Security and Compatibility with IE7

One of the biggest challenges in making software more secure is maintaining compatibility with the existing functionality that customers depend on.  We’re here at the RSA security conference in Silicon Valley to work with other software and security professionals to meet our customers’ expectations for safety and compatibility. While we have taken a great deal of care to preserve compatibility, the new security features in Internet Explorer 7 do change the way platform works and only testing with your products can gauge the impact and investment you may need to make to be fully compatible with IE7.

For the IE7 Beta preview for XP SP2, we prepared preview documentation and a preliminary compatibility tool to help developers analyze and address the most difficult compatibility and security problems posed by IE7 for web sites and browser extensions. More documentation will follow for other security features, but we are releasing the documents for the most challenging security features first. This will give you the maximum time for testing and remediation of any issues you find.

One or more of the security enhancements in IE7 may require an update in your code. The most notable changes include:

• "Protected Mode" for Windows Vista will run Internet Explorer with restrictions that help prevent attackers from using vulnerabilities to install malware or otherwise damage a user’s system. At the same time, Protected Mode restricts Internet Explorer itself and will restrict extensions run in Internet Explorer. It is possible that that you will need to update your extension to be compatible with Protected Mode.
• "ActiveX opt-in" will disable most ActiveX controls on the system. If your ActiveX control needs to be enabled by default, we have put together a set of ActiveX best practices to help you understand how to make it safe enough to be used on the internet and enable it for use with IE7.
• IE7 has more secure defaults for SSL. IE7 will disable SSLv2, enable TLSv1, block non-secure http content in secure https pages, and block navigation to sites that have SSL certificate errors.
• We rebuilt critical code paths for URL parsing and Cross Domain security using new best practices for secure software development. Your website or application may need to be updated if it relies on a non-standard URL syntax. The compatibility tool will help you test for these problems.
• We have retired a number of rarely-used legacy features from the product to reduce attack surface. The removal of these features may require you to update your website or your application. Please refer to the IE7 Beta preview release notes for the list of removed features.

Besides ensuring compatibility, Website Developers and Software Developers can take advantage of IE’s security features to help users feel more confident while they browse your site or download your code:

• IE7 includes an enhanced experience for sites that include upcoming higher assurance SSL certificates including the lock icon with a green filled address bar. Along with other browsers, the Certificate authority industry is working with us towards a tougher SSL standard for the enhanced experience. This past Sunday and Monday, we met to work on the standard with the American Bar Association here in San Jose. The certificate authorities who coolaborated with us this weekend include Geotrust, Verisign, Identrus, Comodo, Cybertrust, Go Daddy and X-Ramp.  To see what the experience will be like, you can try out the enhanced experience by downloading a test root certificate and then visiting our demo site using IE7 Beta 2 Preview. If you think your site should have this experience, contact your certificate authority to learn about their plans to offer higher assurance SSL certificates that will be recognized by the IE7 address bar.
• In the upcoming Beta 2 release, IE7 will let users sign into web sites using visual "InfoCards" rather than passwords.  This eliminates a number of common attacks because when no password is typed, there is none to be stolen (and none to forget).  The "InfoCard" system uses certificates to make it harder for imposter sites to pass themselves off as genuine.
• IE7 checks the signatures on downloaded programs such as ActiveX controls and executables to make it easy for customers to identify your code. If you distribute software over the internet, you should sign your code with a valid code signing certificate.

We’ve already had the chance to work with engineers from companies like Adobe, Real Networks and many others. We found that our colleagues at these other companies are just as passionate about security as we are. We hope you’ll take this opportunity to work with us towards a safer experience for our mutual customers. We look forward to your feedback during this process and getting to know you better along the way!

 - Rob Franco