SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

We’ve been talking for a long time about making sure IE7 is as secure as possible but still compatible with the Internet. The principle that helps us balance security and compatibility is to not impact existing websites unless we need to change IE to help protect end users. As we asked web developers and server administrators to make changes, they spoke frankly with us about what they could and what they couldn’t change. Today, we’ll look at a couple timely examples of how this principle played out in IE7.

1. Improved security to mitigate threats may impact some web sites

SSL 2.0 deprecated

One place we faced a tough decision was with SSL 2.0. Contrary to what we expected, SSL 2.0 is still in use on a number of web servers around the world. The problem is that if a site chooses to use SSL 2.0 an attacker could decrypt a transaction between IE and a SSL 2.0 web server. We’ve never heard any reports of SSL 2.0 sites or users being exploited but we decided to keep SSL 2.0 disabled in IE7 to protect users from that threat. When we did hear of web servers running SSL 2.0, we contacted server administrators about upgrading to newer servers.

It’s important that your web server admin upgrade from SSL 2.0 if you haven’t already. If for some reason you still need to use SSL 2.0, you can ask your users to re-enable SSL 2.0 on the advanced tab of the Internet options control panel.

Obsolete controls disabled through ActiveX opt-in

An important part of the ActiveX opt-in feature is doing good housekeeping of the ActiveX controls that come with Windows.  Many sites will benefit from IE7’s new native XMLHTTP control and sites can continue to use the MSXML 6.0 and 3.0 controls. The MSXML 5.0 control will not be enabled by default. The WMP 6.4 player is also disabled because its been replaced by the WMP 7+ generation controls. As we can infer from HD Moore’s month of browser bugs, using the newer controls and leaving older controls disabled helps reduce the chances of user being exposed to a security or stability issue in an older control.

Since this should be a straightforward change for most sites, we’re asking for your help in moving your pages towards the native object XMLHTTP, the latest version of MSXML or the newer WMP control. In the best case scenario, the change might be to simply swap in the native object for XMLHTTP or the newer CLSID for the current WMP control.

2. In many cases though, we can make security features that are still compatible with today’s web applications

Warning rather than blocking for mixed content for compat with web applications

Mixed content refers to a secure page, hosted over https that also includes unsecured http content. Since the plain http content isn’t protected with encryption, browsers have to warn users about the unencrypted content because it could be hijacked rewritten by an attacker. In practice, many websites still mix http content into https pages, typically to carry non-confidential information such as logo images.

In previous Betas of IE7, we blocked the unencrypted http content outright to give users the most secure default experience, to not even make users decide if they wanted the protection. Pages with mixed content showed the information bar and the http content simply didn’t come through unless the user clicked the information bar to reload the full page. We’ve spoken with many major commercial websites and explained the problem with the user experience. As a result you should see many fewer sites hosting mixed content.

At the same time, many of today’s blog publishing packages depend on the ability to mix http content into an https-based outer page. Blocking the plain http content on page load forced the blogger to reload the page and many folks lost draft posts. Getting updated blog software isn’t an easy task and blogging is now common practice for folks who aren’t necessarily part-timing as web server admins.

Because mixed content is important for some web applications, and straightforward fixes are not always available, we made a hard decision to revert to the warning prompt for mixed content in RC1. That means your banking site, your blog software or other secure site might show a modal prompt for mixed content as they did in IE6.

The responsibility for using mixed content wisely, if needed, rests on web developers and web server admins. We still hope to address to the mixed content prompt in a future release. As TLS improves the performance and economy of HTTPS web servers, we hope the industry can move away from mixed content all together.

TLS 1.0 can fall back to SSL 3.0 for compatibility with legacy web servers

One of the new features in Windows Vista is support for TLS 1.0 extensions. Web servers that support TLS extensions open up new scenarios in HTTPS like the ability to have multiple hosts on a single server and will allow servers and clients to negotiate more secure connections with improved performance. The problem we found is that some legacy web servers will simply reject connections that include a TLS 1.0 extension. Server patches are usually available to correct this problem but those patches need to be deployed extensively and that can take time.

