Feeds

Getting on the right side of IE 7 security

Like it or loathe it, you have to know about it

Beginner's guide to SSL certificates

As Internet Explorer tries to get serious on security, you have to find out how to make sure you don't look like one of the bad guys. When it comes to security, things are rarely black and white: my handy IM Web client is your potential security hole. The issue is, who is in control: you as the site developer; or the user who owns the PC Internet Explorer is running on.

You want to get a site that looks and works the way you want; the user wants a browser that blocks phishing attacks and doesn't let sites reset the home page. IE Program Manager Rob Franco jokes about it: "My goal with IE 7 is to protect the system against the most destructive force in the universe; my brother, who believes that everything on the internet should be free and will click on anything to get it."

But protecting the naïve user from the malicious attacker can mean the blameless developer loses a feature they were relying on. Vista Beta 2 secures what's just been renamed Internet Explorer 7+ by running it in a new protected mode, which restricts the changes IE can make to the registry and the files it can update; but other security-related changes apply to IE 7 for Windows XP as well.

Take the phishing filter built into IE 7 to spot fake sites; this has already been triggered over 170,000 times during the beta, which is good news - if they're really fake banking sites or some such. But what do you do to make sure your site doesn't trip it accidentally?

To avoid making it too easy for the phishing sites, Microsoft hasn’t produced a full list of the heuristics the filter uses and as well as blocking URLs collected by security companies like Cyota and Internet Identity, it's a learning system, so the list of sites blocked will change as phishing sites evolve. If you're collecting personal information about users, secure your site with SSL and don't link to a site by the IP address rather than the URL.

From the few details in the Anti-Phishing white paper, the filter will also look for sites incorporating content or scripts from another domain. But the best approach is to test your site in IE 7 (or use the Phishing Filter add-on for the MSN Toolbar); if it is marked as a suspicious site or blocked as a malicious site, you'll see a link to report that it's not malicious. Franco promises reports from site owners will go to the top of the list for checking [but don't underestimate the potential business problems, to do with reputation and email for example, from being a "false positive" - test early and, presumably, retest at intervals - Ed].

The gopher protocol is now disabled fully, rather than just off by default; telnet is gone as well. You can't change the status bar via script for sites in the internet and restricted zones. You can't close a browser window from a script unless you created it by scripting in the first place. You can't hide the address bar in a pop-up window any more. And DHTML scriptlets are disabled by default (although users can turn them back on from the control panel).

There aren't many sites left using the weaker SSL 2.0; IE 7 won't support this, so now is a good time to switch to SSL 3.0 or Transport Layer Security (TLS). Virtual HTTPS hosting (with TLS Server Name Indication) is supported, but only in Vista. IE 7 also blocks sites with expired or revoked certificates, and where the certificate doesn’t match your URL (so you can’t use the certificate for www.mydomain.com on secure.mydomain.com, say, unless you have a wildcard *.mydomain.com certificate). And if you're only using base64 encoding to protect usernames and passwords, your users will see a warning that this is insecure.

If you mix secure and insecure content on a page, instead of seeing a dialog box that everyone turns off straight away, the content delivered by HTTP will be blocked until the user allows it from the InfoBar. This helps ensure that everything on the login page comes from your secure server and there are no links that could send users to a malicious secure server instead - all the lock icon proves is that you have a secured connection, not who you're connected to.

IE 7 will also support higher assurance SSL certificates when the standard is finalised, turning the address bar green to show you're using a certificate that's the legal equivalent of a company-approved signature. You can get a test root certificate here and try it out in IE 7 at this Microsoft demo site.

ActiveX handling has changed yet again. There are some popular ActiveX controls like Flash, Acrobat Reader and RealPlayer that will always work but, by default, ActiveX controls that are already installed on a PC will be disabled until the user allows them from the InfoBar. If they download an ActiveX control through IE 7, it won't be blocked and if they've already chosen to use an ActiveX control before they upgraded to IE 7 it won't be blocked, but you won't be able to access ActiveX controls on a user's PC without them knowing about it.

You can write to the Windows registry to pre-activate controls that are already on the PC; or to activate controls installed as part of your application (because they've been installed by software rather than a user, they'll be disabled).

Franco admits there is some risk of hackers using social engineering to reactivate a vulnerable control already on the PC, but Microsoft can block insecure controls directly. And no matter how many security improvements Microsoft makes in Internet Explorer, there isn't a security process that the determined user can't find a way to bypass. ®

Security for virtualized datacentres

More from The Register

next story
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
Not appy with your Chromebook? Well now it can run Android apps
Google offers beta of tricky OS-inside-OS tech
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
NHS grows a NoSQL backbone and rips out its Oracle Spine
Open source? In the government? Ha ha! What, wait ...?
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Intel: Hey, enterprises, drop everything and DO HADOOP
Big Data analytics projected to run on more servers than any other app
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.