Microsoft outlines Explorer 7 security changes

Microsoft has revealed some of the security changes to the upcoming Internet Explorer 7 and Windows Vista -- changes that could cause trouble for some Web sites.

One key change is that Explorer will disable SSLv2, an older version of the SSL (Secure Sockets Layer) protocol. SSL is used to carry out secure Web transactions. In its place, Explorer 7 will continue to support SSLv3 and will enable Transport Layer Security (TLS) v1, a newer protocol.

The change means that sites currently requiring SSLv2 will need to allow either SSLv3 or TLSv1, Microsoft said on its Internet Explorer Weblog, part of the Microsoft Developer Network (MSDN).

Microsoft downplayed the possible disruption caused by the change. "It's a silent improvement in security. Our research indicates that there are only a handful of sites left on the Internet that require SSLv2," wrote IE program manager Eric Lawrence on the blog. "Adding support for SSLv3 or TLSv1 to a website is generally a simple configuration change."

SSLv2 was the first public version of SSL, and suffers from several well-known weaknesses -- for example, it doesn't provide any protection against man-in-the-middle attacks during the handshake, and uses the same cryptographic keys are used for message authentication and for encryption. These and other problems have been fixed in SSLv3, but the older version is still supported by most browsers and is in use on some systems.

IE 7 will introduce some changes to the user experience, including blocking navigation to sites with problematic security certificates. The problems include certificates issued to a hostname other than the current URL's hostname - for example, secure.example.com instead of www.example.com; the certificate issued by an untrusted root; and expired or revoked certificates.

Instead of giving the user a dialog box asking how to resolve these problems, as IE currently does, the browser will present an error page explaining the problem. The user can, however, choose continue to browse the site, unless the certificate has been revoked, Lawrence said. If the user continues on, the address bar will be colored red as a reminder of the problem.

"Ensure that the hostnames used for your secure pages exactly match the hostname in your digital certificate," Lawrence advised.

If a page includes both secure and non-secure items, the user will no longer be initially given the option of displaying the non-secure items. Instead, only the secure items will render, and users will have to manually request that the nonsecure items be rendered.

Lawrence said this could head off future types of attacks. "Very few users (or Web developers) fully understand the security risks of rendering HTTP-delivered content within a HTTPS page," he wrote.

Other changes include the inclusion of AES security in Windows Vista and certificate revocation checking being enabled by default in Vista, Lawrence said.

A change to Vista's Transport Layer Security (TLS) implementation could cause problems for some sites. TLS will be updated to support Extensions, a feature that can cause some non-standards-compliant TLS servers to refuse connections, Lawrence said.

"If your site supports TLS, please ensure that it has a standards-compliant implementation of TLS that does not fail when extensions are present," he wrote.