Rather than have end users locked out of important websites because of TLS extensions, we worked with the Windows Networking team on a simple fallback mechanism that will allow the legacy servers to keep working. In the final RTM version of Windows Vista, if the server hangs up the connection after IE sent TLS extensions, IE will simply retry the connection using SSL 3. SSL 3 remains a secure fallback and we found the workaround to be effective.  Server operators should still ensure that they are running the latest updates on their servers for best performance.

Thanks,

Rob Franco
Lead Program Manager

edit:  adjustment in title

Comments

  • Anonymous
    October 18, 2006
    At what time can we expect Final to be released by Microsoft?  Yahoo has already released their optimized version for Final!

  • Anonymous
    October 18, 2006
    The comment has been removed

  • Anonymous
    October 18, 2006
    And I live in Germany. Here it's now 8pm but in Redmond it's 11am (nearly 13 hours remaining, until October, 11th ;-)). Web.de and some other pages say, that the IE7 is already released - but always with the "warning" that IE7 RC1 only works on XP SP2. So, this isn't the final, is it? Why do they tell "lies"? That's stupid. OK, let's wait... Maybe Bill Gates is sleeping until 12pm :-/ Grettings from Germany F. Gaertner

  • Anonymous
    October 18, 2006
    As I always said: the testers are the last to get the products. When I was testing Windows Vista there were situations where you could get working Vista from some illegal server or wait days before it appears on connect. Now we see how important for Microsoft Yahoo users are. They are much more important than Microsoft customers. I know this strategy. You do everything to attract new customers while forgetting about their existing customers. ("They are already our customers. They are unlikely to run away.")

  • Anonymous
    October 18, 2006
    Will you include a registry setting to change the handling of mixed content from the default to the more secure method you reverted from with RC1?

  • Anonymous
    October 18, 2006
    IE 7 is out. Yahoo is bundling it here. You can manually unbundle it and just get IE 7 if needed. http://downloads.yahoo.com/internetexplorer/index.php

  • Anonymous
    October 18, 2006
    You can download the Yahoo version, then using WinRAR extract the IE7 setup, without the branding. But I would rather wait for the offical version.

  • Anonymous
    October 18, 2006
    Weird. I would have thought that Microsoft wouldn't let any third parties release it's browser until after it had already official released it.

  • Anonymous
    October 18, 2006
    The comment has been removed

  • Anonymous
    October 18, 2006
    I have to agree with the last post . But then i like the fact that yahoo as it on there website for full download . But like this last post was saying . I'm going to just wait for it in the windows updates.

  • Anonymous
    October 18, 2006
    I usually type IEblog in the title bar to get the site, but now it goes to ieblog.com and incorporates your content. Anyhow, no change of getting the "height=100% inside a TD bug" fixed, eh? Sigh..

  • Anonymous
    October 18, 2006
    I know this is offtopic, but is there anyway way to slipstream IE7 into an XP SP2 installation CD? The normal methods don't work for me (using the /integrate or -s switch). Nice work on IE7, I love it! I seem to be in the minority lol. -Singh400

  • Anonymous
    October 18, 2006
    I want to compliment everyone involved in the development of IE7. It is a vast improvement. You, and the rest of MS, also deserve praise for the openness shown through the involvement of the public in the betas and the open blogs. But it's just for those reasons why I am disappointed that I had to get the final version of IE7 through Yahoo and there was not a single mention of it on this page. Despite this gaffe, please keep up the openness (and suggest to the Vista team that they reopen the RC2 program to everyone who had been sent a product code).

  • Anonymous
    October 18, 2006
    IEBlog : SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility Obsolete controls disabled through ActiveX opt-in An important part of the ActiveX opt-in feature is doing good housekeeping of the ActiveX controls that..

  • Anonymous
    October 18, 2006
    x64 version? I can get the 32-bit final from the yahoo file, as mentioned, but whither the x64?

  • Anonymous
    October 18, 2006
    The comment has been removed

  • Anonymous
    October 18, 2006
    I know this if off topic, but after IE7 goes out, it would be great if you could package up IE6 as a single standalone file so we can do testing on it. I know the only supported method is to use VPC (which is now free), but for those of us that do not work at Microsoft, we don't have original XP discs around. My 7 month old HP came with disks that will only work with their own machines, and VPC doesn't fake that part, so the only way for me (or anyone else) to have both IE6 and IE7 is to buy another copy of Windows. Want to send me a copy?

