Getting on the right side of IE 7 security

Like it or loathe it, you have to know about it

As Internet Explorer tries to get serious about security, you need to find out how to make sure your site doesn't look like one of the bad guys. When it comes to security, things are rarely black and white: my handy IM web client is your potential security hole. The issue is who is in control: you as the site developer, or the user who owns the PC that Internet Explorer is running on.

You want to get a site that looks and works the way you want; the user wants a browser that blocks phishing attacks and doesn't let sites reset the home page. IE Program Manager Rob Franco jokes about it: "My goal with IE 7 is to protect the system against the most destructive force in the universe; my brother, who believes that everything on the internet should be free and will click on anything to get it."

But protecting the naïve user from the malicious attacker can mean the blameless developer loses a feature they were relying on. Vista Beta 2 secures what has just been renamed Internet Explorer 7+ by running it in a new Protected Mode, which restricts which registry keys and files IE is allowed to write to; the other security-related changes described here apply to IE 7 on Windows XP as well.

Take the phishing filter built into IE 7 to spot fake sites; this has already been triggered over 170,000 times during the beta, which is good news - if they're really fake banking sites or some such. But what do you do to make sure your site doesn't trip it accidentally?

To avoid making it too easy for the phishing sites, Microsoft hasn't published the full list of heuristics the filter uses. As well as blocking URLs collected by security companies such as Cyota and Internet Identity, it is a learning system, so the list of blocked sites will change as phishing sites evolve. If you collect personal information from users, serve those pages over SSL, and link to your site by hostname rather than by IP address: a raw IP address in a URL is one of the classic signs of a phishing page.

From the few details in the anti-phishing white paper, the filter also looks for sites that incorporate content or scripts from another domain. But the best approach is to test your site in IE 7 (or use the Phishing Filter add-on for the MSN Toolbar); if it is marked as a suspicious site or blocked as a malicious site, you'll see a link to report that it's not malicious. Franco promises that reports from site owners will go to the top of the list for checking [but don't underestimate the potential business problems, to do with reputation and email for example, of being a "false positive" - test early and, presumably, retest at intervals - Ed].

The gopher protocol is now disabled completely, rather than just off by default, and telnet: URLs are gone as well. Script can no longer change the status bar text for sites in the Internet and Restricted Sites zones, so a page can't disguise where a link really goes. A script can't close a browser window unless it opened that window with window.open in the first place. You can't hide the address bar in a pop-up window any more. And DHTML scriptlets are disabled by default (although users can turn them back on from the control panel).

There aren't many sites left that only support the weaker SSL 2.0; IE 7 has it disabled by default (with TLS 1.0 turned on instead), so now is a good time to make sure your server offers SSL 3.0 or Transport Layer Security (TLS). Virtual HTTPS hosting, using TLS Server Name Indication (SNI) so that several HTTPS sites can share one IP address, is supported, but only on Vista. IE 7 also blocks sites whose certificate has expired or been revoked, or whose certificate doesn't match the hostname in the URL (so you can't use the certificate issued for www.mydomain.com on secure.mydomain.com, say, unless you have a wildcard *.mydomain.com certificate). And if you rely on HTTP Basic authentication over a plain HTTP connection, where the username and password are only base64-encoded rather than encrypted, your users will see a warning that this is insecure.
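The certificate-name rule above is the one that catches most site owners out, so here is the matching logic spelled out. This is an added example, not code from the article or from Microsoft: it applies the wildcard rules of RFC 2818 / RFC 6125 that browsers generally follow (case-insensitive comparison, a wildcard only as the complete leftmost label, matching exactly one label), rather than any documented detail of IE 7's own implementation. The certificate objects and hostnames are constructed for the example.

```javascript
// Added example (not from the article): does a certificate name cover the
// hostname in the URL? Follows the RFC 2818 / RFC 6125 wildcard rules, which
// is an assumption about browser behaviour in general, not a description of
// IE 7's internals.
function certNameMatchesHost(certName, host) {
  const name = certName.trim().toLowerCase().replace(/\.$/, "");
  const target = host.trim().toLowerCase().replace(/\.$/, "");
  if (!name || !target) return false;

  // No wildcard: the names must be identical (after case folding).
  if (!name.includes("*")) return name === target;

  const nameLabels = name.split(".");
  const hostLabels = target.split(".");

  // Only the whole leftmost label may be a wildcard, and at least two real
  // labels must follow it, so "*.com" or a bare "*" never match anything.
  if (nameLabels[0] !== "*" || nameLabels.length < 3) return false;
  if (nameLabels.slice(1).some((label) => label.includes("*"))) return false;

  // The wildcard stands for exactly one label: *.mydomain.com covers
  // secure.mydomain.com but neither mydomain.com nor a.b.mydomain.com.
  if (hostLabels.length !== nameLabels.length) return false;
  for (let i = 1; i < nameLabels.length; i++) {
    if (nameLabels[i] !== hostLabels[i]) return false;
  }
  return true;
}

// A certificate may carry several names: the subject CN plus any dNSName
// entries in subjectAltName. The host is covered if any one of them matches.
function certCoversHost(cert, host) {
  const names = [cert.commonName, ...(cert.subjectAltNames || [])].filter(Boolean);
  return names.some((n) => certNameMatchesHost(n, host));
}

// Constructed sample certificates for the cases the article mentions.
const wwwOnlyCert = { commonName: "www.mydomain.com", subjectAltNames: [] };
const wildcardCert = { commonName: "*.mydomain.com", subjectAltNames: [] };
const sanCert = {
  commonName: "www.mydomain.com",
  subjectAltNames: ["secure.mydomain.com"],
};

// Prints false, true, true: the www-only certificate does not cover
// secure.mydomain.com, while the wildcard or a SAN entry does.
console.log(certCoversHost(wwwOnlyCert, "secure.mydomain.com"));
console.log(certCoversHost(wildcardCert, "secure.mydomain.com"));
console.log(certCoversHost(sanCert, "secure.mydomain.com"));
```

The subjectAltName route is worth knowing as an alternative to a wildcard: a single certificate listing www.mydomain.com and secure.mydomain.com as dNSNames covers both hosts without matching every other subdomain.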

If you mix secure and insecure content on a page, then instead of the dialog box that everyone turns off straight away, the content delivered over HTTP is blocked until the user allows it from the InfoBar. This is a good prompt to check that everything on your login page comes from your secure server, and that there are no links or form targets that could send users to a malicious secure server instead: all the lock icon proves is that the connection is encrypted, not who is at the other end of it.
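Rather than waiting for the InfoBar to tell your users, you can scan a page for the problems above before it ships. The following is an added example, not code from the article or from Microsoft: a deliberately simple attribute scan (a regular expression over tags, not a full HTML parser) that, given the page's own HTTPS URL, lists sub-resources that would be fetched over plain HTTP, forms that would post credentials over HTTP, and links or form targets that leave the secure origin for a different HTTPS host. The login page HTML is constructed for the example.

```javascript
// Added example (not from the article): find mixed content and off-origin
// targets in a page served over HTTPS. The regexes are an assumption that the
// markup is reasonably well formed; they are not a substitute for a parser.
function resolveUrl(raw, pageUrl) {
  try {
    return new URL(raw, pageUrl);
  } catch (_err) {
    return null; // javascript:, malformed values and the like are skipped
  }
}

function scanMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  const attrRe = /\b(src|href|action|data)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const [, tagName, attrs] = tag;
    let attr;
    while ((attr = attrRe.exec(attrs)) !== null) {
      const attrName = attr[1].toLowerCase();
      const raw = attr[3] ?? attr[4] ?? attr[5];
      const url = resolveUrl(raw, pageUrl);
      if (!url) continue;
      // src/data, and href on <link>, are loaded into the page: that is what
      // IE 7 blocks when it arrives over HTTP.
      const isSubresource =
        attrName === "src" || attrName === "data" ||
        (tagName.toLowerCase() === "link" && attrName === "href");
      const entry = { tag: tagName, attr: attrName, url: url.href };
      if (isSubresource) {
        if (url.protocol === "http:") findings.push({ kind: "mixed", ...entry });
      } else if (attrName === "action") {
        // A login form posting over HTTP leaks the credentials in the clear.
        if (url.protocol !== "https:") findings.push({ kind: "insecure-form", ...entry });
        else if (url.host !== page.host) findings.push({ kind: "offsite-https", ...entry });
      } else {
        // Ordinary links: IE does not block them, but on a login page a link
        // to some other secure host is exactly the lock-icon trap.
        if (url.protocol === "http:") findings.push({ kind: "insecure-link", ...entry });
        else if (url.protocol === "https:" && url.host !== page.host) {
          findings.push({ kind: "offsite-https", ...entry });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: a login page on https://secure.mydomain.com/login.
const SAMPLE_LOGIN_PAGE = `
<html><head>
<link rel="stylesheet" href="http://static.mydomain.com/login.css">
<script src="/js/login.js"></script>
</head><body>
<img src="https://cdn.mydomain.com/logo.png">
<img src='http://www.mydomain.com/banner.gif'>
<form action="http://www.mydomain.com/login" method="post"></form>
<a href="https://secure.other-bank.example/">Partner login</a>
<a href="mailto:help@mydomain.com">Help</a>
</body></html>`;

const findings = scanMixedContent(SAMPLE_LOGIN_PAGE, "https://secure.mydomain.com/login");
for (const f of findings) {
  console.log(`${f.kind}: <${f.tag} ${f.attr}> ${f.url}`);
}
```

Run against the sample page this reports the stylesheet and the banner image as mixed content, the form as posting over HTTP, and the partner link as leaving the origin; the relative script URL, the HTTPS image on the CDN and the mailto: link are left alone.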

IE 7 will also support higher-assurance SSL certificates (the Extended Validation standard) once it is finalised, turning the address bar green to show you're using a certificate that's the legal equivalent of a company-approved signature. Microsoft provides a test root certificate and a demo site so you can try it out in IE 7.

ActiveX handling has changed yet again. A few popular controls such as Flash, Acrobat Reader and RealPlayer will always work but, by default, other ActiveX controls that are already installed on a PC are disabled until the user allows them from the InfoBar. A control the user downloads through IE 7 isn't blocked, and neither is one they had already chosen to use before upgrading to IE 7, but you can no longer instantiate an ActiveX control on a user's PC without them knowing about it.

You can write to the Windows registry to pre-approve controls that are already on the PC, or to approve controls installed as part of your own application (because they were installed by an installer rather than chosen by the user in the browser, they start out disabled). IE 7 keeps this list under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved, with one subkey per control CLSID.

Franco admits there is some risk of attackers using social engineering to get users to reactivate a vulnerable control already on the PC, but Microsoft can block insecure controls directly. And no matter how many security improvements Microsoft makes in Internet Explorer, there isn't a security process that the determined user can't find a way to bypass. ®
