Getting on the right side of IE 7 security
Like it or loathe it, you have to know about it
As Internet Explorer tries to get serious on security, you have to find out how to make sure you don't look like one of the bad guys. When it comes to security, things are rarely black and white: my handy IM Web client is your potential security hole. The issue is, who is in control: you as the site developer; or the user who owns the PC Internet Explorer is running on.
You want to get a site that looks and works the way you want; the user wants a browser that blocks phishing attacks and doesn't let sites reset the home page. IE Program Manager Rob Franco jokes about it: "My goal with IE 7 is to protect the system against the most destructive force in the universe; my brother, who believes that everything on the internet should be free and will click on anything to get it."
But protecting the naïve user from the malicious attacker can mean the blameless developer loses a feature they were relying on. Vista Beta 2 secures what's just been renamed Internet Explorer 7+ by running it in a new protected mode, which restricts the changes IE can make to the registry and the files it can update; but other security-related changes apply to IE 7 for Windows XP as well.
Take the phishing filter built into IE 7 to spot fake sites; this has already been triggered over 170,000 times during the beta, which is good news - if they're really fake banking sites or some such. But what do you do to make sure your site doesn't trip it accidentally?
To avoid making it too easy for the phishing sites, Microsoft hasn’t produced a full list of the heuristics the filter uses and as well as blocking URLs collected by security companies like Cyota and Internet Identity, it's a learning system, so the list of sites blocked will change as phishing sites evolve. If you're collecting personal information about users, secure your site with SSL and don't link to a site by the IP address rather than the URL.
From the few details in the Anti-Phishing white paper, the filter will also look for sites incorporating content or scripts from another domain. But the best approach is to test your site in IE 7 (or use the Phishing Filter add-on for the MSN Toolbar); if it is marked as a suspicious site or blocked as a malicious site, you'll see a link to report that it's not malicious. Franco promises reports from site owners will go to the top of the list for checking [but don't underestimate the potential business problems, to do with reputation and email for example, from being a "false positive" - test early and, presumably, retest at intervals - Ed].
The gopher protocol is now disabled fully, rather than just off by default; telnet is gone as well. You can't change the status bar via script for sites in the internet and restricted zones. You can't close a browser window from a script unless you created it by scripting in the first place. You can't hide the address bar in a pop-up window any more. And DHTML scriptlets are disabled by default (although users can turn them back on from the control panel).
There aren't many sites left using the weaker SSL 2.0; IE 7 won't support this, so now is a good time to switch to SSL 3.0 or Transport Layer Security (TLS). Virtual HTTPS hosting (with TLS Server Name Indication) is supported, but only in Vista. IE 7 also blocks sites with expired or revoked certificates, and where the certificate doesn’t match your URL (so you can’t use the certificate for www.mydomain.com on secure.mydomain.com, say, unless you have a wildcard *.mydomain.com certificate). And if you're only using base64 encoding to protect usernames and passwords, your users will see a warning that this is insecure.
If you mix secure and insecure content on a page, instead of seeing a dialog box that everyone turns off straight away, the content delivered by HTTP will be blocked until the user allows it from the InfoBar. This helps ensure that everything on the login page comes from your secure server and there are no links that could send users to a malicious secure server instead - all the lock icon proves is that you have a secured connection, not who you're connected to.
IE 7 will also support higher assurance SSL certificates when the standard is finalised, turning the address bar green to show you're using a certificate that's the legal equivalent of a company-approved signature. You can get a test root certificate here and try it out in IE 7 at this Microsoft demo site.
ActiveX handling has changed yet again. There are some popular ActiveX controls like Flash, Acrobat Reader and RealPlayer that will always work but, by default, ActiveX controls that are already installed on a PC will be disabled until the user allows them from the InfoBar. If they download an ActiveX control through IE 7, it won't be blocked and if they've already chosen to use an ActiveX control before they upgraded to IE 7 it won't be blocked, but you won't be able to access ActiveX controls on a user's PC without them knowing about it.
You can write to the Windows registry to pre-activate controls that are already on the PC; or to activate controls installed as part of your application (because they've been installed by software rather than a user, they'll be disabled).
Franco admits there is some risk of hackers using social engineering to reactivate a vulnerable control already on the PC, but Microsoft can block insecure controls directly. And no matter how many security improvements Microsoft makes in Internet Explorer, there isn't a security process that the determined user can't find a way to bypass. ®
Sponsored: Protecting mobile certificates