through all your indecent pictures looking for harmful software.

Jesus man. All it'll do is check the SSL cert is right, check that the HTML doesn't commonly match any popular websites or blocked websites.

Its not like there's some guy in Redmond sat with steamy glasses looking at everything your doing.

Maybe the problem isn't that they test the URL, but that they scan your messages. In case of Google and Gmail people here seem to care, so I would've supposed they cared about this too. I guess it depends on which company does it.

Yeah, I know what you mean.

For example, Facebook, Google, WLM all incorporate offline messaging and don't use the P2P method skype uses so all information/conversations and data is stored centrally.

I think people have just got to remember that this is code which is cycling through the messages. All it'll do is recognize a SSL link has been passed, grab that link, send it to MS, where it'll parse the page and check. It won't have any intelligence to the context or anything.

So pray tell, how else would people like MS to scan for malicious urls being sent to users of their service? Oh i know, complete guess work?

Not surprised, Ever since m$ bought Skype it's going downhill, it's well known fact after all that everything m$ touches turns to S...

0--JLowzrif said,
Not surprised, Ever since m$ bought Skype it's going downhill, it's well known fact after all that everything m$ touches turns to S...

You appear to have misstyped. The 'S' is located between the 'A' and the 'D' on a QWERTY keyboard. Hope this helps.

On another note, Everything the touch turns to... OK yup, that's exactly why they're a multi billion dollar company, because everything they touch turns to S***. Well done that man, your business acumen astounds me!

0--JLowzrif said,
Not surprised, Ever since m$ bought Skype it's going downhill, it's well known fact after all that everything m$ touches turns to S...
I don't think Skype is doing bad. But however I think Microsoft themselves is going down.

Skype<Windows Live Messenger

Switching to Skype is like taking a step back.
Facebook Chat on Skype has a lot problems.
WLM can so easily share images in the past.
I like WLM UI better as I can see more contacts at a time. Now I just see those people under my favourites. The rest I am too lazy to find.

0--JLowzrif said,
Not surprised, Ever since m$ bought Skype it's going downhill, it's well known fact after all that everything m$ touches turns to S...

Yeah, my PC is **** now, thanks to MS creating Windows and DOS. Mac4lyfe! /s

0--JLowzrif said,
Not surprised, Ever since m$ bought Skype it's going downhill, it's well known fact after all that everything m$ touches turns to S...

LOL I knew there would be at least one stupid comment like this. You obviously didn't read the article and just the title. It's for blocking spambots and ensuring people are not sending malware, etc. It's not a privacy concern at all. Geez.

I can see the concern however this is doing more good than bad. As long as Microsoft are only using it to do a spam check on the URL then I am happy.
If they were using the URL's content it to pick appropriate ads for me then I would be annoyed. I can think of at least one large company who would use such a feature!

Uh how else will they protect the majority of users against Phishing attacks and the like? Utterly Silly article and complete Hyperbole, many services and apps scan urls, From Twitter to Google Chrome, IE to Windows Live Messenger(when it existed).. and whats with the "didn't know"? I'm pretty sure many knew Skype blocked and protected against Phishing/malicious content

Neowin stop employing kids to writing articles...

Torolol said,
at least the AV doesn't pop up showing ads based on user's files it find.

You may have noticed that Skype doesn't do that either.

meh whoopdi do all they are doing is checking the link to make sure your not sending spam or happen to be a spam bot or infected seriously it aint that bad