This blog is closed as of 2/2015. @EricLaw left Microsoft in 2012, but was named an IE MVP in '13 & an IE userAgent (http://useragents.ie) in '14.
HTTPS In 2015
Last week at the CodeMash conference, I delivered a session titled HTTPS in 2015: Securing your websites and services using HTTPS has never been more important, or more complicated. In this talk, a former browser Security Program Manager covers the best practices for using HTTPS today. Topics...
16 Jan 2015
Internet Explorer 11 and Perfect-Forward-Secrecy
In case you missed it, the recent Windows 8.1 Update update adds four new ciphersuites (including two supported by Chrome32) and changes the ciphersuite order to prefer algorithms that offer Perfect-Forward-Secrecy. You can read more about this update here. Wikipedia has a nice article on PFS, but...
11 Apr 2014
There’s never magic, but plenty of butterfly effects
I’ve always enjoyed magic shows, but I’ve never attempted to understand how the tricks are performed, since that would take all of the fun out of them. In contrast, if I see a web browser demonstrating seemingly magical behavior or misbehavior, I find it hard to sleep until I figure out...
26 Feb 2014
“Continue” Link Missing from Certificate Error Page?
A user recently reported that IE11 wasn’t showing the “Continue” link on the certificate error page shown when visiting their 2009-era router’s configuration UI. They were curious why that link wasn’t shown in this instance. The error page’s Continue link is hidden...
12 Dec 2013
Authenticode, HTTPS, and Weak RSA Keys
Over on the Microsoft PKI blog, there’s some important information about upcoming changes for website operators who use HTTPS or deploy Authenticode-signed applications or ActiveX controls. Weak RSA Keys Blocked: To briefly summarize the PKI team’s post, a security update coming to...
13 Jun 2012
Avoid “Do not save encrypted pages to disk”
Internet Explorer has an Advanced option named Do not save encrypted pages to disk. By default, this option is unchecked (except for Windows Server systems) and I recommend you leave it that way. In IE9, this option does exactly what it says it does—resources received from HTTPS URLs...
6 May 2011
These days, I struggle to find time to keep up with all of the tech news, but there are a few streams I make a special effort to stay on top of. Ex-Internet Explorer Dave Risney posts items of interest about URIs, web standards, FiddlerCore and myriad other interesting goodies over on his blog. ...
30 Apr 2011
Understanding Certificate Revocation Checks
Recently, there’s been some interest in how clients perform Certificate Revocation checks and browsers behave in the event that a revocation check cannot be completed. In today’s post, I’ll explain Internet Explorer’s default behavior and explain how you may change the default...
7 Apr 2011
HTTPS and Keep-Alive Connections
As we explore network performance on the “real-world web”, one bad pattern in particular keeps recurring, and it’s not something that our many IE9 Networking Performance Improvements alone will resolve. The bad pattern is the use of Connection: close semantics for HTTPS connections...
26 Mar 2011
Misbehaving HTTPS Servers impair TLS 1.1 and TLS 1.2
Back in the summer of 2009, I blogged about Windows 7’s new support for TLS 1.1 and TLS 1.2 . These new protocols are disabled by default, but can be enabled using Group Policy or the Advanced Tab of the Internet Control Panel: Some adventurous Internet Explorer users have found that...
24 Mar 2011
The Hazards of Relying upon Browser Quirks
While many web developers find subtle browser behaviors baffling, often browser developers are bewildered by web content. Yesterday, we ran into an interesting site compatibility problem that occurs in the latest internal version of IE9. The site in question is a popular site which uses a Flash applet...
22 Sep 2010
HTTPS Caching and Internet Explorer
From time to time, I get questions about Internet Explorer’s behavior when it comes to caching of HTTPS-delivered content. It comes as a surprise to many that by default, all versions of Internet Explorer will cache HTTPS content so long as the caching headers allow it. If a resource is sent...
21 Apr 2010
AES is not a valid cipher for SSLv3
A Windows 7 user of Fiddler encountered an interesting error this morning, and it reminded me of an interesting HTTPS compatibility problem we found in the Windows Vista timeframe. The user is trying to visit https://www.atsenergo.ru with Fiddler running in HTTPS-decryption mode. Fiddler uses the...
8 Dec 2009
Understanding Certificate Name Mismatches
Recently, I received a query from the Windows Mobile team: they had observed that visiting https://gmail.com triggers a certificate name mismatch error on IEMobile, but doesn’t seem to trigger any error on Windows 7 when using the desktop versions of Internet Explorer or Firefox. Now, long-time readers...
7 Dec 2009
Internet Explorer Cannot Download https://something
Earlier today, I was asked to troubleshoot a secure site where file downloads were always failing. Having seen this problem many times over the years, I immediately suspected that the web developer wasn’t aware that if a user tries to download* a file over a HTTPS connection, any...
2 Oct 2009
Client Certificate Selection Prompt
The HTTPS protocol allows a secure server to request that the client verify their identity with a client certificate during the initial secure handshake. By presenting a client certificate, the browser helps further defeat man-in-the-middle attacks and authenticates to the web server more securely than...
2 Sep 2009
Getting the Server's Certificate Chain from WinINET
Over the last few years, a number of folks have lamented that there's no good way to get the server's complete certificate chain from a WinINET HTTP response. That has changed with the release of the new WinINET shipping in Windows 7 / IE8. INTERNET_OPTION_SERVER_CERT_CHAIN_CONTEXT is a new flag you...
20 Aug 2009
Handling Mixed (HTTPS/HTTPS) Content
Update: IE9 includes improved handling of Mixed Content. Click to learn more... Background As we developed Internet Explorer 8, we spent quite a bit of time pondering what to do about IE7’s infamous “Mixed Content” warning prompt: As I noted on the IEBlog four years...
22 Jun 2009
Windows 7 adds support for TLSv1.1 and TLSv1.2
Windows 7's updated crypto stack (schannel.dll, etc) offers support for TLSv1.1 and TLSv1.2. While disabled by default in IE8 (for compatibility reasons; some legacy sites will fail to connect when the updated TLS version is offered) the new protocol versions can be enabled by checking the appropriate...
19 Jun 2009
© 2015 Microsoft Corporation.