The Canadian security researcher Nadim Kobeissi, who is a known activist against Internet surveillance and programmer of Cryptocat, has raised concerns over privacy in Windows 8’s defensive feature SmartScreen. Whenever you install any application from the Internet, SmartScreen will gather information about it and send the data to Microsoft. In the final, Released to Manufacturing version, “Windows 8 is configured to immediately tell Microsoft about every app you and download and install,” Kobeissi wrote on his blog.

He also claims that Microsoft’s servers aren’t secure enough, since they are configured to support SSLv2, which in his eyes is known to be insecure and easy to intercept. SSLv2 uses the MD5 function for authentication, which is insecure. It also facilitates the man-in-the-middle (also MITM) type of attack, in which the hacker assumes the likeness of the server to which the user believes he’s connected. However, he didn’t check whether SmartScreen does in fact use SSLv2 as well, but he’s already concerned that Microsoft’s servers do. Ultimately, an attacker could learn which applications an user has installed on their computer. Approximately 14 hours after he published his post, another scan of Microsoft’s SmartScreen servers reveals that Microsoft has reconfigured servers only to support SSLv3 connections.

On the other hand, Rafael Rivera, known for analyzing Microsoft code, calls Kobeissi’s post merely a scare piece. Rivera sheds more light on the subject by showing the code in question. For those programmers among you, it may be easy to understand.

01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
<Rq V=”1.2″>
<RqT>0</RqT>
<App>
<FName>U2FtZUdhbWUuZXhl</FName>
<FHash>d3ff5939726c9f8fa6e514fb65eb470a1f9ec7a65b2706732
a03749226c2520</FHash>
<Sig>0</Sig>
<Sz>45056</Sz>
<M>1</M>
<SR>100</SR>
</App>
<ID>0F98AD9C-D498-42B3-B421-E6C97A8E61E7</ID>
<G>B68802CA-B396-4773-8FD9-EEECA4DE65D9</G>
<L>ZW4tVVM=</L>
<OS>6.2.9200.0.0</OS>
<I>OS4xMC45MjAwLjE2Mzg0</I>
<C>10.00.9200.16384</C>
<DJ>2</DJ>
</Rq>

Rivera continues to point two elements in particular: FName and FHash. FName is a Base64 encoded representation of the executable file, while FHash is a SHA256 hash of the executable contents, to eliminate filename-based false positives.

In essence, Microsoft could track what you download and install. Rafael Rivera maintains that it’s very unlikely that it will ever keep such a database matching IP addresses. Stories like these certainly inspire fear to anyone in the IT world, yet mostly it’s just hot air, and Microsoft will likely address any privacy concerns if they really present a credible threat.

Yet you have the choice, and can turn off SmartScreen whenever you like if it makes you sleep more soundly at night. To do so, just go to the Action Center, Change Windows SmartScreen settings, and click Don’t do anything (turn off SmartScreen).