IE7's security boost

Internet Explorer’s reputation for secure web browsing has taken a veritable bashing over the past few years. This, coupled with the success of Mozilla’s Firefox browser, which has been based largely on the belief that the open source browser is more secure, has stung Microsoft into action. (The controversy surrounding Symantec’s rebuttal of Firefox’s security claims is for another time.)

Microsoft is now working hard on the next version of its browser software, Internet Explorer 7, and a recent posting on Microsoft’s official development blog has revealed how IE7 will boost security by using stronger encryption.

The changes concern the way Internet Explorer 7 (IE7) will handle HTTPS, which is used, particularly in ecommerce, to ensure Internet traffic is protected from snooping and tampering.

Internet Explorer 7 will drop the SSLv2 (Secure Sockets Layer) protocol and use the stronger TLSv1 (Transport Layer Security) as the default HTTPS protocol setting. TLS currently exists only as an option in IE6.

Microsoft believes the impact on website owners should be minimal as only a "handful of sites left on the internet require SSLv2", according to Eric Lawrence, an IE program manager. "Adding support for SSLv3 or TLSv1 to a website is generally a simple configuration change," he continued.

The change fits nicely with Microsoft’s “secure by default” software design ambitions, but what changes will users notice in the way IE7 handles security problems?

Lawrence says IE7 will block users from navigating to HTTPS sites that have untrusted, expired or revoked certificates. Upon encountering a certificate problem, IE7 will present an error page that explains the problem with the digital certificate.

Lawrence says you will be able to choose to ignore the warning (although this choice will not be available if the certificate is revoked), but the address bar will floodfill with red to serve as a persistent notification of the problem.

In addition, you will no longer have the option of viewing both secure and nonsecure items on an HTTPS page, something Microsoft points out is a security risk because the user has no way of knowing which parts of the page were delivered securely and which were not.
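
For site owners, the practical consequence is that an HTTPS page should not reference anything over plain HTTP. The sketch below is an added example, not code from Microsoft or the original article: it lists the subresources an HTTPS page would fetch insecurely, using a constructed sample page with placeholder hostnames.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource for the page.
# <a href> is navigation rather than page content, so it is not listed.
FETCHING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "frame": "src",
                  "embed": "src", "object": "data", "link": "href"}

class MixedContentAuditor(HTMLParser):
    """Collects subresources an HTTPS page would load over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.insecure = []  # (tag, resolved URL) pairs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base href> changes how later relative URLs resolve.
            self.base = urljoin(self.base, attrs["href"].strip())
            return
        value = attrs.get(FETCHING_ATTRS.get(tag, ""))
        if not value:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # e.g. rel="canonical" is metadata, nothing is fetched
        url = urljoin(self.base, value.strip())  # resolves relative and //host forms
        if urlsplit(url).scheme == "http":
            self.insecure.append((tag, url))

def find_mixed_content(page_url, html):
    """Return the insecure subresources of an HTTPS page; [] for non-HTTPS pages."""
    if urlsplit(page_url).scheme != "https":
        return []
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    return auditor.insecure

# Constructed sample page (hostnames are placeholders).
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<head><link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://shop.example/checkout">
<script src="http://cdn.example/analytics.js"></script></head>
<body><img src="//img.example/logo.png"><img src="http://img.example/banner.png">
<a href="http://shop.example/help">Help</a>
<iframe src="https://pay.example/form"></iframe></body>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"insecure <{tag}>: {url}")
```

Protocol-relative (`//host/...`) and relative URLs inherit the page's scheme, so only the explicit `http://` script and image are reported for the sample page.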

Of course, technology is not a panacea for phishing and the other ills of the Internet. More users are learning to look for the padlock icon and https in the web address, but phishers are cunning people. Just because a web connection is secure does not guarantee that a transaction taking place over that connection will be safe.

That’s why campaigns such as the UK government’s Get Safe Online campaign also have a vital role in helping users stay safe online.