IEInternals

A look at Internet Explorer from the inside out. @EricLaw left Microsoft in 2012, but was named an IE MVP in '13 & an IE userAgent (http://useragents.ie) in '14

Tagged Content List
  • Blog Post: Internet Explorer 11 and Perfect-Forward-Secrecy

    In case you missed it, the recent Windows 8.1 Update update adds four new ciphersuites (including two supported by Chrome32) and changes the ciphersuite order to prefer algorithms that offer Perfect-Forward-Secrecy. You can read more about this update here. Wikipedia has a nice article on PFS, but...
  • Blog Post: Windows Server as a Workstation

    Back in the Windows 2003 timeframe, Microsoft had a problem. The security press of the time liked to put out charts showing which operating systems had the most vulnerabilities. Windows 2000 wasn’t looking so hot, owing to the fact that Windows 2000 Server had a full web browser built-in, “out...
  • Blog Post: Same Origin Policy Part 0: Origins

    Recently, someone asked a pretty simple question: “Why doesn’t IE consider the port when evaluating Same Origin Policy?” and I realized that my Same-Origin-Policy series lacks an in-depth look at the concepts surrounding origins. Table of Contents: Same Origin Policy Posts ...
  • Blog Post: Browser Arcana: IP Literals in URLs

    While virtually all web traffic flows over connections based on the Internet Protocol, most of the time your browser first uses DNS to look up the target hostname’s IP address. However, sometimes URLs directly specify an IP address, skipping DNS altogether. When an IP appears directly within such...
  • Blog Post: There’s never magic, but plenty of butterfly effects

    I’ve always enjoyed magic shows, but I’ve never attempted to understand how the tricks are performed, since that would take all of the fun out of them. In contrast, if I see a web browser demonstrating seemingly magical behavior or misbehavior, I find it hard to sleep until I figure out...
  • Blog Post: “Continue” Link Missing from Certificate Error Page?

    A user recently reported that IE11 wasn’t showing the “Continue” link on the certificate error page shown when visiting their 2009-era router’s configuration UI. They were curious why that link wasn’t shown in this instance. The error page’s Continue link is hidden...
  • Blog Post: What I’d like to see in IE12

    As the holidays approach, I’ve decided to publish my “wishlist” for the next version of Internet Explorer. I’ve been pretty good this year, so hopefully the IE team will deliver some of these presents. :-) Please remember: I’m just an MVP, and I don’t have any magic...
  • Blog Post: Braindump: Feature Control Keys and URLActions

    Note: The “brain dump” series is akin to what the support.microsoft.com team calls “Fast Publish” articles—namely, things that are published quickly, without the usual level of polish, triple-checking, etc. I expect that these posts will contain errors, but I also expect...
  • Blog Post: Understanding Zone Elevation

    The security setting “Websites in less privileged web content zone can navigate into this zone”: ... is one that leads to more questions than almost any other. This setting, also known as Zone Elevation protection, was originally designed to prevent navigation from untrusted Internet...
  • Blog Post: Enhanced Protected Mode and Local Files

    Ordinarily, Internet Explorer loads local HTML files in the Local Machine Zone. Locally-loaded HTML files are subject to the Local Machine Lockdown feature which prevents pages from running active content like JavaScript or ActiveX controls, showing the following notification: In order to...
  • Blog Post: Authenticode, HTTPS, and Weak RSA Keys

    Over on the Microsoft PKI blog, there’s some important information about upcoming changes for website operators who use HTTPS or deploy Authenticode-signed applications or ActiveX controls. Weak RSA Keys Blocked To briefly summarize the PKI team’s post, a security update coming to...
  • Blog Post: The Intranet Zone

    Internet Explorer maps web content into one of five security zones. After the Local Machine Zone, the Local Intranet Zone is probably the most misunderstood of the Zones, and is a common source of confusion and compatibility glitches. Mapping into the Local Intranet Zone For the Trusted and Restricted...
  • Blog Post: Brain Dump: Random Tidbits