  • Anonymous
    October 18, 2006
    If you already had the release candidate, Yahoo's installer first rolls back to IE6; you have to then run the Yahoo installer again to get their customized version.

  • Anonymous
    October 18, 2006
    http://browsers.evolt.org/?ie/32bit/standalone

  • Anonymous
    October 18, 2006
    ....as secure as possible but still compatible with the "Internet". What? I'm tempted to make /. style comment, but won't. Read. Edit. Post.

  • Anonymous
    October 18, 2006
    @Lewis Francis   That was strange, the version was still showing IE7. /Thats what I get.

  • Anonymous
    October 18, 2006
    The comment has been removed

  • Anonymous
    October 18, 2006
    Thiking that they'll post here on IEblog when IE7 comes out was stupid. Go, get it at MS site. Cry looking at crushing browser with unfixed bugs. Rememer: "That's what you have asked for."

  • Anonymous
    October 18, 2006
    Ha-ha As I thought. No improvement. All the bugs are still there. Broken unicode (Win95 era anyone?) etc etc etc Almost forgot. Despite the bugs on connect are often closed "randomly" there are still more than 1700 bugs. !!! It's much more than in Windows Vista. Compare the sizes. 1 bug for every 8kb of the installer. And to think how many important bugs were closed "just because"... Overall I'm very disappointed with IE7 beta process. It looked like war between IE users/testers/web-developers vs. MS&IE7 team. Testers open bugs - MS closes them. Who wins?

  • Anonymous
    October 18, 2006
    It's still the RC1 on the MS site.

  • Anonymous
    October 18, 2006
    I think this page links to RTM. Can't confirm because it says I already have IE7. http://www.microsoft.com/windows/ie/default.mspx

  • Anonymous
    October 18, 2006
    http://go.microsoft.com/fwlink/?LinkId=74211 you can get it here. But I will get TruE IE7 here: http://maxthon.neo101.nl/featureguide/maxthon2newFeatures.html

  • Anonymous
    October 18, 2006
    You're right it is up now. I've just been putting IE7 into my search engine and RC1 page had always been the first page up but going through microsoft.com I see the final version is available now.

  • Anonymous
    October 18, 2006
    I trust MICROSOFT with my security because they care about what I search for; unannounced connections (picked up by my non-Microsoft firewall) connecting to sa.windows.com in Windows XP everytime I do a LOCAL search on my drive, they show they care in their own special way!!! I love Microsoft!!!! I am sure IE7 has the my best interests at heart and strikes the RIGHT balance where others have come & failed!!!!! Remember only Microsoft can protect us on the net. IE7 makes that possible!!!!

  • Anonymous
    October 19, 2006
    @Goose: The sa.windows.com request returns an XML file about search providers.   If you're curious to see the data, you can view it in Fiddler, a free HTTP monitor available from  www.fiddlertool.com.

  • Anonymous
    October 20, 2006
    Quite a bit has been written about the Secure Sockets Layer (SSL) protocol and its successor Transport

  • Anonymous
    October 20, 2006
    But seriously, anyone have info about slipstreaming ie7 into an xpsp2 install?  not that I'm chomping at the bit to turn the world over to Microsoft, but i'm repacking my unattended install and figure this would make a good side project.  is the genuine authentication cr** that holds up the switches?  

  • Anonymous
    October 20, 2006
    Jeff, IE7 cannot be slipstreamed into XPSP2.  For deployments, you have to boot into XP, install IE7, and then use sysprep to repackage the machine or an imaging solution. Thanks. John [MSFT]

  • Anonymous
    October 21, 2006
    @John (MSFT) Ah so.....thank you :-)

  • Anonymous
    October 23, 2006
    I’ve been working closely with the IE team leading up to the release of IE7 and looking at the use of

  • Anonymous
    October 24, 2006
    The comment has been removed

  • Anonymous
    October 24, 2006
    @PSchuetz: Perhaps you might want to read the article again.  The entire point is that there are cases where there's no ready workaround for mixed content: <<many of today’s blog publishing packages depend on the ability to mix http content into an https-based outer page.>> <<straightforward fixes are not always available>> In this particular case, there's a very easy workaround: Don't use HTTPS to access the IEBlog.  There's no private data here, and hence using HTTPS just results in wasted cycles and overhead.

