Microsoft has revealed some of the security changes to its forthcoming Internet Explorer 7.0 and Windows Vista offerings - changes that could cause trouble for some websites.
SSL 2.0 gets the boot
One key change is that Explorer will disable SSL 2.0, a comparatively old version of the SSL (Secure Sockets Layer) protocol used to carry out secure web transactions. Explorer 7.0 will continue to support SSL 3.0 and will enable Transport Layer Security (TLS) 1.0, a newer protocol.
The change means that sites currently requiring SSL 2.0 will need to allow either SSL 3.0 or TLS 1.0, Microsoft said on its Internet Explorer weblog, part of the Microsoft Developer Network (MSDN).
Microsoft downplayed possible disruption caused by the change. "It's a silent improvement in security. Our research indicates that there are only a handful of sites left on the internet that require SSL 2.0," wrote IE program manager Eric Lawrence on the blog. "Adding support for SSL 3.0 or TLS 1.0 to a website is generally a simple configuration change."
SSL 2.0 was the first public version of SSL, and suffers from several well-known weaknesses. For example, it doesn't provide any protection against so-called 'man-in-the-middle' attacks, and uses the same cryptographic keys for message authentication and encryption. These and other problems have been fixed in SSL 3.0, but the older version is still supported by most browsers and is in use on some systems.
IE 7.0 will introduce some changes to the user experience, such as blocking navigation to sites with problematic security certificates. The problems include certificates issued to a hostname other than the current URL's hostname - for example, secure.example.com instead of www.example.com; the certificate issued by an untrusted root; and expired or revoked certificates.
Instead of giving the user a dialog box asking how to resolve these problems, as IE currently does, the browser will present an error page explaining the problem. The user can, however, choose to continue browsing the site, unless the certificate has been revoked, Lawrence said. If the user continues, the address bar will be coloured red as a reminder of the problem.
"Ensure that the hostnames used for your secure pages exactly match the hostname in your digital certificate," Lawrence advised.
If a page includes both secure and non-secure items, the user will no longer be initially given the option of displaying the non-secure items. Instead, only the secure items will render, and users will have to manually request that the non-secure items be rendered.
Lawrence said this could head off future types of attacks. "Very few users (or web developers) fully understand the security risks of rendering HTTP-delivered content within a HTTPS page," he wrote.
Other changes include the inclusion of AES security in Windows Vista and certificate revocation checking being enabled by default in Vista, Lawrence said.
A change to Vista's TLS implementation could cause problems for some sites. TLS will be updated to support Extensions, a feature that can cause some non-standards-compliant TLS servers to refuse connections, Lawrence said.
"If your site supports TLS, please ensure that it has a standards-compliant implementation of TLS that does not fail when extensions are present," he wrote.