    This post contains random IE-related tidbits for which there’s either not enough material or time to write a full post. I expect to revisit and expand this list from time to time. Case-Sensitivity in Cross-Frame Scripting of File URIs Same-Origin-Policy controls how script running in web...
  • Blog Post: Same Origin Policy Part 2: Limited Write

    In Part 1 of this series, I described how Same Origin Policy prevents web content delivered from one origin from reading content from another origin. (If you haven’t read that post yet, please do start there.) In today’s post, we’ll look at what restrictions are placed on writing...
  • Blog Post: Understanding Enhanced Protected Mode

    Last week, Andy Zeigler announced the introduction of Enhanced Protected Mode (EPM) over on the IEBlog. In today’s post, I’d like to provide further technical details about EPM to help security researchers, IT professionals, enthusiasts, and developers better understand how this feature works...
  • Blog Post: Beware Silly Similes

    Recently, there was a blog post which described a browser security feature as "like a seat-belt that snaps when you crash." This wasn’t a particularly noteworthy event because similes are pretty common in our field. Almost everyone likes similes because they enable the simplification of highly...
  • Blog Post: Authenticode and Weak Certificate Chains

    Recently, someone attempted to download a deprecated version of the Windows Script debugger. This tool was used to debug scripts prior to the introduction of more powerful, modern tools like those that are built into IE8 and later. The user emailed me when they encountered a very surprising outcome...
  • Blog Post: Internet Explorer 9.0.2 Update

    Tuesday’s Update for Internet Explorer updates the IE9 Help > About dialog’s version number to v9.0.2. The update includes a number of security and functionality fixes; many of these fixes are described in the More Information section of KB2559049. One fix enables the IE9 Download Manager...
  • Blog Post: Understanding Protocols

    For over a decade, Internet Explorer has enabled developers to extend the browser with new URL protocol schemes. These protocols can be one of two types: Asynchronous Pluggable Protocols - COM objects that implement the IInternetProtocolRoot interface and return content to URLMon, usually for rendering...
  • Blog Post: Integrated Windows Authentication

    Inside Internet Explorer’s Tools > Internet Options > Advanced dialog, there’s an option named Enable Integrated Windows Authentication: This preference is stored using a REG_DWORD named EnableNegotiate inside HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings...
  • Blog Post: Enhanced Mitigation Experience Toolkit Update

    Microsoft’s Security Research and Defense team has released an updated version of their Enhanced Mitigation Experience Toolkit (EMET), a tool that allows the application of enhanced security mitigations around the application of your choice. While Internet Explorer 9 already natively includes...
  • Blog Post: Socially-Engineered XSS Attacks

    When the IE team talks about Cross-Site-Scripting (XSS) attacks, we’ve usually grouped them into three categories: Type 0: DOM-based XSS; Type 1: “Reflected” XSS; Type 2: Persistent/Stored XSS. DOM-APIs like toStaticHTML enable pages to protect themselves against Type...
  • Blog Post: Controlling Java in Internet Explorer

    Recently, there’s been some interest in how to control the use of Java within Internet Explorer. Java is a unique form of extensibility because it can be invoked in two ways: using an APPLET element, or using an OBJECT element with a CLSID of a JVM. These two invocation methods are subject...
  • Blog Post: A Security Prompt that makes you go “Huh?”…

    Every few months, a Microsoft employee will send me an email complaining that Internet Explorer showed them the following dialog: This page is accessing information that is not under its control. This poses a security risk. Do you want to continue? …and they don’t understand...
  • Blog Post: Understanding Certificate Revocation Checks

    Recently, there’s been some interest in how clients perform Certificate Revocation checks and browsers behave in the event that a revocation check cannot be completed. In today’s post, I’ll explain Internet Explorer’s default behavior and explain how you may change the default...