Hacker News: Shifting Cyber Norms: Microsoft security POST-ing to you

Source URL: https://berthub.eu/articles/posts/shifting-cyber-norms-microsoft-post/
Source: Hacker News
Title: Shifting Cyber Norms: Microsoft security POST-ing to you

Feedly Summary: Comments

AI Summary and Description: Yes

Summary: The text discusses the growing reach of email security scanners, particularly Microsoft's, which no longer just fetch links with GET requests but also execute the JavaScript on the fetched pages and send POST requests on behalf of the recipient. This consumes single-use login and confirmation links before the user sees them and breaks the long-standing norm that a POST represents a deliberate user action. The post calls for developers to rethink how such links are designed and demands greater transparency from major digital gatekeepers.

Detailed Description:
The content provides insights into the evolving landscape of security norms concerning email interactions, especially for services requiring user logins and confirmations. It raises important considerations for developers and security professionals regarding how major players like Microsoft influence security practices and the broader implications of these changes.

Key Points include:

– **Change in Cyber Norms**:
– Historical perspective on changing norms related to email and web interactions, such as the acceptability of spam filters and software performing automatic updates.
– Discussion of idempotence in HTTP requests: by convention a GET is safe and repeatable (following a link must not change server state, which is why link-following scanners were tolerable), whereas a POST is reserved for state changes triggered by an explicit user action; this GET vs. POST distinction is what much web security design relies on.

– **Impact of Microsoft’s Email Scanning**:
– Microsoft's email scanners follow links in incoming mail, execute the JavaScript on the resulting page and submit POST requests from Microsoft IP addresses; a POST that was meant to be the user's explicit confirmation can therefore consume a single-use login or confirmation link before the recipient ever opens the message.
– This is presented as a significant break with the established norm that POST requests do not occur without an explicit user action.

– **Developer Strategies**:
– Emphasis on the need for developers to assume that automated clients will reach their endpoints, including form submissions, which changes how single-use links and email confirmations must be designed.
– Suggests adding further verification rounds or a CAPTCHA so that an automated request cannot complete the action on its own, while cautioning that each extra step degrades the user experience.
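The difference between the three designs the post is concerned with can be shown with a small model. The following is an added example written for this page, not code from the article or from Microsoft: it models a single-use confirmation endpoint as a pure function over an in-memory token store and runs a constructed scanner against it, once as a scanner that only follows links (GET) and once as one that also executes the page's JavaScript and submits its form (POST). All function names, the token format, and the six-digit "code from the mail body" second secret are this example's own assumptions.

```python
"""Single-use confirmation links versus link-following mail scanners.

Added example for this page (not the article's code). Three handler designs
are modelled as pure functions so that the effect of a scanner that follows
GET, or that also executes JavaScript and POSTs, can be compared offline.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Token:
    user: str
    code: str              # second secret printed in the mail body, not in the link
    consumed: bool = False


@dataclass
class Store:
    tokens: dict = field(default_factory=dict)

    def issue(self, user: str) -> str:
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = Token(user=user, code=f"{secrets.randbelow(10**6):06d}")
        return tok


def handle_naive(store: Store, method: str, tok: str, form=None):
    """Design 1: the link itself confirms. Any GET consumes the token, so a
    scanner that merely follows links burns the link (or logs itself in)."""
    t = store.tokens.get(tok)
    if t is None or t.consumed:
        return 410, "link already used or unknown"
    t.consumed = True
    return 200, f"confirmed {t.user}"


def handle_post_only(store: Store, method: str, tok: str, form=None):
    """Design 2: GET is safe and only renders a button; the state change happens
    on POST. Survives GET-only scanners, but not one that executes the page's
    JavaScript and submits the form."""
    t = store.tokens.get(tok)
    if t is None or t.consumed:
        return 410, "link already used or unknown"
    if method == "GET":
        return 200, "<form method=post><button>Confirm</button></form>"
    if method == "POST":
        t.consumed = True
        return 200, f"confirmed {t.user}"
    return 405, "method not allowed"


def handle_post_with_code(store: Store, method: str, tok: str, form=None):
    """Design 3 (assumed mitigation): POST consumes the token only together with
    a secret that is in the mail body but not in the link. A scanner that
    clicks and submits the form without it gets 400 and the link stays valid."""
    t = store.tokens.get(tok)
    if t is None or t.consumed:
        return 410, "link already used or unknown"
    if method == "GET":
        return 200, "<form method=post><input name=code><button>Confirm</button></form>"
    if method == "POST":
        code = (form or {}).get("code", "")
        if not secrets.compare_digest(code, t.code):
            return 400, "code from the mail required"
        t.consumed = True
        return 200, f"confirmed {t.user}"
    return 405, "method not allowed"


def simulate_scanner(handler, store: Store, tok: str, executes_js: bool) -> int:
    """Constructed scanner: follows the link; if it executes JavaScript it also
    submits whatever form the page contains, but it does not read the mail body."""
    status, body = handler(store, "GET", tok)
    if executes_js and "<form" in body:
        status, body = handler(store, "POST", tok, form={})
    return status


def user_confirms(handler, store: Store, tok: str) -> bool:
    """The real recipient: opens the link and, if a form is shown, submits it
    with the code read from the mail. True if the confirmation succeeds."""
    status, body = handler(store, "GET", tok)
    if status == 200 and "<form" in body:
        status, body = handler(store, "POST", tok, form={"code": store.tokens[tok].code})
    return status == 200 and body.startswith("confirmed")


def user_can_confirm_after_scanner(handler, scanner_executes_js: bool) -> bool:
    """Issue one link, let the scanner at it first, then let the user try."""
    store = Store()
    tok = store.issue("alice")
    simulate_scanner(handler, store, tok, scanner_executes_js)
    return user_confirms(handler, store, tok)


if __name__ == "__main__":
    for name, h in [("naive", handle_naive), ("post-only", handle_post_only),
                    ("post+code", handle_post_with_code)]:
        for js in (False, True):
            ok = user_can_confirm_after_scanner(h, js)
            print(f"{name:10} scanner executes JS={js!s:5} user still confirms: {ok}")
```

The naive design fails against any link-following scanner, the GET/POST split (the norm the post describes) fails as soon as the scanner executes JavaScript, and only a POST that also requires something the scanner cannot obtain from the link survives. The third design is a stand-in for the post's "further verification round": it assumes the scanner does not parse the secret out of the mail body as well, and it costs the user an extra step, which is exactly the trade-off the post warns about.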

– **Transparency and Accountability**:
– There’s a call to action for larger tech organizations, termed ‘designated gatekeepers’ under the EU Digital Markets Act, to be more transparent regarding their practices and the impact they have on online interactions.
– The concern that without such transparency, these entities may continue to make changes that disrupt user interactions or security protocols without due notice.

Overall, security and compliance professionals must consider how these scanners affect the integrity of login and confirmation flows, user trust, and the effectiveness of their own controls, and design for a web in which a large gatekeeper's automation may act on a link before the user does. The post frames this as a shift in what can be assumed about user authentication and in the expectations for notice and transparency when such a player changes its behaviour.