
I checked established connections with the "netstat" command in Command Prompt, and I found that there are some connections with IPs of Microsoft (I checked the IPs online) that have an HTTP (and not HTTPS) connection established; they lead to some svchost.exe in a Win32 folder of the system. I know that HTTP connections are not safe, but I guess they are safe since they have Microsoft IPs, but why are these connections not encrypted (HTTP)? Is it normal?

john

1 Answer


I don't know what connections in particular you observed, but here are some candidates that a Windows service (the background tasks or "daemons" that run in svchost.exe processes) might be using:

  • Reporting basic diagnostics and telemetry. Lots of software does some of this but Win10 in particular has a lot of telemetry that lets Microsoft know things about how the OS is used, and most people don't disable it (it's actually quite hard to disable on most Win10 editions). The data is not supposed to be personally identifying or tied to a specific user, so there's no particular need for it to be secure.
  • Checking for or retrieving Windows updates. I would certainly expect this to be done over a secure connection, although in theory with enough signatures and timestamping on the traffic TLS isn't required for security (it's not like the patches themselves are secret, they just absolutely must not be tampered with).
  • As part of Windows Defender, checking whether unrecognized files have been categorized as safe or not (it generally doesn't need to transmit the files themselves for this, just a non-reversible cryptographic hash, though it might upload the full files sometimes). Like the update checks, this is something I would expect to be done over TLS but in theory doesn't have to be.
  • Retrieving certificates or related metadata from Microsoft (which issues its own certificates and also provides updates to the Windows ones sometimes). Since certificates are inherently signed - their entire security hinges upon it - this can be, and often is, done over insecure connections (a TLS server sends its certificate to the client in plain text as part of, but before actually establishing, the secure connection).
  • Querying Microsoft servers for the time, to help keep your PC synchronized. This is often done over an insecure protocol, but it's usually NTP (Network Time Protocol), which uses UDP on port 123, rather than HTTP, which uses TCP on port 80.
  • Checking for updates to, or downloading packages for, "Windows Store" apps. As with the Windows Update possibility, I'd be surprised if this wasn't using a secure connection.

There are probably many more that I missed, but those seem like some of the most likely to be running unexpectedly in the background, as a Windows service, and communicating with Microsoft.

Doing a reverse DNS lookup on the IP address (where you try to see what domain names are associated with the IP address), or examining the network traffic (using a tool such as Wireshark or Microsoft Message Analyzer), might help you determine what that connection is being used for.

Incidentally, Windows ships with a graphical utility called Resource Monitor that can, among other things, provide a real-time view of network connections and traffic similar to netstat, and may make it easier to trace the connection back to the service owning it.

CBHacking
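The answer above suggests tracing each connection back to the owning service and doing a reverse DNS lookup on the remote address. The following PowerShell script, added here as an example and not part of the original question or answer, does both in one pass: it lists established TCP connections to a chosen remote port (80 by default, since that is what the question is about), resolves the owning process, and, when that process is svchost.exe, asks WMI which services are hosted in that particular svchost instance. The function name `Get-OwnedConnection` and its parameters are my own; the cmdlets used (`Get-NetTCPConnection`, `Get-Process`, `Get-CimInstance` against `Win32_Service`, `Resolve-DnsName`) are built into Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the original post): map established outbound TCP
# connections to their owning process and, for svchost.exe, to the service(s)
# hosted in that specific svchost instance, then try a reverse-DNS (PTR) lookup
# on the remote address. Run from an elevated PowerShell so that the path and
# service information for system processes is visible.

function Get-OwnedConnection {
    param(
        # Hypothetical parameter names chosen for this example.
        [int[]]$RemotePort = @(80),
        [switch]$ResolveNames
    )

    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $RemotePort -contains $_.RemotePort }

    foreach ($c in $conns) {
        $procId = $c.OwningProcess
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $exe    = if ($proc) { $proc.Path } else { $null }

        # One svchost.exe process can host several services; Win32_Service.ProcessId
        # tells us exactly which services live in this PID.
        $services = @()
        if ($proc -and $proc.ProcessName -ieq 'svchost') {
            $services = Get-CimInstance -ClassName Win32_Service `
                -Filter "ProcessId = $procId" |
                Select-Object -ExpandProperty Name
        }

        # PTR records are optional and often generic; treat the result as a hint,
        # not as proof of who owns the address.
        $ptr = $null
        if ($ResolveNames) {
            $r = Resolve-DnsName -Name $c.RemoteAddress -Type PTR -ErrorAction SilentlyContinue
            if ($r) {
                $ptr = ($r | Where-Object { $_.NameHost } | Select-Object -First 1).NameHost
            }
        }

        [pscustomobject]@{
            RemoteAddress = $c.RemoteAddress
            RemotePort    = $c.RemotePort
            PID           = $procId
            Process       = if ($proc) { $proc.ProcessName } else { '?' }
            Path          = $exe
            Services      = ($services -join ', ')
            PtrName       = $ptr
        }
    }
}

# Usage: show plain-HTTP connections with reverse DNS. The Path column should read
# C:\Windows\System32\svchost.exe; an svchost with any other path, or one hosting
# no service at all, deserves a closer look.
Get-OwnedConnection -RemotePort 80 -ResolveNames | Format-Table -AutoSize
```

Once the Services column names the service (for example a Windows Update, Delivery Optimization, or time-related service), the list of candidates in the answer narrows to one, and a Wireshark capture filtered on that remote address will show what is actually being sent in the clear. The classic one-liner `netstat -abno` (elevated) gives the same owning-executable information in a less structured form, and `tasklist /svc` lists which services each svchost PID hosts.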