  • Anonymous
    October 27, 2006
    Some of you may have noticed the following goldbar on some websites: Our friend Adam on the XML team

  • Anonymous
    October 27, 2006
    Hi there, I don't understand what Microsoft's deal is with that popup of mixed content. Mixed content is ok. There is nothing wrong with having some mixed content, like css, js, images. Where there is a problem is when FORMS are submitted using a http address when a user navigated to a https url. A user does not know that the content that is being submitted is submitted "unsecurely". This is when a message needs to be displayed.  Poping up that message when an image like your logo is on http not logical. It's like saying I'm going to secure my house by putting a lock on the front door. Now everything I access must have a lock, why would you need to lock everything in your house if the front door is locked?  Secondly, for a site to be secure in needs to be, I stress again, needs to be both https and have an authentication system on each entry point. Meaning, if you are going to use ssl on a site you must have authentication validation on it's entry points. Just having authentication is not enough when you are running on http and just having ssl on you urls is not enough. Someone can still access your information.   That's my idea, I hope they change it because right not it just doesn't make sense to me.

  • Anonymous
    October 27, 2006
    @Billy: You should read http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx The danger of mixing insecure JS into HTTPS is that a man-in-the-middle could replace the insecure HTTP script with script of his choosing.  Javascript can completely rewrite the page, meaning that it's no longer secure.

  • Anonymous
    October 27, 2006
    @EricLaw Ok, I didn't think of that. However, the message is too scary for "regular" users. As you point out there are two vulnerabilities. The html page and the javascript, these are the things that need to be secure, when they are not then popup the message. What about the images and the css and other content that can't rewrite the page, are they vulnerable for attack? Thanks for the link

  • Anonymous
    October 27, 2006
    Is there a quick way to determine which elements on the page are not secure? I am maintaining a site developed by someone else. The forms have mixed content (according to IE). I would like users to not get the warning pop-up.

  • Anonymous
    October 27, 2006
    @Beeszus9: In some cases, you can determine what's insecure by simply clicking "No" to mixed content and determining what content is missing.  The more rigorous approach is to use Fiddler (www.fiddlertool.com), and watch for the HTTP requests. @Billy: Well, CSS can materially alter the display of a page, and while images can't rewrite the page, they can be used to fool the user.  The problem is that the browser has no way of knowing "Hey, this image is meaningless and it doesn't matter if a bad guy tampers with it" vs "This image is a snapshot of the user's stock portfolio, and if a bad guy were to tamper with it, the user may take an unsafe action (e.g. selling all of his stock or whatnot). Mixing insecure content into HTTPS pages simply is not safe.

  • Anonymous
    October 29, 2006
    Promotion on Microsoft 7 Looked intresting, did not research SSL TLS Etc enough to give an openion. Anxious to find out where my end will end UP. Frank

  • Anonymous
    October 29, 2006
    I really dont know how to respond to no responces. Never had any experiances talking to people with Cronic LockJaw and very poor writing instructions. I am here because of having a Deep intrest in what makes things work and how i may make them better and boredom of retirement. Should you Folks ever deside to come out of the Closit, i would be pleased to Know what your plans are. I think you have been FUNNING me about my Micro's so we don't have to worry about that Issue. The BLUE Grass Pastures are the best and where I need to be.   Frank

  • Anonymous
    June 24, 2008
    This blog post frames our approach in IE8 for delivering trustworthy browsing. The topic is complicated

  • Anonymous
    November 03, 2008
    The comment has been removed

  • Anonymous
    November 03, 2008
    The comment has been removed

  • Anonymous
    November 04, 2008
    The comment has been removed

  • Anonymous
    March 16, 2009
    안녕하세요! 저는 인터넷 익스플로러 보안 프로그램의 책임자인 에릭 로렌스라고 합니다. 지난 화요일, 딘(Dean)이 신뢰성 높은 브라우저 에 대한 저희의 생각을 포스팅했었죠. 오늘