Microsoft has revealed some of the security changes to the upcoming Internet Explorer 7 and Windows Vista -- changes that
could cause trouble for some Web sites.
One key change is that Explorer will disable SSLv2, an older version of the SSL (Secure Sockets Layer) protocol. SSL is used
to carry out secure Web transactions. In its place, Explorer 7 will continue to support SSLv3 and will enable Transport Layer
Security (TLS) v1, a newer protocol.
The change means that sites currently requiring SSLv2 will need to allow either SSLv3 or TLSv1, Microsoft said on its Internet
Explorer Weblog, part of the Microsoft Developer Network (MSDN).
Microsoft downplayed the possible disruption caused by the change. "It's a silent improvement in security. Our research indicates
that there are only a handful of sites left on the Internet that require SSLv2," wrote IE program manager Eric Lawrence on
the blog. "Adding support for SSLv3 or TLSv1 to a website is generally a simple configuration change."
SSLv2 was the first public version of SSL, and suffers from several well-known weaknesses -- for example, it doesn't provide
any protection against man-in-the-middle attacks during the handshake, and uses the same cryptographic keys are used for message
authentication and for encryption. These and other problems have been fixed in SSLv3, but the older version is still supported
by most browsers and is in use on some systems.
IE 7 will introduce some changes to the user experience, including blocking navigation to sites with problematic security
certificates. The problems include certificates issued to a hostname other than the current URL's hostname - for example,
secure.example.com instead of www.example.com; the certificate issued by an untrusted root; and expired or revoked certificates.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
