Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » IE 7 security changes

IE 7 security changes

by Nikola Strahija on October 25th, 2005 Some websites might experience trouble with Internet Explorer 7 and Windows Vista, and their security changes.


One of the changes is disabled SSLv2 protocol in Explorer, which is used to carry out secure Web transactions. Instead, Explorer 7 will support SSLv3 and will enable Transport Layer Security (TLS) v1, a newer protocol. The change means that sites currently requiring SSLv2 will need to allow either SSLv3 or TLSv1.

-It's a silent improvement in security. Our research indicates that there are only a handful of sites left on the Internet that require SSLv2, wrote IE programme manager Eric Lawrence on the blog. ---Adding support for SSLv3 or TLSv1 to a website is generally a simple configuration change.

Explorer 7 will also block navigation to sites with problematic security certificates. The problems include certificates issued to a hostname other than the current URL's hostname, the certificate issued by an untrusted root and expired or revoked certificates.

Instead of giving the user a dialogue box asking how to resolve these problems, as Explorer currently does, the browser will present an error page explaining the problem. The user can choose continue to browse the site. If the user continues on, the address bar will be coloured red as a reminder of the problem.

If a page includes both secure and non-secure items, the user will no longer be initially given the option of displaying the non-secure items. Instead, only the secure items will render, and users will have to manually request that the nonsecure items be rendered.

Lawrence said this could head off future types of attacks. -Very few users (or Web developers) fully understand the security risks of rendering HTTP-delivered content within a HTTPS page, Lawrence wrote.

Other changes include the inclusion of AES security in Windows Vista and certificate revocation checking being enabled by default in Vista, Lawrence said.

A change to Vista's Transport Layer Security (TLS) implementation could cause problems for some sites. TLS will be updated to support Extensions, a feature that can cause some non-standards-compliant TLS servers to refuse connections, Lawrence said.

-If your site supports TLS, please ensure that it has a standards-compliant implementation of TLS that does not fail when extensions are present, he wrote.


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »