Cryptocat Developer Explains the Privacy Implications of Windows 8 SmartScreen (Updated)

SmartScreen is a new default feature implemented by Microsoft in Windows 8, its main purpose being to screen all the applications installed by a user to ensure that they're not malicious. Nadim Kobeissi – an independent security researcher and the developer of Cryptocat – claims that the feature may bring some serious privacy risks.

During the screening process, the details of the apps downloaded and installed by the customer are sent back to Microsoft’s servers, Kobeissi notes on his personal blog.

“This is a very serious privacy problem, specifically because Microsoft is the central point of authority and data collection/retention here and therefore becomes vulnerable to being served judicial subpoenas or National Security Letters intended to monitor targeted users,” the expert explained.

“This situation is exacerbated when Windows 8 is deployed in countries experiencing political turmoil or repressive political situations.”

Furthermore, he believes that it’s possible for an attacker to intercept SmartScreen’s communications. The Redmond company’s server which handles these requests uses IIS 7.5 and it’s configured to support SSLv2.

It’s uncertain if SmartScreen does in fact utilize SSLv2, but if it does, there could be serious implications because this protocol is known to have security holes.

“The SSL Certificate Authority chain goes down from ‘GTE CyberTrust Global Root’ to ‘Microsoft Secure Server Authority.’ The Certificate Authority model is itself susceptible to some serious problems,” the researcher added.

In theory, a malicious third party could leverage these flaws to identify the applications utilized by a certain customer and use the information to launch targeted attacks against him/her.

Also, the fact that the user is not informed of how SmartScreen works and the privacy risks that come with it during the installation process of Windows 8 is another concern expressed by Kobeissi.

We have reached out to Microsoft representatives hoping to get their side of the story and we’ll update this article once they respond.

Update. Microsoft has responded to our inquiry. A spokesperson has stated that they're not "building a historical database of program and user IP data. Furthermore, the vulnerable SSL2.0 protocol is not utilized, as  Kobeissi assumed.

The complete statement and further explanations are available here.