Microsoft plans to adopt a stronger cryptography protocol in the next version of its web browser software, Internet Explorer 7. IE7 will replace the SSLv2 (Secure Socket Layer) protocol with the sturdier TLSv1 (Transport Layer Security) protocol in default HTTPS protocol settings as a means to provide improved security for ecommerce transactions, according to a posting in Redmond's official IE development blog.

Users of IE6 can manually configure these stronger settings but the changes will mean that more users will be directed towards using the stronger SSLv3 or TLSv1 protocols rather than SSLv2. The change should be seamless for end users but adoption of the stronger encryption protocol by a wider percentage of surfers could create some work for sys admins.

As part of Microsoft's "secure by default" design philosophy, IE7 will block encrypted web sessions to sites with problematic (untrusted, revoked or expired) digital certificates. Users will receive a warning when they visit potentially insecure sites, which users can choose to ignore, except where certificates are revoked. "If the user clicks through a certificate error page, the address bar will flood-fill with red to serve as a persistent notification of the problem," Lawrence explained.

The Beta 2 version of IE7 also changes the way non secure content is rendered in a secure web page. IE7 renders only the secure content by default but it offers surfers the chance to unblock the nonsecure content on a secure page using the Information Bar.

In the same posting, Microsoft also revealed that the new Windows Vista platform will offer several crypto improvements beyond what's offered by IE7. These include support for AES (Advanced Encryption Standard), a strong algorithm recently adopted as a US government standard for electronic security, which offers support for up to 256 bits encryption. Windows Vista will also enables certificate revocation checking by default. ®

Related stories

• Et tu, Gmail? Simple hack defeats last barrier to decades-old attack (1 February 2008)
• Could invisibility beat encryption? (15 January 2007)
• Security glitch bites IE7 beta (2 February 2006)
• MS seeks feedback on IE7 beta 2 (1 February 2006)
• Fully featured Windows Vista CTP coming (20 December 2005)
• Update glitch spins out IE7 beta testers (19 December 2005)
• Gartner 'clarifies' Windows Vista advice (23 November 2005)
• Browser developers team up to thwart hackers (23 November 2005)
• Gartner warns business on Vista (14 November 2005)
• Update IE7 nukes Google, Yahoo! search (28 July 2005)
• IE7 details leak onto web (16 March 2005)
• RSA 2005 Gates: security concerns propel IE7 launch (15 February 2005)
• Unholy trinity of Open SSL vulns (19 March 2004)
• Is SSL safe? (21 March 2003)
• Crypto attack against SSL outlined (21 February 2003)
• IETF puts weight behind Advanced Encryption Standard (22 July 2002)