There’s something about using the words Security and Internet Explorer in the same sentence that tends to make administrators want to laugh. Perhaps it’s the fact that prior to Windows XP Service Pack 2, security in Internet Explorer 6 was pretty much nonexistent. Windows XP Service Pack 2 took care of some of Internet Explorer’s security issues, but security was still mediocre at best. In Internet Explorer 7, though, Microsoft seems to have addressed many of the security issues that have plagued Internet Explorer for the last decade. Of course, only time will tell if Internet Explorer 7 is really secure or not, but in this article I want to introduce you to some of the new Internet Explorer security features.
Goodbye to SSL 2.0
In Internet Explorer 6, when a user visits a site that requires HTTPS encryption, the browser uses SSL 2.0 to encrypt the session by default, but the user has the option of manually switching to TLS instead, which is more secure. In Internet Explorer 7, Microsoft will no longer support SSL 2.0. This means that some Web sites will have to be recoded, but many industry analysts speculate that there aren’t many Web sites that absolutely require SSL 2.0 and do not support TLS.
Secure By Default?
Another HTTPS-related change involves the way that Internet Explorer responds when it encounters a Web page that is delivered over HTTPS but also contains HTTP content. When Internet Explorer 6 encounters such a page, it asks the user if they would like to display both secure and insecure items on the page. Since most users don’t fully understand the potential consequences of displaying insecure data within a secure Web page, Internet Explorer 7 will do away with this option and will only display secure content within pages being accessed via HTTPS.
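A site owner can find such content before the browser drops it. The following is an added example, not code from this article or from Microsoft: it lists the subresources that an HTTPS page would load over plain HTTP. The sample page, its host names and the function name findInsecureContent are constructed for illustration.

```javascript
// Constructed sample page; all host names are placeholders.
const SAMPLE_PAGE = `
<html><head>
  <link rel="stylesheet" href="https://shop.example/site.css">
  <script src="http://cdn.example/tracker.js"></script>
</head><body>
  <img src="/logo.png">
  <img src="http://ads.example/banner.gif">
  <a href="http://other.example/">plain link, only followed on click</a>
  <iframe src="//frames.example/widget"></iframe>
</body></html>`;

// Tags whose URL is fetched automatically while the page renders.
const SUBRESOURCE =
  /<(script|img|iframe|link|embed)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;

function findInsecureContent(pageUrl, html) {
  const base = new URL(pageUrl);
  // Only a page that is itself served over HTTPS can contain "mixed" content.
  if (base.protocol !== "https:") return [];
  const findings = [];
  for (const [, tag, ref] of html.matchAll(SUBRESOURCE)) {
    let resolved;
    try {
      // Relative and protocol-relative references inherit the page's scheme.
      resolved = new URL(ref, base);
    } catch {
      continue; // unparsable reference, nothing to fetch
    }
    if (resolved.protocol === "http:") {
      findings.push({ tag: tag.toLowerCase(), url: resolved.href });
    }
  }
  return findings;
}

for (const f of findInsecureContent("https://shop.example/checkout", SAMPLE_PAGE)) {
  console.log(`insecure <${f.tag}>: ${f.url}`);
}
```

The relative image and the protocol-relative frame are not reported because they resolve to HTTPS; the ordinary hyperlink is not reported because it is not loaded as part of the page.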
Security Zone Changes
For years now, Internet Explorer has supported the use of security zones. The idea behind security zones is that some Web sites are more trustworthy than others. For example, if you have a corporate Intranet set up, you probably fully trust your own server not to be feeding your workstations malicious content. However, you probably don’t trust most random Web sites.
Because of this, Microsoft created security zones. There are four of them: Internet, local Intranet, trusted sites, and restricted sites. The basic idea is that a Web site can be classified as belonging to one of these four zones, and Internet Explorer will limit its permissions accordingly. For example, if a site is placed into the restricted sites zone, the user can visit the site, but Internet Explorer won’t attempt to install ActiveX controls from the site and will not run any scripts that might exist on the site. On the other hand, if a site is listed as being a part of the local Intranet, there are fewer restrictions placed on it. There are a few restrictions regarding the use of ActiveX controls (particularly unsigned ActiveX controls), but aside from that the site is free to execute without hindrance from the browser.
There is one major change to the way that zones work in Internet Explorer 7. One of the summer interns at Microsoft came up with the idea that most home users don’t have an Intranet in place and that the Intranet zone should be removed. The reasoning behind this is that the local Intranet zone is an area in which approved Web sites can run with fewer restrictions. Since most home users don’t have a local Intranet, the local Intranet zone isn’t really serving a purpose other than to act as a place where malicious Web sites could potentially execute with fewer restrictions.
Microsoft liked the idea and designed Internet Explorer 7 so that it checks to see if the user’s computer is connected to a domain. If the computer is a part of a domain, then the local Intranet zone works the same way that it always has. If it isn’t a part of a domain though, then Internet Explorer assumes that the machine belongs to a home user and disables the local Intranet zone.
One of the best new security features in Internet Explorer 7 is the phishing filter. Phishing has become a huge problem over the last couple of years. There are a wide variety of phishing scams out there, but one of the most common involves fraudulent E-mail messages. Typically, the person who is performing the phishing scam will send out an E-mail message that appears to be from your bank and asks you to log into your account for some reason (usually to verify that your balance is correct). The E-mail will then contain a link to your bank’s Web site.
On the surface, the Web link looks perfectly legitimate, but the E-mail message is designed so that the site that the link actually connects to is not the same site as the link displays. For example, the link might look like http://www.mybank.com, but the actual underlying code would take you to http://126.96.36.199 instead. The IP address that the link takes you to would then be a Web server that is set up to look and feel exactly like your bank’s Web server. This Web server’s job is to present you with a login prompt. When you log in, the site logs (steals) your account number and password, and then redirects you to your bank’s real Web site. Most of the time, users simply think that they have typed in their password incorrectly, and never realize that they have just handed over their account number and password to a thief until their account gets cleaned out.
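The mismatch between what a link displays and where it points can be checked mechanically, for instance in a mail gateway. The following is an added example, not code from this article: it flags anchors whose visible text is an address on one host while the href points to another. The sample message, the 192.0.2.15 documentation address and the function names are constructed for illustration.

```javascript
// Constructed e-mail body; 192.0.2.15 is a reserved documentation address.
const SAMPLE_EMAIL = `
<p>Please log in to verify that your balance is correct:</p>
<a href="http://192.0.2.15/login">http://www.mybank.com</a>
<a href="http://www.mybank.com/help">http://www.mybank.com/help</a>
<a href="http://news.example/">Read our newsletter</a>`;

const ANCHOR = /<a\b[^>]*?\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Host name of an absolute URL, or null when it cannot be parsed.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null;
  }
}

function findDeceptiveLinks(html) {
  const findings = [];
  for (const [, href, inner] of html.matchAll(ANCHOR)) {
    // Visible text with any nested markup removed.
    const shown = inner.replace(/<[^>]+>/g, "").trim();
    // Only text that itself looks like an address claims a destination.
    if (!/^(https?:\/\/|www\.)\S+$/i.test(shown)) continue;
    const shownHost = hostOf(/^https?:\/\//i.test(shown) ? shown : "http://" + shown);
    const realHost = hostOf(href);
    if (shownHost && realHost && shownHost !== realHost) {
      // A bare IP address behind a named link is the pattern described above.
      findings.push({ shownHost, realHost, rawIp: IPV4.test(realHost) });
    }
  }
  return findings;
}

for (const f of findDeceptiveLinks(SAMPLE_EMAIL)) {
  console.log(`shows ${f.shownHost} but goes to ${f.realHost} (raw IP: ${f.rawIp})`);
}
```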
The phishing filter is designed to protect against this sort of activity. Assuming that you have chosen to enable the phishing filter, it will analyze any URLs that you visit to make sure that they are legitimate Web sites and not phishing sites.
For example, suppose that you clicked on a link in an E-mail that took you to http://188.8.131.52/result.aspx?id=4. The first thing that the phishing filter would do is to strip off the question mark and anything following it. In ASP, the question mark is used as a mechanism for passing variables from one Web page to another. Since these variables could potentially contain personal information and do nothing to prove or disprove the site’s legitimacy, they are stripped away. In this case, that would leave the URL string http://188.8.131.52/result.aspx.
The phishing filter will then compare this URL against a list of sites that are known to be legitimate. In this case, the URL looks suspiciously like a phishing site, but in actuality it is simply using an IP address rather than a domain name to go to MSN. Since MSN is a legitimate site, this URL would be OK. If this URL were not listed as a legitimate site, though, the phishing filter would use a list of known phishing sites and, if necessary, some heuristic techniques to determine whether or not the site was legitimate. Once the filter has made a determination as to the site’s authenticity, the user will see a message warning that this is a known phishing site, a warning that this might be a phishing site, or, if the site is legitimate, nothing out of the ordinary.
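The order of checks described above, written out as an added example; it is not Microsoft’s implementation and not code from this article. The two lists hold constructed entries using reserved documentation addresses, exact string matching on the stripped URL is an assumption, and the heuristics in looksSuspicious are hypothetical stand-ins, since the article does not say which heuristics the filter uses.

```javascript
// Constructed lists (assumption: entries are compared as exact stripped URLs).
const KNOWN_LEGITIMATE = new Set([
  "http://198.51.100.7/result.aspx", // a legitimate site reached by IP address
  "https://www.mybank.com/login.aspx",
]);
const KNOWN_PHISHING = new Set(["http://203.0.113.9/login.aspx"]);

// Step 1: drop the question mark and everything after it, so that
// variables in the URL are never part of the lookup.
function stripQuery(url) {
  const q = url.indexOf("?");
  return q === -1 ? url : url.slice(0, q);
}

// Hypothetical heuristics, used only when neither list knows the URL.
function looksSuspicious(stripped) {
  let host;
  try {
    host = new URL(stripped).hostname;
  } catch {
    return true; // not a parsable URL
  }
  const rawIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  const hasUserInfo = /^[a-z][a-z0-9+.-]*:\/\/[^/]*@/i.test(stripped);
  return rawIp || hasUserInfo;
}

// Steps 2-4: legitimate list, then phishing list, then heuristics.
function classify(url) {
  const stripped = stripQuery(url);
  if (KNOWN_LEGITIMATE.has(stripped)) return { stripped, verdict: "no-warning" };
  if (KNOWN_PHISHING.has(stripped)) return { stripped, verdict: "known-phishing" };
  const verdict = looksSuspicious(stripped) ? "suspected-phishing" : "no-warning";
  return { stripped, verdict };
}

for (const url of [
  "http://198.51.100.7/result.aspx?id=4",
  "http://203.0.113.9/login.aspx?acct=1234",
  "http://192.0.2.77/verify.aspx?x=1",
]) {
  const r = classify(url);
  console.log(`${r.stripped} -> ${r.verdict}`);
}
```

The first URL is an IP-address link that would trip the heuristics, but it never reaches them because the legitimate list is consulted first, which is the situation the MSN example describes.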
Only time will tell if Internet Explorer 7 is really secure or not. At the moment, Internet Explorer 7 and Windows Vista are still in beta testing, so they have not really been exposed to the scrutiny that Internet Explorer 6 has been. I have seen a few unconfirmed reports of people being able to exploit weaknesses in Internet Explorer 7, but even if those reports are true, Internet Explorer 7 is still in beta testing and there are bound to be some bugs.