One of the more hush-hush changes to Windows Live Messenger Wave 4 is the tie in of Internet Explorer’s SmartScreen Filter technology. Basically, links you receive will be transformed in such a way that upon clicking them you’ll be pushed through a redirector controlled by Microsoft before reaching your end result… if Microsoft deems it safe. To be a little more specific, you’re sent to the ominous appearing http://rdir.us with some undocumented parameters tacked onto the end. A full URL may appear as such:
http://rdir.us/?l=http%3a%2f%2fyoutube.com&h=unknown_base64ed_value&p=number&u=sixteen_hex_digits
If it’s safe to proceed, this redirect shuffle takes only a second or two to complete. If things look a little bit fishy, Microsoft will throw up an interstitial page similar to Google and Facebook (below). I’m not sure what this page looks like when things are real bad, but I’m sure it involves varying shades of red and the acronym GTFO.
Figure: Windows Live making sure I don’t give my password to the Chinese.
While I can appreciate Windows Live’s efforts to reduce malware proliferation and increase overall safety of its users online, the following issues come to mind:
-
My links are cataloged by some black box in the cloud, ready for hacker attack or spillage. (Think AT&T iPad fiasco.)
-
Rather than use http://link.smartscreen.live.com as a basis for my link, http://rdir.us was used. Which looks safer to you?
-
The warning page treats me like a dummy.
-
The privacy policy didn’t appear until I landed on the interstitial page. What are the odds of people ever seeing this page? How about the odds of finding anything related to SmartScreen in that policy? (It was last updated May 2008.)
-
I can’t turn the damn thing off.
What do you think? Would you leave this on or turn it off (if you had the chance)?
Turn it off, no doubt.
I click links at my own discretion.
And I have NEVER been linked to a phishing site.
Just shock sites, which I doubt this offers protection from.
Ok, my first comment got blown up, this is my second try.
http://www.reddit.com/r/programming/comments/bpy7h/think_youre_immune_to_phishing_attacks_see_if_you/
The original website is not up anymore but I think the comments there serve as a pretty good anecdotal evidence that even tech-savvy people are susceptible to these kind of phishing attacks. I know, I know, you are always supposed to check against the domain name and everything but I think that kind of dialogue is still an excellent way to discourage at least some phishing attacks.
It’s a different story whether the users “get used to” these dialogs.
Is this only in Messenger, or in Mail as well?
There should definitely be an option to turn it off. I wouldn’t use it knowing some of my (innocent) messages will already not send through Messenger because they contain a blacklisted term. There are just too many false positives.
What is the point anyway? Any modern browser already has some kind of malware filter which will warn you if the url you’re requesting is known to be a bad site. You don’t have to redirect people to make that work. It seems Microsoft’s real motive for doing this is gathering more data on which links are sent through Messenger, probably so the can analyze the most sent links for malware before anyone even reports them as malware. If that is the case and they are not making it optional, why are they not just catching links on the Messenger server? AFAIK every conversation goes through Messenger’s servers, logging all links directly from there should be possible. Then they can analyze links/domains which show suspicious activity and ass the results to their SmartScreen service. And the can advice people to use IE and SmartScreen to be optimally protected, which we’ll happily ignore.
Fine to have it on by default.
The domain name is dumb, as you say.
It really, really, really should be possible to turn it off.
For less technical people I’m sure it will help. For people like us it provides zero value and just wastes our time and gets in our way (like most other security features in Messenger) or, at best, does nothing at all.
Wow, awesome feature. One more reason for not using Wave 4 :-/
I agree the rdir.us domain is stupid and suspect looking, but then we’re technically inclined users that have half a clue or better. Most users don’t. In fact, I have over 100 users that would click any given link just because it said “checks out these awesome vaca pics!!!!1″ I don’t mind the extra bit of caution.
Turn it off, absolutely.
RE: http://link.smartscreen.live.com vs. http://rdir.us
While not a confidence inspirer, this is likely purely technical. With a limit to URL length, the first URL is more likely to see your original URL (if suitably long) be truncated and not function correctly.
This is LESS secure than prior behavior. Users judge the legitimacy of a link before clicking it by reading the hostname and possibly the filename and extension. Transforming/encoding the url makes this really hard to do. In this case a user is more likely to click all links and then click “OK” on whatever warning pages come up (without reading them.)
Should be like always, not easy option to turn it off, so dummy people don`t get infected but a hard manual way to turn it off for advanced users.
does the originial url show as rdir.us? say if i post a link to http://www.google.com – then does the recipient not see http://www.google.com. that would be a problem. how do iget the new messenger – when can i download it from?
Ralph: The link shown in the client (at the receiving end) will definitely read http://www.google.com. It isn’t until you click it that the redirection magic happens. At first, I thought I was infected with malware!
they do the rewrite on http://profile.live.com as well
This is shatty. I hate when websites do it. What if they applied this to desktop shortcuts that lead to the internet.
This is an important tool to protect against malware, which can easily be sent through Windows Messenger. But I agree that people should be able to control whether or not they want these warning messages on—they’re helpful but not for people who discover that their messages can’t be sent because of this tool. Do you know if this filter is available on the new Windows Messenger iphone app?
I believe Charter Cable web e-mail has been doing something like this for a couple of years. When you click on a link from an e-mail you are viewing in their webmail service, you briefly see a message that says something like “You are leaving Charter.net” before you see the new site. Also, in my e-mails, if you hover over the external link, it has some Charter gobbledegook prepended to the expected URL. Charter doesn’t let you turn off the “feature”. Every once in awhile, their monkeying made the link nonfunctional. That was one of the big reasons I ceased using Charter e-mail, even though they are my ISP. I’m not going to put up with a third-party intruding into the content of the e-mail I receive, if I can help it.
I don’t mind spam filtering, so long as e-mail is simply redirected into a Spam folder that I can review & delete at will.
I’d have it on, but modify it so that it checks for
A.) Phishing sites
B.) URL-Shortened sites
Nothing I hate more on Messenger than people using URL Shorteners, link dumping, and not telling me what it is. If the SmartScreen was able to tell me what’s beyond the link, sees past the shortened URL to where it’s really going, then yeah, I wouldn’t mind having it. But I’d rather have it configurable so that it doesn’t screen trusted URLs of sites I visit on a regular basis.
I completely agree… You should be able to turn it off, but of course, you cannot. I understand that there are people who just aren’t that savvy when it comes to seeing whether or not something is a complete and utter scam.
What would be an easy fix that would require them to update only the website itself, and not the software, is to have the option to completely “Not show this warning message” (if it were chosen, the site would redirect you there without prompting the message) or at the very least “Do not show this warning message for this domain again.”
I like it because no matter what browser you are using, you will get SmartScreen information, it the site you are about to go to is malicious or whatever, as SmartScreen works well, actually. I don’t get why there is no off option anyways, as you can turn off SmartScreen in Internet Explorer.