upvote
The article links to this page, which was shared on HN yesterday. [1]

I feel like using wireshark to look at what's being sent back and forth from Windows telemetry, when using Edge, Chrome & etc should reveal what's being sent and recieved. Using MITM SSL spoofing should be able to intercept the packets.

[1] https://github.com/SmtimesIWndr/gdid-reversal

reply
I would be shocked if Microsoft was not using their own layer of certificate-pinning to stop people from doing that, and/or using another layer of encryption separate from the networking layer.
reply
Only way to see what's going on is testing to see what's going on. Hopefully, someone who knows more about it than me can take a look at the packets and see what they contain.
reply
I found this talk [0] and some of the slides suggest that Windows is, at least in some circumstances, packaging web-browsing data into telemetry.

To lift examples from the slides, that includes page titles:

    "CorrelationGuid": "7da62b73-082f-4eb2-a370-135d0113e1dd",
    "EventInfo.Level": 2,
    "PageTitle": "SiSyPHuS AFUNKT - Search",
    "TabId": 830425073,
    "client_id": -7497793556371901000,
    "pop_sample": 100,
    "utc_flags": 140737488355328
    
The transitions between pages:

    "IsSameDocumentNavigation": 0,
    "client_id": -7497793556371901000,
    "navigationUrl": "https://www.bsi.bund.de/DE/Service-
    Navi/Publikationen/Studien/SiSyPHuS_Win10/AFUNKT/SiSyPHuS_AFUNKT_node.html",
    "referUrl": "https://www.bing.com/",
    "HttpStatusCode": 200,
And even which link you clicked in the page:

    "DOMElementPath": "A|1||c-link%20c-link--download%20FTpdf;P|5[…]gsb%20lang-de%20fixed%20js-on;HTML|1||",
    "DOMAnchorHrefUrl": "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/SiSyPHus/AFUNKT.pdf?__blob=publicationFile&v=6",
[0] https://troopers.de/troopers23/talks/bsabut/
reply
What application is doing the sending and where is it being sent?
reply
But you'd still see some encrypted traffic and it wouldn't fly under a radar
reply
It's Microsoft Defender SmartScreen in Edge.

You can also use the Windows Diagnostic Viewer to check the telemetry data being shipped to Microsoft. I'd be willing to bet that you could use Edge (with defaults) and see the URLs being sent to Microsoft but nothing would come from Brave, Firefox, Chrome etc.

reply
I was under the impression Windows is unreliable for these kind of activities as they are "leakish".

I imagine it's not too difficult to narrow down the potential suspects with how much data points you'd get from ISP, Windows telemetry, and whatever.

reply
"all" would be troubling indeed. I hope that someone can discover the mechanism, and whether it's depending on any settings like "Share browsing data with other Windows features" or any other settings.
reply
Worse than just domains as TFA shows full URLs are recorded.

Reminds me of Google Safebrowsing.

reply
Possibly the same but done by Edge?
reply