[ news_security_news ]
Microsoft IE 7 Bids For Security
David Utter
Staff Writer
2006-05-26
 Insider Reports RSS Feed
A number of security changes in Internet Explorer 7 beta 2 demonstrate how Microsoft developers have tried to address those concerns.
Microsoft detailed some of those changes in a check list for IT pros, as well as for other users of its newest version of Internet Explorer beta 2.
SSL 2.0 support has been turned off in the IE 7 browser, and support for HTML scriptlets is off by default. Also, sites that use HTTPS to deliver secure content must deliver a valid certificate for their DNS names.
IE 7 no longer allows for HTTP content to be contained in an HTTPS page. The IE blog spelled out potential problems for allowing that mixed content on a page:
For one thing, it's impossible for the user to tell what parts of the page were delivered securely, and what parts were not. And worse, if a man-in-the-middle can rewrite the HTTP traffic, he can, for instance, rewrite the HTTPS page using standard DHTML. Or, he can scan the page for any information of interest (e.g. a credit card number) and POST that data to a server he controls. Using HTTP-delivered resources on a HTTPS-delivered page pokes holes in your secure channel. Don't do it.
Microsoft integrated its Phishing Filter into IE 7. This tool detects suspicious websites and warns the user that the site could be unsafe, or is on Microsoft's list of unsafe sites. Developers will want to verify their legitimate applications do not trigger the filter.
---
Tags: Microsoft, IE 7, Security
Add to  Del.icio.us |  Digg |  Yahoo! My Web |  Furl
Get all the updates in RSS: 
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.
More news_security_news Articles
Insider Reports RSS Feed
|
|
iEntry 10th Anniversary
RSS
Archive
