IE7 at RSA San Francisco
Back in November, we announced our intention to bring Extended Validation SSL Certificates to IE7. This week at RSA we’ve announced that IE7’s EV SSL support is now live! Many Certification Authorities (CAs), including VeriSign, CyberTrust, Entrust and GoDaddy, are already issuing EV SSL Certificates. We are already seeing businesses such as eBay, PayPal, Charles Schwab, Overstock.com , French Soaps and Stardock) beginning to use EV to offer verified identity information to their users. I recently read a Gartner Inc. survey that discovered nearly $2 billion were lost in e-commerce sales in 2006 due to security concerns – we certainly hope that IE7 and EV will help to reduce that number.
As EV enters the mainstream, users will need to find out more about these new certificates and how to use them when navigating the internet. We have posted new information on Extended Validation SSL (and FAQ), a tutorial on how to use the information presented in the Security Status Bar, and updated our online safety and identity theft guidance to take EV into account. Website owners who want to offer EV will be interested in our IE7 EV Implementation Guide.
Two years ago, Bill Gates announced IE7 at RSA highlighting the Phishing Filter as one of its major features. Today, at RSA, we reported updated results on the Phishing Filter. Since IE7 launched in October, the Phishing Filter has blocked more than 10 million attempts to visit known phishing websites – and is currently experiencing a rate of over 1 million blocks a week. IE7 users and our data providers are adding nearly 10,000 Phishing sites every week to help protect our community of users.
In addition to the 3 Sharp LLC analysis we commissioned a while back, Carnegie-Mellon University’s Dr. Lorrie Cranor and her colleagues updated their independent, comparative study on anti-phishing toolbar accuracy last month, confirming that the Phishing Filter in IE7 is one of the most accurate anti-phishing technologies they tested. It was the only one that consistently caught more than 60% of phishing sites while having the lowest possible rates of incorrect ratings (otherwise known as false positives) .
We are continuing to improve the phishing filter. At RSA we announced 4 new Phishing Filter data providers: the Australian Computer Emergency Response Team (AusCERT), BrandProtect, MySpace.com, and Netcraft’s data from their anti-phishing toolbar (both IE and Firefox) . Together with our current partners (Cyveillance, Digital Resolve, Internet Identity, Mark Monitor, RSA) and our IE7 users, who continue to report great leads to us, we hope this will continue to improve the effectiveness of our Phishing Filter.
If you are at RSA, make sure and check out the IE Pod (#16) in the Microsoft booth (#1208).
Jeremy Dallman
IE Program Manager
Comments
Anonymous
February 06, 2007
@ Jeremy Dallman Have you ever noticed how IE7 no longer provides you any information about an untrusted certificate (ie: self-signed) before accepting it ? File -> Properties -> Certificates = Error message saying no certificate is present.Anonymous
February 06, 2007
@ Jeremy Dallman (Sorry for the double post) It would also seem that if you install the 'bad' certificate the bar stays red until you restart IE7?Anonymous
February 06, 2007
The comment has been removedAnonymous
February 06, 2007
As I have noted a couple of times over the past couple of days, IE7 Extended Validation has gone live:Anonymous
February 06, 2007
Strange, my address bar doesn't turn green when visiting those sites, not even when I turn on the automatic phishing filter. In fact, when I visit the Woodgrove Bank demonstration site, it turns red, because I haven't accepted the certificate authority. Is this normal behavior - I seem to recall Extended Validation not being enabled yet, but I thought it would be fully functioning in february 2007? What error am I making? The certificate does say "Extended Validation" in it.Anonymous
February 06, 2007
TMaster: I assume you're using Windows XP? Try visiting https://www.verisign.com first.Anonymous
February 06, 2007
Since we have downloaded the new EI7 last year there is just trouble - error msgs, pages not responding, everything is slow. on our other laptop we kept the EI6 and all is perfect. can we go back from EI 7 to EI 6 on our PC? thank youAnonymous
February 06, 2007
Taking research from Gartner at face value is NOT wise advice.Anonymous
February 06, 2007
This is such a cool story. Two years ago, Bill Gates announced IE7 at RSA highlighting the Phishing FilterAnonymous
February 06, 2007
Tmaster, You need to turn on your phishing filter, and set it to automatic, and ensure server certificate revocation checking is not turned off, to see the green bar. The red certificate at Woodgrove is to be expected; the testing certificate was not issued by a trusted authority, that is, it was issued by "Microsoft Enhanced Validation Testing PCA". To see the list of trusted authorities, go to tools, internet options, content tab, certificates button, trusted root certification authorities. SandiAnonymous
February 06, 2007
I faced 2 Problems with IE 7
- First time when I enter any domain name and press Ctrl+Enter IE7 hangs for almost 30 sec.
