Windows 10 has an undocumented certificate pinning feature (hexatomium.github.io)
121 points by XzetaU8 on Sept 25, 2016 | hide | past | favorite | 33 comments


> So this very much looks like evidence of an active system-wide certificate pinning mechanism protecting against MITM attacks on high-value Microsoft domains. Which, per se, is a good thing!

I feel like a broken record, but no, if you can't turn this off, it is not a good thing! It means you can never use an HTTPS proxy and know exactly what data is streaming off of your computer.


Indeed, a "MITM attack" is a good thing if you are the one inspecting the data.

Obligatory story about having control over your computing environment: https://www.gnu.org/philosophy/right-to-read.en.html


You can, you just need to have someone reverse engineer the pinning mechanism first to figure out how to disable or bypass it, or alternatively, log the data being wrapped in TLS. Same as has been done on mobile platforms (e.g. HttPeek for iOS).


Given that products like Fiddler still work against live.com domains on Windows 10, either the pinning isn't enabled, Fiddler knows how to bypass it, or this isn't actually related to pinning.


Or maybe the pinning isn't for IE, but for Windows sending MS hidden information it doesn't want you to know about.


That's an awfully large list of domains for "hidden" telemetry. Hard to imagine why all of those would be specified for that. e.g. Some of those are just landing pages.

Disclosure: Microsoft employee


You can be pretty sure they collect everything that is technically possible at scale. And that there is a back-door to your system in case they need any details. It feels good that they use encryption though. <sarcasm>


Could this list of domains be used as one-stop-shop to block all Windows 10 snooping?


It's like plugging leaks on a sponge boat. You don't know that a. there aren't several lists, or b. they won't add it somewhere else with a future update, or even c. they won't just steganographically insert it into other innocuous traffic to counter packet sniffing and hardware firewalls. Once you stop trusting the OS maker, you can't trust the OS.


The frequent and often very long lists of updates to recent Windows versions are most frustrating, as it seemed the older Windows versions received far fewer updates in their time, most if not all exclusively security updates, and were essentially free of telemetry and other annoyances.

I lost trust in MS after they started inserting telemetry and ads, i.e. in the Win8 era, then silently added the Win10 forced-upgrade crap to security updates too.


While MS using steganography seems a bit far fetched, I can't agree more with your final statement. I simple don't trust MS anymore, and it's a sad state of affairs.


> I simple don't trust MS anymore

You just "simple" don't trust Microsoft. What about other big companies, for example Google? Do you trust them or not? Why?

Do you trust Apple/Facebook/<put_here_another_big_company_with_users>? Why?


In the context of OS, there is really only Apple, Microsoft, and Linux. With Linux (and to a significant extent OS X), users can understand what is going on with their computer. Apps are packaged in an easy to understand format. I can look at the human readable plists that apps use to store their config, or show package contents, for example. But I have no idea what stack Windows operates on, and Microsoft has no intention of ever letting me peek under the hood of their software. That was the general idea of Windows 7, just provide the interface and something that works, and hope to god the user doesn't want to change anything without installing 3rd party apps. A lot of people spend a very significant time on their computers, yet Microsoft has decided to tighten its grip on how personal computing is done, because the user doesn't know what they want, apparently.

Google and Facebook offer services that I can choose to not use if I want to. The average user can't switch between OSes without at least a certain amount of knowledge, and Windows is taking advantage of its still gargantuan market share to snoop and embed things and install updates even after the user decides not to.


>You just "simple" don't trust Microsoft.

It's either a mistake or English isn't their first language; regardless, your wording and use of quotes makes this sound aggressive or insulting. (This sets the tone for the rest of the comment.)

You understood what was meant.

>What about other big companies, for example Google? Do you trust them or not? Why? Do you trust Apple/Facebook/<put_here_another_big_company_with_users>? Why?

As for me personally, I don't trust most large companies very much. Many large companies have a goal to collect a lot of data on you and potentially sell that data, and that's ignoring Government snooping etc.

But I still use many of their services despite that. There's a trade off to be made and occasionally it can be worth it, I just try not to give out more data than necessary.

As for Microsoft and Windows/Windows 10 specifically, the stakes are higher. Assuming I'm running a Microsoft OS, I'm dependent on it operating in my best interests; everything I do on a computer is run through the OS. If my OS is compromised by the vendor (in this case Microsoft) they can collect a lot of data about me and my habits against my will.

The counter argument is usually something along the lines of "Well, Google/Apple is doing all this stuff and worse!" with their mobile operating systems, which may be true. The difference is I don't use my phone for critical tasks or the majority of them, partially for that reason.

We've already lost the battle with phones, but I still want my PC to be sacred, even though it might not actually be 100% possible.


"Simple" instead of "simply" was just a typo - writing on mobile and was being a bit careless by not proofreading.

And I trust Apple and OS X/macOS a lot more than Windows, because I can more-or-less understand what my Apple OS is doing and can control it accordingly. With Windows, I can't even turn off telemetry/sharing diagnostics with Windows without a bunch of unwieldy hacks.


I certainly don't.


These aren't the telemetry domains.


You'd probably block all security updates as well. Not the best idea.


No guarantee you could block all tracking, although you probably cover a wide swath of the snooping by blocking the hostnames in this list (since they are owned by Microsoft). As mentioned in the article, the registry entry does seem to be regularly updated, so you’d have to keep track of any changes to it over time.
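One way to keep track of changes to such a registry entry over time, as an added example that is not part of this thread or of the original article: the script below snapshots every value under a registry key, saves the snapshot, and on the next run reports values that were added, removed or changed. The key path `HKLM:\SOFTWARE\PLACEHOLDER\PinList` is a placeholder (the real key named in the article is not reproduced here), and the snapshot file location is an assumption.

```powershell
# Added example (not from the article or thread): detect changes to a registry key
# between runs. Run from an elevated PowerShell prompt on Windows 10.
param(
    # Placeholder path: replace with the key described in the article.
    [string]$PinKey = 'HKLM:\SOFTWARE\PLACEHOLDER\PinList',
    # Assumed location for the saved snapshot.
    [string]$SnapshotPath = "$env:ProgramData\pinlist-snapshot.clixml"
)

function Get-KeySnapshot {
    param([string]$Key)
    # Map "<key path>::<value name>" -> value rendered as a string,
    # covering the key itself and every subkey beneath it.
    $snapshot = @{}
    $keys = @(Get-Item -Path $Key -ErrorAction Stop)
    $keys += Get-ChildItem -Path $Key -Recurse -ErrorAction Stop
    foreach ($item in $keys) {
        foreach ($name in $item.GetValueNames()) {
            # Multi-string and binary values come back as arrays; join them
            # so they compare as a single string.
            $snapshot["$($item.PSPath)::$name"] = ($item.GetValue($name) -join ',')
        }
    }
    return $snapshot
}

function Compare-Snapshots {
    param([hashtable]$Old, [hashtable]$New)
    # Return the names that appeared, disappeared or changed value.
    $report = [ordered]@{ Added = @(); Removed = @(); Changed = @() }
    foreach ($k in $New.Keys) {
        if (-not $Old.ContainsKey($k))   { $report.Added   += $k }
        elseif ($Old[$k] -ne $New[$k])   { $report.Changed += $k }
    }
    foreach ($k in $Old.Keys) {
        if (-not $New.ContainsKey($k))   { $report.Removed += $k }
    }
    return $report
}

$current = Get-KeySnapshot -Key $PinKey

if (Test-Path -Path $SnapshotPath) {
    $previous = Import-Clixml -Path $SnapshotPath
    $diff = Compare-Snapshots -Old $previous -New $current
    foreach ($kind in 'Added', 'Removed', 'Changed') {
        foreach ($entry in $diff[$kind]) {
            # Print the current value for added/changed entries, the old one for removals.
            $value = if ($kind -eq 'Removed') { $previous[$entry] } else { $current[$entry] }
            Write-Output ("{0,-8} {1} = {2}" -f $kind, $entry, $value)
        }
    }
    if (($diff.Added + $diff.Removed + $diff.Changed).Count -eq 0) {
        Write-Output 'No changes since last snapshot.'
    }
} else {
    Write-Output "No previous snapshot; recording baseline with $($current.Count) values."
}

# Persist the current state as the baseline for the next run.
$current | Export-Clixml -Path $SnapshotPath
```

Scheduling this with Task Scheduler (for example daily, or after each Windows Update run) gives a simple change log; forwarding its output to a log collector turns an undocumented, silently updated list into something you can at least audit.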


An attempt to do something similar with netfilter/Linux: https://github.com/fredburger/xt_sslpin

Recent fork: https://github.com/Enteee/xt_sslpin

Someone's blog post about it: https://duckpond.ch/networking/security/2016/09/09/xt_sslpin...

/r/netsec discussion: https://www.reddit.com/r/netsec/comments/52me9w/xt_sslpin_ma...

I like the idea.


Telemetry related of course. Shame it is not properly documented. As with all things closed source we have no idea how this works, when it is updated or if it is possible to ignore it totally.


Looking at the list of domains, they appear to be almost entirely unrelated to telemetry.

Most likely this feature is a response to incidents such as this: https://www.wired.com/2011/03/comodo-compromise/ (in which certs for login.skype.com and login.live.com were misissued by Comodo).

Blocking the domains in this list to prevent telemetry, as suggested in other comments, would prevent access to most of Microsoft's online services. This includes third-party websites hosted on Azure that aren't using their own custom domain (.azurewebsites.net), and all software updates, including critical security patches.


I recall seeing a list of telemetry domains, and it's quite different.

This is a list of user-facing sites.


Correct. I made a quick dump of the telemetry hosts here: https://cl.ly/hZ3q

If you have win10, you can add this to your hosts file. The optional portion of the list will block store items, the email client and even things like the Groove media player, so use it as you will.


Given the OS is known to be able to ignore its own hosts file, you're better off doing this directly in your router, if that is a possible option.


Unless you have a source that shows otherwise, I only know of it doing that if it's formatted wrongly, which is going to be a problem with most things.


Maybe Microsoft are trying to foil m.i.t.m. attacks against their infrastructure, by reporting back certificate errors for those domains. A hacker who is developing an attack against Windows Update will need to implement a mock version of the service, redirect DNS, and create self-signed certs for those domains. I think Microsoft are interested in people/organizations doing that.

Of course, this is not foolproof, and documenting the feature will just alert people they need to mock telemetry and this pinning feature first.


Didn't Stallman warn us about it?


Windows has lots of undocumented "features."

In all seriousness, I'm not sure this is a good thing.


> Edit 1 (2016-09-24): This seems to be - at least partially - related to Telemetry, as briefly mentioned at the only page I could find: https://technet.microsoft.com/en-us/itpro/windows/manage/con...

So some are related to telemetry, but probably not all of them.


This is why I always run open source software on my systems.


If you are taking this as an argument for e.g. Linux over Windows, certificate pinning is a good thing though? It helps prevent MITM attacks, as stated in the article. (Not to say that you shouldn't run Linux.)


Interesting that they are pinning certs for -int domains (integration testing) but not -ppe (pre production).

Perhaps they no longer use -ppe?



