
Getting on the right side of IE 7 security

Like it or loathe it, you have to know about it


As Internet Explorer tries to get serious on security, you have to find out how to make sure you don't look like one of the bad guys. When it comes to security, things are rarely black and white: my handy IM Web client is your potential security hole. The issue is who is in control: you, as the site developer, or the user who owns the PC that Internet Explorer is running on.

You want to get a site that looks and works the way you want; the user wants a browser that blocks phishing attacks and doesn't let sites reset the home page. IE Program Manager Rob Franco jokes about it: "My goal with IE 7 is to protect the system against the most destructive force in the universe; my brother, who believes that everything on the internet should be free and will click on anything to get it."

But protecting the naïve user from the malicious attacker can mean the blameless developer loses a feature they were relying on. Vista Beta 2 secures what's just been renamed Internet Explorer 7+ by running it in a new protected mode, which restricts the changes IE can make to the registry and the files it can update; but other security-related changes apply to IE 7 for Windows XP as well.

Take the phishing filter built into IE 7 to spot fake sites; this has already been triggered over 170,000 times during the beta, which is good news - if they're really fake banking sites or some such. But what do you do to make sure your site doesn't trip it accidentally?

To avoid making it too easy for the phishing sites, Microsoft hasn't published a full list of the heuristics the filter uses. As well as blocking URLs collected by security companies such as Cyota and Internet Identity, it's a learning system, so the list of blocked sites will change as phishing sites evolve. If you're collecting personal information from users, secure your site with SSL and link to sites by host name, not by IP address.

From the few details in the Anti-Phishing white paper, the filter will also look for sites incorporating content or scripts from another domain. But the best approach is to test your site in IE 7 (or use the Phishing Filter add-on for the MSN Toolbar); if it is marked as a suspicious site or blocked as a malicious site, you'll see a link to report that it's not malicious. Franco promises reports from site owners will go to the top of the list for checking [but don't underestimate the potential business problems, to do with reputation and email for example, from being a "false positive" - test early and, presumably, retest at intervals - Ed].

The gopher protocol is now fully disabled, rather than just off by default; telnet is gone as well. Script can no longer change the status bar for sites in the Internet and Restricted zones. A script can't close a browser window unless it opened that window in the first place. You can't hide the address bar in a pop-up window any more. And DHTML scriptlets are disabled by default (although users can turn them back on from the control panel).

There aren't many sites left using the weaker SSL 2.0; IE 7 won't support this, so now is a good time to switch to SSL 3.0 or Transport Layer Security (TLS). Virtual HTTPS hosting (with TLS Server Name Indication) is supported, but only in Vista. IE 7 also blocks sites with expired or revoked certificates, and where the certificate doesn’t match your URL (so you can’t use the certificate for www.mydomain.com on secure.mydomain.com, say, unless you have a wildcard *.mydomain.com certificate). And if you're only using base64 encoding to protect usernames and passwords, your users will see a warning that this is insecure.
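To see how the certificate name check above plays out for www.mydomain.com versus secure.mydomain.com, here is an added example (not from the article or from Microsoft) of a hostname-matching routine in the RFC 2818 style most browsers use; that IE 7 applies exactly these wildcard rules is an assumption, as the article doesn't spell them out.

```python
def hostname_matches(cert_name, hostname):
    """Does one certificate name (CN or DNS subjectAltName) cover hostname?

    Matching follows the RFC 2818 style rule (an assumption here; IE 7's
    exact rules are not documented in the article):
      * the comparison is case-insensitive (a trailing dot is ignored);
      * a wildcard is honoured only as the whole leftmost label, "*.mydomain.com";
      * that wildcard stands for exactly one label, so *.mydomain.com covers
        secure.mydomain.com but not mydomain.com or a.b.mydomain.com;
      * a wildcard needs at least two labels after it, so "*.com" never matches.
    """
    cert = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if cert == host:
        return True
    if cert[0] != "*" or len(cert) < 3 or len(cert) != len(host):
        return False
    return cert[1:] == host[1:]


def certificate_covers(cert_names, hostname):
    """True if any name in the certificate matches the host the user browsed to."""
    return any(hostname_matches(name, hostname) for name in cert_names)


# Constructed name lists for the two certificates the article contrasts.
WWW_ONLY_CERT = ["www.mydomain.com"]
WILDCARD_CERT = ["mydomain.com", "*.mydomain.com"]
```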

If you mix secure and insecure content on a page, instead of seeing a dialog box that everyone turns off straight away, the content delivered by HTTP will be blocked until the user allows it from the InfoBar. This helps ensure that everything on the login page comes from your secure server and there are no links that could send users to a malicious secure server instead - all the lock icon proves is that you have a secured connection, not who you're connected to.
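Turning the advice from the phishing-filter paragraphs and the mixed-content paragraph above into a pre-release check, here is an added example (my own, not the article's or Microsoft's) that scans a login page's HTML for HTTP sub-resources on an HTTPS page, scripts pulled from another domain, and links to bare IP addresses; the sample page and the host names in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Tag attributes that pull a sub-resource into the page; fetched over plain
# HTTP on an HTTPS page, these are what IE 7 blocks as mixed content.
RESOURCE_ATTRS = {"script": "src", "img": "src", "link": "href",
                  "iframe": "src", "frame": "src", "object": "data", "embed": "src"}

def _is_ip_literal(host):
    try:                                   # 203.0.113.5 or [2001:db8::1]
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

class _Auditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []                 # (kind, tag, url) tuples

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(RESOURCE_ATTRS.get(tag, ""))
        if url:
            u = urlparse(url)
            if u.scheme == "http":         # blocked until the user allows it
                self.findings.append(("mixed-content", tag, url))
            if tag == "script" and u.hostname and u.hostname.lower() != self.page_host:
                self.findings.append(("cross-domain-script", tag, url))
        href = attrs.get("href") if tag == "a" else None
        if href:                           # links by IP address look like phishing
            host = urlparse(href).hostname
            if host and _is_ip_literal(host):
                self.findings.append(("ip-address-link", tag, href))

def audit_page(html, page_host):
    # Returns the findings for one page that is served from https://page_host/
    auditor = _Auditor(page_host)
    auditor.feed(html)
    return auditor.findings

# Constructed sample login page (not a real site) that trips all three checks.
SAMPLE_LOGIN_PAGE = """<html><head>
<script src="http://secure.mydomain.com/js/login.js"></script>
<script src="https://cdn.othervendor.example/track.js"></script>
</head><body>
<img src="http://secure.mydomain.com/logo.png">
<a href="http://203.0.113.5/help">Help</a>
<a href="https://secure.mydomain.com/reset">Reset password</a>
</body></html>"""
```

Run `audit_page(SAMPLE_LOGIN_PAGE, "secure.mydomain.com")` to list the two mixed-content resources, the third-party script and the IP-address link; relative URLs are left alone because they resolve to the page's own origin.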

IE 7 will also support higher assurance SSL certificates when the standard is finalised, turning the address bar green to show you're using a certificate that's the legal equivalent of a company-approved signature. You can get a test root certificate here and try it out in IE 7 at this Microsoft demo site.

ActiveX handling has changed yet again. A few popular ActiveX controls, such as Flash, Acrobat Reader and RealPlayer, will always work, but by default ActiveX controls that are already installed on a PC will be disabled until the user allows them from the InfoBar. A control the user downloads through IE 7 won't be blocked, and neither will a control they had already chosen to use before upgrading to IE 7; but you won't be able to access ActiveX controls on a user's PC without them knowing about it.

You can write to the Windows registry to pre-activate controls that are already on the PC, or to activate controls installed as part of your application (controls installed by software rather than by the user are disabled by default).

Franco admits there is some risk of hackers using social engineering to reactivate a vulnerable control already on the PC, but Microsoft can block insecure controls directly. And no matter how many security improvements Microsoft makes in Internet Explorer, there isn't a security process that the determined user can't find a way to bypass. ®
