← Back to context

Comment by Terr_

2 days ago

I would be shocked if Microsoft was not using their own layer of certificate-pinning to stop people from doing that, and/or using another layer of encryption separate from the networking layer.

Only way to see what's going on is testing to see what's going on. Hopefully, someone who knows more about it than me can take a look at the packets and see what they contain.

  • I found this talk [0] and some of the slides suggest that Windows is, at least in some circumstances, packaging web-browsing data into telemetry.

    To lift examples from the slides, that includes page titles:

        "CorrelationGuid": "7da62b73-082f-4eb2-a370-135d0113e1dd",
        "EventInfo.Level": 2,
        "PageTitle": "SiSyPHuS AFUNKT - Search",
        "TabId": 830425073,
        "client_id": -7497793556371901000,
        "pop_sample": 100,
        "utc_flags": 140737488355328
        

    The transitions between pages:

        "IsSameDocumentNavigation": 0,
        "client_id": -7497793556371901000,
        "navigationUrl": "https://www.bsi.bund.de/DE/Service-
        Navi/Publikationen/Studien/SiSyPHuS_Win10/AFUNKT/SiSyPHuS_AFUNKT_node.html",
        "referUrl": "https://www.bing.com/",
        "HttpStatusCode": 200,
    

    And even which link you clicked in the page:

        "DOMElementPath": "A|1||c-link%20c-link--download%20FTpdf;P|5[…]gsb%20lang-de%20fixed%20js-on;HTML|1||",
        "DOMAnchorHrefUrl": "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/SiSyPHus/AFUNKT.pdf?__blob=publicationFile&v=6",
    

    [0] https://troopers.de/troopers23/talks/bsabut/

But you'd still see some encrypted traffic and it wouldn't fly under a radar