- If I sign into multiple sites using tabs and logout from any of the sites, I get logged out from all other sites. may be a cookie problem..i guess!??
Anonymous
February 06, 2007
Today, Bill Gates and Craig Mundie keynoted the RSA Conference 2007 and announced a variety of security related Microsoft initiatives. Perhaps the biggest news was announced in detail on the blog of Microsoft’s Kim Cameron where Microsoft p...Anonymous
February 06, 2007
@Sandi: Actually, ~either~ setting the Phishing Filter to Automatic ~OR~ enabling Server Certificate Revocation Checking is sufficient. @AK: Do you see the delay if you type the "http://" before the domain name? What sites are you logging out of? Logging out of some sites (like Outlook Web Access) will clear your session cookies.Anonymous
February 06, 2007
What I don't get is why the need for EV certs? If the existing certificates are being issued to anyone who asks for them without any verification wouldn't the fix to that problem be to start validating cert requests? EV certs are basically an acknowledgment of the fact that regular certs are not trustworthy. As such, those shouldn't be trusted at all.Anonymous
February 06, 2007
are u sure a GREEN address shows up when navigates to websites like Verisign in WinXP?Anonymous
February 06, 2007
The comment has been removedAnonymous
February 06, 2007
@IE team It would be nice if you could add a new SecureLockIconConstant identifying EV SSL connections to the DWebBrowserEvents2::SetSecureLockIcon event so that security add-ons for IE can take advantage of the new EV certificates as well. Regarding UI flickering: The status bar and the small edge between the tab bar and the actual Web content frame still flickers if switching tabs. Any plans on allowing us to report bugs we find in IE again? The connect bug database was a good approach, but was unfortunately turned off after RTM. Besides, congratulations on launching Vista and EV SSL.Anonymous
February 06, 2007
Since I installed IE7 I have had MAJOR hiccups of one kind or another....... now it won't even load up pages of ANY sort........... I am on Windows XP (home) and do NOT intend to go over to VISTA because it is a wannabe MAC platform and I should have gone Mac instead of staying with windows because it just keeps crashing and crashing and hanging and hanging! I don't know way there is a new UNimproved version of IE for non techies..........Anonymous
February 07, 2007
How can the Go button (used with the Address Bar on the Taskbar) be removed now that the option to remove it is no longer included with IE7 Advanced Options? I've already done a few searches of the registry with no success. I'm using XP Pro with IE7 (/w latest updates).Anonymous
February 07, 2007
The comment has been removedAnonymous
February 07, 2007
The comment has been removedAnonymous
February 07, 2007
I found a very tiny bug in the Address Bar when using EV SSL Certificates, see the image at this url (nevermind the JPEG-corruption): http://swb.alex-media.nl/photos/C11184B4-C845-E8B2-EB1F-CD4394DB6A82.jpg What you're looking at: the company name should be 'Charles Schwab & Co., Inc. [US]'. You see: 'Charles Schwab _Co., Inc. [US]' The problem is caused by the company name having an ampersand in it. It is displayed as a _ because that's Windows mnemonic-key. When you click on the icon, the correct company name is displayed.Anonymous
February 07, 2007
Sandi, thank you! I wasn't so much surprised the Woodgrove Bank side had a red bar, it made sense to me, since I knew it was self-signed. Sorry if I didn't make this clear. However, your comment that the certificate revocation has to be enabled solved the problem for me. I doubt this is the default setting anyway, I just cannot remember turning it off. I guess this was an obvious case of PEBKAC. And thanks to Eric for the reply as well =)Anonymous
February 07, 2007
Atât oprește Phishing Filter-ul din IE7 . De la lansarea lui în octombrie, Internet Explorer 7 a blocatAnonymous
February 08, 2007
@Alex: Nice catch, and your analysis is spot on. This bug was only discovered after we shipped IE7; we'll be fixing it in a future version.Anonymous
June 12, 2007
I’ve talked several times in the past about Extended Validation SSL certificates and how they are a great
