HEAD requests likely used to determine landing page.
Is Microsoft checking all the links you share via Skype? German online magazine Heise thinks so.
A reader of security magazine Heise discovered that all URLs sent via Skype chat received a request from an IP address that was registered with Microsoft (which bought Skype in 2011). Heise managed to verify this claim and found that even URLs that included (fake) login credentials and were sent over HTTPS received such requests.
When asked about this by Heise, a spokesperson for Skype pointed to its privacy policy, which states that automatic scanning may take place to detect spam sent over the service. The magazine says the facts speak against Skype, for the requests are HEAD requests, which only ask for the server to send the HTTP headers, as opposed to the common GET requests, which ask for the full web page and which would be needed to scan its content.
However, I have to side with Skype here. A problem with URLs – especially those used for malicious purposes – is that many of them redirect to another URL, usually on another domain. The common use of URL shorteners, as well as compromised websites, for this purpose means that checking a URL against a blacklist is not always an effective way to block malicious URLs. And that’s what HEAD requests are used for: one or more of them can determine the landing page without the need to request the full web pages.
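The redirect-following described above, as an added example that is not part of the original post and not Skype's or Microsoft's code: a resolver that walks a redirect chain using HEAD requests only, so no page body is ever fetched. The `DemoShortener` server, its paths and the `resolve_landing` and `demo` names are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

def resolve_landing(url, max_hops=10, timeout=5):
    """Follow a redirect chain with HEAD requests only; return (chain, verdict)."""
    chain = [url]
    for _ in range(max_hops):
        p = urlsplit(url)
        cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
        # hostname/port drop any user:pass@ part, so URL credentials are not sent
        conn = cls(p.hostname, p.port, timeout=timeout)
        try:
            conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location")
        finally:
            conn.close()
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain, "landed"          # last entry is the landing page
        url = urljoin(url, location)        # Location may be relative
        if url in chain:
            return chain + [url], "loop"    # redirect loop, give up
        chain.append(url)
    return chain, "too_many_hops"

class DemoShortener(BaseHTTPRequestHandler):
    """Constructed local stand-in: /s -> /hop -> /landing, and /a <-> /b loop."""
    hops = {"/s": "/hop", "/hop": "/landing", "/a": "/b", "/b": "/a"}
    def do_HEAD(self):
        target = self.hops.get(self.path)
        self.send_response(302 if target else 200)
        if target:
            self.send_header("Location", target)
        self.end_headers()
    def log_message(self, *args):           # keep the demo quiet
        pass

def demo():
    srv = HTTPServer(("127.0.0.1", 0), DemoShortener)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % srv.server_port
    try:
        return resolve_landing(base + "/s"), resolve_landing(base + "/a")
    finally:
        srv.shutdown(); srv.server_close()

if __name__ == "__main__":
    print(demo())
```

The last URL in a chain with verdict `landed` is the one to check against a blocklist; the hop limit and loop check keep a hostile redirector from tying up the scanner.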
Of course, requesting the full pages would give Skype insight into the actual content of these pages, which would make it more effective at blocking spam. But doing so would also infringe the users’ privacy – and thus I think they have made the correct decision here.
Sure, if you believe that mere knowledge of the existence of a URL would infringe your privacy (and there are certainly circumstances where this may be the case) this is a problem – but in such cases, sharing it using a third-party system is probably not a good idea in the first place. The inclusion of credentials in URLs, even if they are sent via HTTPS, is not common, and rather bad practice.
Heise’s article can be found here (in German).
Posted on 14 May 2013 by Martijn Grooten