Microsoft outlines IE 7 security plans

Microsoft is tightening up the way its Internet Explorer browser handles HTTPS for version 7, which is used to secure online transactions, in an attempt to give people more protection online.

In a posting on the Microsoft Internet Explorer blog, IE program manager Eric Lawrence said that IE 7 would support the Transport Layer Security (TLS) protocol by default.

Existing versions of IE automatically use the SSL 2.0 protocol, which is weaker than TLS, to encrypt user data, although it is possible to manually switch to TLS.

Microsoft's decision to ditch support for SSL 2.0 means that any site that still requires this protocol should upgrade, but Lawrence claimed there are "only a handful" of such sites.

Lawrence also explained how IE 7 will behave differently from earlier versions when it encounters potential security problems.

"Whenever IE6 encountered a problem with a HTTPS-delivered Web page, the user was informed via a modal dialog box and was asked to make a security decision. IE 7 follows the XPSP2 'secure by default' paradigm by defaulting to the secure behavior," said Lawrence.

IE 7 will not give users the option of seeing both secure and insecure items within an HTTPS page. With IE6, this option appears when the browser encounters an HTTPS page that includes some HTTP content. But in IE 7, only the secure content will be rendered by default, forcing the user to choose to access the rest via the information bar.

"This is an important change because very few users (or web developers) fully understand the security risks of rendering HTTP-delivered content within a HTTPS page," Lawrence claimed.

Graeme Wearden of ZDNet UK reported from London.

[libzhark]

Following suite

It's nice to see MS taking some initiative in implementing changes already being done by others.

<a class="jive-link-external" href="http://www.mozillazine.org/talkback.html?article=7252" target="_newWindow">http://www.mozillazine.org/talkback.html?article=7252</a>

I commend them for taking another stab at security, but wonder if the only reason for doing this is that others are already implementing this too.

[System Tyrant]

They are...

playing catch up in many cases, but Microsoft is probably trying to do the right thing. I am glad to see Microsoft trying to fix their own problems.

I hope it translates into real world security and not just some paper jive. My next hope is that Microsoft will adopt standards set by the W3C. I would be nice to be able to take full advantage of CSS 1&#38;2 and someday 3 (and yes I know there are no fully compliant browsers).

Still tied to the OS?

Is this release still tired to the OS, or, I'm sorry, The heart of the OS with the rest dependant on it? If so, that's there biggiest security risk right there. Apps aren't supposed to be tied to the OS, they're jsut supposed to run over it. Are they getting this yet?

[Dwaine]

Run Over By Apps

They must be getting that. I constantly feel like my MS apps are running all over me...

[Bill Dautrive]

Not supposed to be

IE7 is allegedly going to be a standalone app, despite the fact that this contridicts sworn testimony. Who knew MS lies? *snicker

I will believe MS is serious about security when they show that they are. All they have shown is that they are serious about talking about security. Security, has never been a priority with the folks in Redmond, It has only ever been worked on after the fact, after trouble has started and even then it is only weak workarounds that cause more problems.

The only way any MS product is going to be secure is if they start from scratch on every product.

XP is loaded with poorly written, buggy and unsecure code from every previous windows release. Vista will be the same, so its chances of being even reasonably secure are nil.

[i_made_this]

internetfire explorerfox #7 is ...

...coming along smartly - bravo MSFT. we can't wait to see the alpha ie 7 with one tenth the security features of firefox. i for one am surely holding my breath. now, if only there were something you could do about that pesky ActiveX.

[kensystem]

At it again

It looks like a spittin image of Firefox and Safari. Just some color changes, but the same basic layout and simplicified buttons, colored URL bar, lock placement, tabs, icon in the tab and URL bar. The great imitator is at it again. Aumusing.