
Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Today I want to tell you about our established plan to highlight secure sites in IE7, and also about some early thinking in the industry on creating stronger standards for identity on the internet.

IE7 will join other browsers like Firefox, Opera and Konqueror in making the experience for secure (HTTPS) sites more visible by moving the lock icon into the address bar. We think the address bar is also important for users to see in pop-up windows: a missing address bar gives a fraudster the chance to paint a forged address of their own into the page. To help thwart that, IE7 will show the address bar on all internet windows so users can see where they are. IE7 will also help users avoid fraudulent sites if they choose to use the Phishing Filter to check a site for known phishing activity.

Today the lock icon in your browser window fundamentally means two things: that your traffic with the website is encrypted, and that a trusted third party, known as a Certification Authority, has identified the website. Certification Authorities offer certificates with broadly different levels of background checking for the website, from proof of control over a domain name to verification of the business behind it. Unfortunately, there is no industry-standard way for anyone, browser or user, to tell from the certificate what level of background checking was performed for a given site.

On Wednesday, we met with folks from other browser vendors including Mozilla (which is the basis of Firefox), Opera and Konqueror to discuss this situation (other browser vendors were invited but weren’t able to attend). George Staikos from Konqueror was good enough to host all of us in Toronto. Along with picking up the tab for lunch, George brewed coffee strong enough to bring weary travelers from Oslo and Redmond into the same time zone. Microsoft and others in the group think our users should have a better experience when they visit a website that passed a more rigorous identification process.

As a counter-example to how we might handle highly-identified sites, I presented the IE7 anti-phishing user experience for known and suspected phishing sites. The Phishing Filter shows warnings to users when it detects a site that may be misrepresenting its identity.

When the Phishing Filter is in use, IE will fill the address bar with red for known phishing sites (Fig 1) and with yellow for suspected phishing sites (Fig 2). In both cases, the address bar will include text that tells the user, in effect, either to "stop" or to proceed with "caution". In IE7, most normal sites, including those that show "the lock" today, will not have a color-filled address bar.

Fig 1, IE7 address bar for a known phishing website detected by the Phishing Filter (image: Known Phishing Website)

Fig 2, IE7 address bar for a suspected phishing website detected by the Phishing Filter (image: Suspected Phishing Website)

If the browsers and the Certification Authority industry can agree on better guidelines for identifying web sites, we want to take the address bar experience a step further and create a positive experience for rigorously identified HTTPS sites. We have implemented a green-filled address bar in IE7 for sites that meet future guidelines for better identity validation. Along with the green fill, our current design alternates the name of the business (Fig 3.1) with the name of the third-party Certification Authority that identified the business (Fig 3.2). We think this alternating presentation of business name and Certification Authority name is the right balance of user notification and simplicity.
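As an added illustration, not code from the IE team or from this post: the two labels the green bar design alternates between come from two X.509 Name structures inside the certificate, the subject (business name from its organizationName attribute) and the issuer (the Certification Authority, from its commonName). The Python below uses only the standard library to encode and decode DER Names so the extraction can be run on constructed sample names; "Contoso Ltd", "www.contoso.example" and the issuer "Contoso Root" are made-up values, and parsing a whole certificate, checking its signature, or recognising whatever marker the future guidelines might define are out of scope.

```python
"""Minimal DER encoder/decoder for X.509 Name (RDNSequence) values,
showing what a browser can pull from a certificate to label a site:
the subject's organizationName (business) and the issuer's commonName (CA).
Constructed example, not IE7 code."""

OID_CN = "2.5.4.3"   # id-at-commonName
OID_O = "2.5.4.10"   # id-at-organizationName
OID_C = "2.5.4.6"    # id-at-countryName


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _oid(dotted):
    """Encode a dotted OID as an OBJECT IDENTIFIER (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytearray([p & 0x7F])
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def encode_name(attrs):
    """attrs: list of (oid, text) -> DER Name, one UTF8String attribute per RDN."""
    rdns = b""
    for oid, value in attrs:
        atv = _tlv(0x30, _oid(oid) + _tlv(0x0C, value.encode("utf-8")))
        rdns += _tlv(0x31, atv)          # each RDN is a SET OF one AttributeTypeAndValue
    return _tlv(0x30, rdns)              # Name is a SEQUENCE OF RDN


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    parts = [body[0] // 40, body[0] % 40]  # adequate for the 2.5.4.x arcs used here
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)


def decode_name(der):
    """DER Name -> {dotted oid: value}. UTF8/Printable/IA5 strings are decoded as text."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = {}, 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        _, atv, _ = _read_tlv(rdn, 0)
        _, oid_body, p = _read_tlv(atv, 0)
        vtag, vbody, _ = _read_tlv(atv, p)
        oid = _decode_oid(oid_body)
        attrs[oid] = vbody.decode("utf-8") if vtag in (0x0C, 0x13, 0x16) else vbody
    return attrs


def address_bar_labels(subject_der, issuer_der):
    """The two labels the green bar alternates: (business name, CA name).
    A subject with no organizationName (typical of a domain-control cert)
    yields None: the Name alone does not say how the holder was vetted."""
    return decode_name(subject_der).get(OID_O), decode_name(issuer_der).get(OID_CN)


# Constructed sample names (made-up values, not real certificates).
EV_SUBJECT = encode_name([(OID_C, "US"), (OID_O, "Contoso Ltd"), (OID_CN, "www.contoso.example")])
DV_SUBJECT = encode_name([(OID_CN, "www.contoso.example")])
ISSUER = encode_name([(OID_C, "US"), (OID_O, "Contoso Root CA"), (OID_CN, "Contoso Root")])

if __name__ == "__main__":
    print(address_bar_labels(EV_SUBJECT, ISSUER))  # ('Contoso Ltd', 'Contoso Root')
    print(address_bar_labels(DV_SUBJECT, ISSUER))  # (None, 'Contoso Root')
```

The second call is the point the post makes about today's certificates: a domain-control subject carries no organization at all, and an organization that is present says nothing about how carefully the CA checked it, so a browser cannot decide "green" from the Name fields alone without an agreed, machine-readable convention.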

Fig 3.1, IE7 address bar for a site with a high-assurance SSL certificate (showing the identity of the site from the SSL certificate; image: Identity of Site from SSL Certificate)

Fig 3.2, IE7 address bar for a site with a high-assurance SSL certificate (alternating in the name of the Certification Authority who identified the site; image: Showing Name from Certification Authority)

I know that Frank and Gerv from Mozilla, George from Konqueror and Yngve and Carsten from Opera have their own thoughts for an improved certificate standard and how they would handle that in the user experience.

I wish we could promise that you will see this experience in IE7, and its equivalent in other browsers, but there are a lot of details to work out before browsers can differentiate SSL sites based on how well vetted they are. For this to work, Microsoft, Mozilla, Opera and Konqueror, amongst others, think there should be common validation guidelines for rigorous website identification. There is a lot of preliminary agreement but also a lot of work to do. The American Bar Association Information Security Committee is providing a forum to pursue this. You can check back with us and the other browsers to see how the process moves along.

 - Rob Franco (with lots of help from Kelvin Yiu and Tom Albertson who work on PKI for Windows)

November 23 Update: You can read more about our meeting in posts from other browser developers who attended:

Published Monday, November 21, 2005 4:56 PM by ieblog

Comments

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Monday, November 21, 2005 8:04 PM by JF
You might wanna link your images differently ;)

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Monday, November 21, 2005 8:13 PM by ieblog
Yep. I noticed that too once it went live. I fixed the URLs. There was a conversion error between local and remote locations.

Thanks!

- Al Billings [MSFT]

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Monday, November 21, 2005 8:26 PM by zz
what's user xp for people who are color blind?

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Monday, November 21, 2005 8:33 PM by ieblog
Each state is accompanied by both text and appropriate icons. The state can be read without a need to see the color.

- Al Billings [MSFT] (who is mildly colorblind)

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Monday, November 21, 2005 8:36 PM by EricLaw [MSFT]
In addition to the icons and text, it's probably worth reiterating that, in the event that IE knows something is bad (e.g. Certificate Error or Known-Phishing site) navigation is interrupted by a blocking error page. Hence, such errors are unlikely to be overlooked, even by the color blind.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Monday, November 21, 2005 8:38 PM by LRA2
This sounds like a great idea, but I do worry about the colours you have chosen to use.
At first glance they seem great as we have come to associate green for go, yellow for caution, red for stop. But we live in a world where we know and recognize not all people can see the differences between colours.
With stop lights, the top is red, the bottom is green (or right red, left green) yellow in the middle. This gives those who can not tell the difference between red and green a way to tell if they are to stop or not.
Red-Green colour blindness is the most common type. Though I personally like the colour choices you have made, I do worry about my friends and fellow members of the human race who can not tell the difference.
So, I hope that as you continue to work on this you will find some way for them to be able to know at a glance. As I am not colour blind I can not know for sure what would be the best way to go, but I would guess that there are ways for you to set up alternative settings, or do something with the colours to help them have this wonderful addition usable to them.
Keep up the great work, I can't wait til ie7 is ready for the masses

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Monday, November 21, 2005 8:40 PM by LRA
You guys are too fast, provided info of ways to help before I finished my post... Keep up the great work

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Monday, November 21, 2005 9:38 PM by AC
Please don't use yellow for suspicious sites as it's already been used for HTTPS sites on Firefox. What did you get out of that meeting how to confuse cross-browser users the most?

Additionally, what's with this alternating thing? You're not going to constantly alternate while people are browsing are you?? That would make blinking text look like a kitty next to this beast of an annoyance.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Monday, November 21, 2005 11:18 PM by Dylan Bennett
I second that about please don't use yellow for the "suspicious site" color. Firefox did a great thing making the address bar a different color when browsing secure sites, so please don't go breaking the experience by making it confusing to go between the two browsers.

I can totally understand the want to make it red, yellow, green for the different states, but either be consistent with what is out there or start a conversation with the Mozilla guys and get them to play along with your new color scheme.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Monday, November 21, 2005 11:36 PM by red yellow green
I say make it red, yellow, green! Just because other browsers use non-sensical colors for security doesn't mean you have to. BE DIFFERENT!

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Monday, November 21, 2005 11:40 PM by Aaron
I think I prefer Microsoft's color scheme, to be honest. It's a scheme recognized through driving... even in many (if not all) countries. Mozilla wouldn't exactly have a difficult time adapting their bar to conform either.

That being said, I can imagine that this is one of their sticking points, lol. I can just imagine the outrage of Mozilla conforming to Microsoft standards, *grin*.

Regardless of color scheme though, the overall idea of color-coding and providing information in the address bar for this purpose is very cool. Keep up the good work!

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Monday, November 21, 2005 11:55 PM by Matt Sherman
Rob & Co, thanks for the thorough post and thorough thinking.

As an app developer for my company's intranet, I do try to make web apps as "app-like" as possible, and part of this is the use of nice, clean, uncluttered popups.

I do appreciate your intentions here (security first), but boy, an address bar in a popup is real distracting from the content. How about letting the developer control the address bar for Trusted Sites or the Intranet Zone? Ditto on the status bar.

Cheers,
- M

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 12:34 AM by Brian
Nice concept, but I am not crazy about colorizing the address bar as it seems to hurt readability of the URL. How about just making the explanatory text on the right side shaded with the colors? Or allow the color effect to be turned off.

# Implement across all platforms

Tuesday, November 22, 2005 1:32 AM by Simon Mackay
Hi all!

I would suggest that this colour-coding for the address bar be implemented across all Web-browsing platforms. The code could be made commonly available for implementation in browsers like Apple Safari for example.

Also, a good idea would be to shoehorn the code for the phishing-control functionality so the functionality does exist but is available for use in embedded Web browser applications like set-top boxes for example.

With regards,

Simon Mackay

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 2:04 AM by Bryan
I really like this; it conveys a considerable amount of information in a relatively compact and elegant way. Just *please* make sure the alternating text is as subtle as possible. Also, I prefer the red / yellow / green color scheme over Firefox's FWIW. :-)

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 3:20 AM by Tom
The problem is that people switching from IE to Firefox will think that secure sites are actually potential phishing sites, and people switching from Firefox to IE will think that potential phishing sites are secure sites! Imagine the confusion!

Other than that major caveat though, the red/yellow/green thing isn't too bad of an idea...

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 3:24 AM by Somebody
Please consider changing "phishing" to "dangerous" or something like that. Besides being less confusing for the average user, it will be easier to translate to other languages.

I agree with those who said that alternating text would be annoying. Just show the subject name; the issuer name will be meaningless for most users anyway.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 5:13 AM by David Naylor
I second Dylans opinion above. Well said.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 6:24 AM by KennyTM~
To me, the descriptive text is too big. Maybe it's better to use "popup text" instead?

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 7:16 AM by Chris H
I like the colour coding method chosen here (although I can see problems when it comes to IE / Firefox users and the yellow status, with one thinking a site is secure, while the other thinking it is a phishing site).

I just wanted to ask if you'd considered adding the colour status to the individual tabs as well? As I feel that would stand out more so as well.

Also, what do the two arrows (which look like they are spinning) next to the security message refer to?

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 7:18 AM by shane
What happens when a site hides the address bar, and places an image of a fake green address bar at the top of the page? (as already done by many scam sites).

Even if a site cannot hide the address bar, having the 'double' address bar, with one green and the other white, a casual glance to the top of the page lets the eye see the green bar, ignores the white, and the user would proceed with a false sense of security.

I know not much can be done about this, but what about colorizing the status bar, toolbars and window frames etc instead of the 'client' area? Too much customization of how the address bar can appear, esp if sites can modify it, harms the standardized way of recognizing safe sites. I hope much of this cannot be changed in IE7, even if it hurts customization of the browser.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 7:27 AM by Ron
I agree that:

a) The colours will cause confusion
b) The alternating text will cause annoyance

Solutions:
a) Don't have a "suspected" state, as it's only determined by a program which is prone to making mistakes. This way you don't have to worry about the colour yellow either.

b) Don't display the name of the company in the url bar. Or leave it there but make it a tooltip, so when you move the mouse over "Identified by Contoso Root", the name of the company displays in a tooltip.

What do you reckon?

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 7:29 AM by EricLaw [MSFT]
<<Also, what do the two arrows (which look like they are spinning) next to the security message refer to? >>

Chris, this is the icon for the refresh button.

<<What happens when a site hides the address bar, and places an image of a fake green address bar at the top of the page?>>

Shane, this is not possible, as noted in the post.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 7:36 AM by EricLaw [MSFT]
<<Even if a site cannot hide the address bar, having the 'double' address bar, with one green and the other white>>

Actually, any site pulling such tricks to phish would rather quickly be blocked by the Phishing filter, so the user won't ever get to this state to begin with.

<<The problem is that people switching from IE to Firefox will think that secure sites are actually potential phishing sites>>

It's probably worth mentioning that the lock will not be visible on a suspected phishing site, so the likelihood of user confusion is relatively lower.

That being said, I think we agree that it would be ideal if colors were standardized across browsers.

# Another visual clue to be ignored?

Tuesday, November 22, 2005 9:18 AM by Brett Merkey
The IE6 SP2 warning strip is often not noticed. I participated in a test in which not one experienced user or developer of our applications noticed the thing. Address bar color is really more of the same.

I agree with a previous remark that doing what you propose to do (force the address bar in application popups) in the context of secure application environments seems senseless and will be a distraction for the user.

Check the repeated misspellings in the screenshots you posted. Can we have any confidence whatsoever that your attention to detail is any better when it comes to programming security?

Brett Merkey

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 10:20 AM by Alex Lein
I prefer the IE7 colours for the address bar. It makes sense, more sense than the Firefox colours if you think about it.

>>What happens when a site hides the address bar, and places an image of a fake green address bar at the top of the page?
>>Shane, this is not possible, as noted in the post.

This worries me a bit though. Firefox puts the domain in the title of the window (before the window title) when there is no address bar. While this pushes the title of the window off the edge in a lot of cases, it's still a less intrusive solution. That way the user can see the domain is the same, but doesn't change the size/style of the popup. For a lot of popups on the sites I manage, we hide the address bar on purpose to a) keep the window style clean, and b) to hide the URL so people don't try to mess with the site (because they do).

If you put the domain in the title, you could still easily throw up a "Warning, suspected phishing site!" page before loading the window's document.
Can you tell us the reason you chose this method instead of the titlebar method?

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 11:26 AM by John A. Bilicki III
I like the color coding system...I think in a previous post a full page warning is issued for suspected phishing websites?

I like the fact that folks from the four major browsers got together and discussed the issue.

AC brings up a good point with Firefox's HTTPS and the yellow address bar but honestly I have to admit I am going to side with Microsoft on this one. Green is associated with go (whereas yellow is associated with HURRY UP GO FASTER BEFORE IT TURNS RED....well in some cities anyway).

How about having the warning in orange then? A little less friendly, not exactly red but not yellow like Firefox's secure site color? Either way I'd like to see some constructive conversation between Moz/MS fans and visitors as in the end it affects us all (whether we're using or fixing someone's computers for example).

"How about letting the developer control the address bar for Trusted Sites or the Intranet Zone? Ditto on the status bar." Matt Sherman

I second that notion; if you're on an Intranet or listed on a trusted site then (and only then) should a site be able to hide the address bar. If for example a popup does cross a high standard boundary a warning page can be in its place regardless (leaving HTTPS perhaps).

While reading the issue of Firefox/IE colored address bar I came up with an idea...shared preferences? Why not to address this issue have a meeting between Moz/MS about having some setting to have the colors coordinated between the two browsers?

I have to drop the hammer down on something that has consistently been inconsistent! The toolbars frankly suck! For the sanity of, "where the heck did my favorites go?", here are some of my mad paint skills to help you guys out with the ...err..needy GUI.

http://www.jabcreations.com/temp/browser_bugs/ie/toolbars.html

# color: whatever

Tuesday, November 22, 2005 11:35 AM by Maurits
I think the cross-browser color difference is overblown.

I don't see a good use for the color green, though.

I can buy the red... and even the yellow. But HTML injection vulnerabilities are just too common to have a "green" state, IMHO.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 12:14 PM by Justin
I also add my disagreement with the use of yellow for suspected sites.

Even if the color yellow in general conveys a sense of warning, I believe it's too late to use it. The Firefox issue is not a small one, but in addition, the color of the HTTPS lock on IE 6 is already yellow as well.

The IE team should have the protection of end users in its heart no matter which browser is being used, and sending mixed signals between different browsers would not be conducive to this.

Overall, though, this is a great feature, and I'm glad we'll be seeing it soon.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 12:29 PM by Rob Franco [MSFT]
Quite a few posters have commented about possible confusion between the gold address bar for HTTPS in Firefox and the suspicious state for the IE7 Phishing Filter. I agree that’s a possible issue and we’ll continue to discuss with other browser vendors.

Folks should bear in mind that most sites will probably not have color-filled address bars in IE7 as described. Today’s ordinary SSL sites will show the lock in the address bar but will not include any color fill.

I want to make sure folks understand our commitment to the experience for visually-impaired users. The color effects in the address bar are just one way for us to highlight the differences between sites. There will be text and icons in the address bar. Eric makes a great point that in the case of a confirmed phishing site or the case of a certificate error, IE will back up the address bar warnings with an error page to help the user.

Matt Sherman and John Bilicki both asked about how the persistent address bar will impact trusted sites and intranet sites. By default the persistent address bar won’t show up for pop-ups in the trusted sites and intranet sites zones. The persistent address bar for pop-up windows will follow the window size and position restrictions security setting. If you’re a desktop administrator, you’ll be able to control this setting through group policy. If you’re a web developer for intranet or trusted sites, you’ll be able to enable and disable the address bar the way that you can today.

As always, thanks for the feedback!
Rob Franco [MSFT]

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 12:44 PM by onezero
I do think that the color thing is good, and I'd agree that it should probably be changed to orange to avoid confusion with Firefox in the near term. The problem I have however is disallowing javascript from removing the address bar in all allowed pop-up windows. I think that displaying the URL in the actual window's title bar for the application is fine. It would be a large waste of space to have the address bar always visible in the popups, and will deter developers from pop-up windows. This will make developers use CSS popups and the like. These are even more annoying to users as their pop-up blockers can not stop this. It will also hurt web application development, and make even casual application developers have to get HTTPS, not an inexpensive proposition to an amateur web developer.

It might be better to have IE control pop-ups in known or suspected phishing sites, but in sites that have no prior security violations, javascript should behave as normal IMHO. How about a little innocent until proven guilty.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 12:59 PM by Mike_J
These are good thoughts but not practical.

The reason is that too many colours make things worse. When we developed the Tablane browser (it is based on the IE engine for now), we tested many colours for tabs, such as Read, Unread, Bookmarked, HTTPS site, Tab with comments, etc. We confused ourselves. What colour represents what? In the end, we got the clue: keep the colour scheme simple and use colour to identify something different, but do not expect the user to memorize it quickly/firmly. If you expect the user to remember it, just one colour for HTTPS is enough.

Comparing with a traffic light seems reasonable, but it is wrong in user interface design. When driving, you must concentrate on the traffic light; there is a built-in risk involved. For so many years we have been taught: red, yellow and green. But surfing the net is very relaxing. It is more concentrated on content. Just signalling an HTTPS site is simple and effective.
The colour usage is not even intuitive. With an icon we know 70% of what it does. With colours, how can we agree that the same colour binds to the same thing (if in a multiple-colour environment)?

It is much better for most browsers to use the similar colour by default, and leave some space to let user customize it under some guidance.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 3:20 PM by EricLaw [MSFT]
<<Check the repeated misspellings in the screenshots you posted>>

Brett, are you referring to the spelling errors in the Phishing examples? Those are taken from actual Phishing sites that have been found in the wild.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 3:26 PM by EricLaw [MSFT]
<<make even casual application developers have to get HTTPS, not an inexpensive proposition to an amateur web developer.>>

Onezero, I'm not sure I understand this concern. Using HTTPS has no impact on the fact that all popup windows will show the address bar.

(It's probably worth mentioning that a "domain control" SSL certificate can be had for ~$20.)

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 4:43 PM by kL
I like how Opera solved pop-ups address problem. I think that's the best solution.

Forcing the address bar to be visible could initiate some over-creative "solutions" to that "problem" and we'll end up with inaccessible, annoying DHTML hacks.


And how about orange for IE and yellowish lime for Firefox?

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 5:32 PM by Chris Mellon
<<
It's probably worth mentioning that the lock will not be visible on a suspected phishing site, so the likelihood of user confusion is relatively lower.>>

I'd like to get a clarification on this - the lock is not shown for a site (with a cert, and a working HTTPS connection) that the phishing heuristic flags as suspicious? Will this be a problem for the (somewhat common) sites like Wikis or forums that use self-signed certs?

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 5:43 PM by Mark M
With Firefox(1.5RC3) the address bar colour can be changed by the theme. The current theme I am using has green as the colour for https.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 5:51 PM by Roe McBurnett
Folks, Thanks for thinking of us colorblind users. I am red green colorblind and I could not easily distinguish between the Green and Yellow toolbars.

The real important thing to remember is that colorblindness is not standardized. Each of us see a different palette. I propose that the color displayed be a user adjustable value so that a colorblind user can set it up to best meet his/her needs. After all who would know best what colors to use?

In addition, the default colors need to be selected with an average color blind person in mind so that customization is not always needed. There are many sites that discuss ways to accomplish this.

While a standard is great, remember one size does not fit all. Let's standardize on a set of HOOKS that still allow the user to do customization when needed!!

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 5:57 PM by EricLaw [MSFT]
<<Will this be a problem for the (somewhat common) sites like Wikis or forums that use self-signed certs?>>

Actually, for a self-signed certificate, this scenario would show up as a red/blocked navigation unless the user explicitly added the site's certificate to his trusted store.

# Don't change to orange!

Tuesday, November 22, 2005 6:34 PM by Bob
Stay with Green, Yellow and Red. Those are WORLD standard colors! Firefox isn't God!

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 6:36 PM by Deren Smith
One suggestion I have is to change the text Phishing to Dangerous. This way you don't have to worry if the user understands the term "Phishing". I know if I saw a red URL field with the word Dangerous, it would sure catch my attention quickly vs. the URL field displaying Phishing.

When the URL field shows that a site is safe, why not just tell the user exactly that. Right now you have the URL field showing certification information about the site. I personally like how it shows certification information, but the average user isn’t really going to care about that and will probably get confused over it.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 7:24 PM by Jason
Nice ideas.

I'm wondering really though why firefox is an issue. The GOLD/YELLOW colour is the CURRENT STATE in firefox for SSL Encrypted sites.

That remains the same with this new scheme, with the addition of the GREEN for properly verified and configured SSL sites.

So nothing has actually changed here for firefox.

The new user education task is that you should only trust sensitive / confidential information to GREEN sites. Hopefully banks / paypal / ebay etc. can send out some straightforward flyers or something to their customers. - Although I doubt it! The people who are targeted most by phishing seem completely oblivious to any technical measures available to help reduce the problem.

Jason.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 7:38 PM by Calzones
This is great thinking, but I'm not sold on the conclusions.

People have brought up the color confusion issues, the color clutter issues, and there is also the question of what happens when you have the address highlighted.

No one has pointed out, however, that the ill-intentioned of the web always stay a step ahead of stuff. If their address winds up on a blacklist somewhere, they'll hop to a new one. Users accustomed to relying on the color coding will think they're safe when they reach a site that hasn't yet been blacklisted.

I think the better idea is to keep the color coding, but only one color (red? orange?)... Use it both where you now propose to use red and where you now propose to use yellow. This would then apply freely to all browsers without regard for what yellow might mean in one versus another. Users would need to be trained to recognize that this new color (red/orange) means the site in question has triggered sensors and is suspect. Users should be advised to not put all their faith in the color coding; the warning is simply a guess based on a low threshold of probability. Throw in a "percent suspect" so people can judge for themselves.

This same logic should be applied to any links that point to suspect urls. Set the default threshold to 50% or something, let the user adjust in their options/preferences for higher or lower sensitivity. When triggered, you get a warning after clicking the link and you can cancel or proceed. Same goes for meta-refresh.

Finally, do not force the address bar to appear on windows EXCEPT when the user is on a site that has exceeded the same threshold set above OR when the popup is from a domain that is different from the parent window.

As for the issue people are fearing with DHTML: allow users to right-click on and close any div layer having a z-index (or having had its display updated from none to not none). When the mouse hovers over any such div, it should receive an outline as feedback to the user that this is a user-closeable element. This would only create an issue for developers who check the div-state to make assumptions about some variable or behavior on the page. Easy to work around.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Tuesday, November 22, 2005 8:11 PM by Terence Mackie
Thank you for the heads up on developments in Anti-Phishing. As a web application developer I feel that the work done recently, and the openness about it, has been nothing but very positive.

While I think the colouring of the address bar is a great idea, I believe it needs to be implemented consistently across all browsers, otherwise it will cause more confusion than benefit. Which is why the discussion you've just talked about is so important, and such a good sign that it has occurred.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Wednesday, November 23, 2005 2:32 AM by Andre
I like the color schemes. However, how about for green, to make the color gradient. From the left of the URL bar a more solid green fading to a lighter shade at the far right of the bar. In this way those who are color blind could see a secure site without having to read the secure site caption. At the same time, those who can see color would not be annoyed by a solid green color extending all the way across the bar.

--Andre

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Wednesday, November 23, 2005 4:58 AM by Sjoerd
I think that the colour scheme doesn't matter. The idea behind this is absolutely good. I like the fact that MS is thinking about ideas to make the internet a safer place, especially since criminals are more and more interested in making money by cheating unsuspicious (and sometimes ignorant) users. Good idea!

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Wednesday, November 23, 2005 5:56 AM by Viktor
While disallowing web sites from hiding the address bar using javascript (with the exception of pop-ups) is a good idea, the user should have the flexibility to resize, move or even hide the address bar (independent of the tab bar). This was a major improvement over other browsers in IE6 and earlier.

I am suggesting this because I have developed an alternative address bar for IE6. But think also of the following usage scenarios that rely on hiding the address bar:

* saving real estate (for example in pop-up windows)
* restricting usage (disallow users to enter URLs)
* user is not interested in the address (think of kiosk mode when no keyboard is available)
* using a 3rd-party toolbar for navigation
(like the Google or Quero Toolbar)

Viktor

# Colours - Firefox and yellow

Wednesday, November 23, 2005 7:38 AM by Richard
Firefox is already using yellow for secure sites - and it works really well. I look for this yellow rather than looking for the padlock icon. That said - I wouldn't mind if it becomes green across all browsers and these colours were to be standardised. Showing the company name, now we have more screen real estate to show it in, also makes sense.

Another nice feature is a warning if you use a URL with an embedded username and password and the site on the other end does not require authentication - this being a common trick with phishers, but presumably one they can fix once detection becomes commonplace.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Wednesday, November 23, 2005 12:45 PM by LRA
Colours are a great idea; stay with red, yellow, green. The Firefox lovers will always complain, tell you to look like Firefox, and if you do, say you're just copying them. I use Firefox and IE (though I have a feeling that with IE7 I will go almost fully to IE7 when it goes gold).
The first time I saw yellow in the address bar in Firefox, I thought Firefox was trying to warn me. Yellow = caution/warn. I soon realized it was not supposed to be a warning but reassurance, but even today when I go somewhere and it goes yellow, I have a slight reaction of "wait, is this secure?" before my knowledge of Firefox sinks in and I know Firefox messed up with its colour choice to represent secure.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Wednesday, November 23, 2005 1:08 PM by Serious Sam
Hi guys

I know you're probably getting sick and tired of the articles that I seem to keep coming up with, but I'd still like to throw this one your ways - plus it's kinda relevant here (it's an article on security anyways): http://uk.news.yahoo.com/23112005/80/consumers-underestimate-computer-virus-threat-bt.html. It's pretty much about what the link suggests, saying that people aren't taking the security issues on the net seriously enough thinking: "that the threat is less than it is and the protection they have is better than it is". Now an article like this is always worrisome, but honestly it doesn't surprise me.
So anyways, my point is: security, security, security - since people apparently aren't willing to pay for decent security software, then I'd say that it is now doubly important to make your browser as safe as it can be.

Thanks. Now off to find more articles, lol.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Wednesday, November 23, 2005 2:51 PM by Scott
My suggestions:

1 - Let users choose their own colors for each status, including an option for no color. Also, as you currently do when visiting a secure site, popup a dialog describing the status change, with an option to change color scheme, as well as an option to not show the dialog again.

2 - Don't rotate text for SSL identification. Personally, I say just show the icon, and let everything else be in a tooltip or dropdown. Otherwise just show the CA, and company name and cert details are in tooltip/dropdown.

3 - Allow the user to control what sites can show/hide the address bar, menu, status bar, etc. You already have the zones (Internet, Intranet, Trusted, etc.). There are valid applications where it is best that this info not be available to the user, and in most of these cases this is for the benefit of the user themselves.

# It's all about configurability!

Wednesday, November 23, 2005 3:20 PM by Melissa
First of all Thank You Microsoft for all your efforts to fight cyber crime.

It's all about configurability!

Most of the issues addressed here could be solved by giving the user customizable options.

Allow the user to select their colors of choice, with red, yellow, and green as the default. Maybe add blue for intranet sites.

I like Brian's idea about not coloring the entire URL, but just the explanatory text.

No blinky blinky. Make it a hover or tooltip.

Allow the user to turn off the feature entirely.

I don't like popups that hide the location. I normally bypass this by typing CTRL + N. Why not go ahead and HIDE the URL, but have a cute little button that the user clicks to HIDE/SHOW the URL?

Allow the user to bypass the blocking error page - just in case they have a valid reason for visiting that page (like if the Phishing software is wrong about a particular site).

Calzones pointed out that the phishers hop domain names frequently. Can you create a color or symbol for a domain that is less than six months old? Will you be doing screening based solely on domain names or also on IPs or some other criteria? Are you going to disable active content on the red and yellow sites? And I like Calzones' other ideas about percents and thresholds and applying them to links.

And it seems everyone is forgetting that restricting free usage of the client (resizing windows - viewing address bars - typing in URLs) goes against the original spirit of the internet. It's an open platform to share information. It's like having someone micromanage your visit to the public library. Popups without address bars are like reading books without being allowed to see the title and credits.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Wednesday, November 23, 2005 3:31 PM by Jamie
I agree in part with Calzones. The yellow bar is confusing, and red should be used. I also like Melissa's idea about being able to show a hidden URL bar. Maybe use a collapsible bar, so that "hidden" really means "collapsed".

Perhaps the following can be used:

* Known phishing/unsafe site: Red URL bar + confirmation page before allowing site access. URL bar may not be hidden/collapsed from code.

* Possible phishing/unsafe site: Red URL bar only. URL bar may not be hidden/collapsed from code.

* Confirmed "good" site: Green URL bar. URL bar may be hidden/collapsed from code.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Wednesday, November 23, 2005 3:45 PM by Iang
Although the colours are a great improvement over nothing at all, there are better ideas. You should look at the Petname and Trustbar ideas for inspiration if the goal is to address phishing.

Also, be aware that we are moving to direct attacks on certificate authorities, the scene is now set for phishers to use real certs, which will give rise to a new category: valid cert but reported as phishing site.

Further, any statement made by the browser based on the cert lacks foundation unless the statement says which CA made the cert. Without the CA being presented on the chrome somehow, the browser is subject to substitute-CA attack, and all the validation ideas will fall to that if it is worthwhile enough. Users don't buy house insurance from Joe's Diner, so why would they accept a cert (or a statement) from some random CA that operates two continents away?

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Wednesday, November 23, 2005 5:14 PM by Darrell Shandrow
Please make sure that all these color coded address bars include sufficient accessibility for the color blind, the blind and the visually impaired. Make sure that, along with colors, text shows the bar's status. It seemed this would be the case for red and yellow, but saw no such indication for green. Please don't forget about us!

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Wednesday, November 23, 2005 5:23 PM by Byron
How about changing the color scheme to follow the U.S. Homeland Security Advisory system of Red, Orange, Yellow, Blue and Green?

http://www.dhs.gov/dhspublic/display?theme=29

Red - Severe risk of phishing attack

Orange - High risk of phishing attack

Yellow - Elevated risk of phishing attack

Blue - Guarded risk of phishing attack

Green - Low risk of phishing attack

This includes the term "severe" and the color "orange" from prior suggestions. Oh and for those in the U. S. of A. I want YOU to have a happy and safe Thanksgiving?? (-:

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Wednesday, November 23, 2005 5:49 PM by Crystal W
I suggest you use an actual bright red, rather than the pastel pink in the example. Pink is soothing and calming and reassuring, not at all indicative of the level of concern you wish to provoke in users when visiting a phishing site.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Wednesday, November 23, 2005 10:37 PM by EricLaw [MSFT]
<<Another nice feature is a warning if you use an URL with embedded username and password >>

Internet Explorer has prohibited this syntax for HTTP(S) URLs for over a year. IE7 continues to prohibit this syntax, and such URLs will not navigate.

Melissa-- The user may opt to ignore the phishing blocking page and navigate anyway. A persistent red warning will remain in the address bar while on the alleged phishing site.

Iang-- Petname is a really interesting idea, but I'm not convinced that this is the simplest route to take for most end users. IE7 does expose new APIs which should make it much easier to write a Petname plugin for IE.

Note that reported phishing sites are blocked, even if they bear a certificate. Furthermore, because we are turning revocation checks on by default in Vista, a phisher's certificate will likely be revoked shortly after the site is flagged as a phisher.

As you noted, it's important that we show the name of the CA who identified the site, and hence we do so in the top-level IE chrome.
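The "embedded username and password" trick that Richard raises and EricLaw answers above is worth seeing concretely. The following is an added example, not code from the IE team or from any commenter: it parses http(s) URLs with the WHATWG URL class that ships with Node.js, shows which host the browser would actually connect to, and refuses URLs carrying userinfo the way IE does. The hostnames and the 203.0.113.7 address are constructed sample values.

```javascript
// Added example, not code from the IE blog post or its commenters.
// An http(s) URL with "userinfo" before the '@' reads like one site but
// connects to another: in "http://www.example-bank.com@203.0.113.7/" the
// bank name is the username and 203.0.113.7 is the host. IE refuses to
// navigate such URLs; classifyUrl() makes the same decision.
// Only the WHATWG URL class built into Node.js is used.

// Classify one URL. Returns { blocked, host, userinfo, reason }.
function classifyUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return { blocked: true, host: null, userinfo: null, reason: "unparseable URL" };
  }
  // The trick only matters for HTTP(S); schemes such as ftp carry userinfo legitimately.
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return { blocked: false, host: u.hostname, userinfo: null, reason: "not http(s), not checked" };
  }
  if (u.username !== "" || u.password !== "") {
    // Everything before '@' is userinfo, not the host. The browser connects to
    // u.hostname, which is the part a victim is least likely to read.
    const userinfo = u.password ? `${u.username}:${u.password}` : u.username;
    return { blocked: true, host: u.hostname, userinfo, reason: "credentials embedded in http(s) URL" };
  }
  return { blocked: false, host: u.hostname, userinfo: null, reason: "ok" };
}

// Constructed sample URLs (hypothetical hosts; 203.0.113.7 is a documentation address).
const SAMPLES = [
  "https://www.example-bank.com/login",
  "http://www.example-bank.com@203.0.113.7/login",
  "http://www.example-bank.com:443@203.0.113.7/login",
  "https://user:secret@example.net/private",
  "ftp://ftp.example.org/pub/",
];

// Run the check over every sample; returns one result object per URL.
function scanSamples(urls = SAMPLES) {
  return urls.map((raw) => ({ url: raw, ...classifyUrl(raw) }));
}

for (const r of scanSamples()) {
  console.log(`${r.blocked ? "BLOCK" : "allow"}  host=${r.host}  ${r.reason}  ${r.url}`);
}
```

The third sample shows why a naive "does it contain a colon and a port" heuristic is not enough: `www.example-bank.com:443` parses as username `www.example-bank.com` with password `443`, and the host is still the attacker's address.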

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Thursday, November 24, 2005 12:52 AM by Berkwins
Great Idea of using color in address bar.
Since some have colour blindness, we can also consider the idea of putting a 'tick' mark, 'cross' mark and 'question/exclamation' mark in the address bar.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Thursday, November 24, 2005 1:06 AM by Angela
I'm sorry to post this here. But I can't think of any other ways to find out the answer. It might be out of the topic but please.. Help me if possible.

IE used to be able to surf RTSP links. However, IE now is unable to surf RTSP links. Why? And is there another way to surf RTSP links? It is because we need to do this RTSP thing; however, we realise that it is impossible now, thus causing us to have difficulties in continuing our research.

Thanks.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Thursday, November 24, 2005 2:34 AM by Lordmike
@IE Team
If you haven't done this already, can you please make sure that it isn't possible to make a window "fixed?!". I want to be able to maximize _all_ windows, even popups.
Also please remove the option to be disable right click. There are lots of ways to get around this.
Do not allow webmasters to hide the address bar in popups. I hate it when I don't know where I'm surfing.

Whenever someone comes with a new hack to get around this, then please try to update it via windows updates when you know about it and have tried it on all language versions.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Thursday, November 24, 2005 4:41 AM by morgoth
Well, as a long time Mozilla and Firefox user (in fact I don't run Windows at all) I say: that IE7 colour scheme is a great idea. I hope that other browsers will use it too. To me this makes a lot of sense and would add real value to user experience. Maybe using yellow for https-connections in Firefox/Mozilla was not a very bright idea - green might have been much better. But changing that shouldn't be a major problem - neither for the developers nor the users.

# Cool! And compare to TrustBar - these and other ideas on FF

Thursday, November 24, 2005 4:46 AM by Amir Herzberg
TrustBar is a FireFox extension that already (and for a while already) implements several of these ideas, and others. In particular, it supports both `petnaming` of a site, i.e. to assign a name (or, with TrustBar, a logo) to a site, and also display `Identified by` and the logo (or name) of the organization and of the CA, like IE 7. You can install it via http://AmirHerzberg.com/TrustBar.

TrustBar is the result of a secure-usability study by Ahmad Jbara and myself, and has some other mechanisms, including random `exercise training attacks` to help users stay trained to watch for the name/logo of the site. (I must admit that this mechanism is now set for too frequent `exercise attacks`; we will improve this in our next release very soon, but you can also reduce or eliminate this using the user interface, of course).

We are very happy to see some of this research adopted by browsers. We have some more ideas we are investigating, and would love to cooperate with any browser developers to help improve security indicators. TrustBar is an `open source`, public domain project.

BTW, I also had a student working on an IE version of TrustBar, but it didn't work well. He used IE 6 and couldn't get the certificate for the page.

Best, Amir Herzberg

Assoc. Prof., Dept. of Computer Science, Bar Ilan University
http://AmirHerzberg.com

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Thursday, November 24, 2005 5:50 AM by Phil Green
Don't break existing functionality in the name of "security": If a popup requests that any chrome is not required, honour that request just like the web has for the last decade. This means that intranet and certified valid sites display just as they always have.

However...
If the address is denoted as invalid, then override the behaviour. After all, a big fat address bar on the screen littered with "This site is not what it says it is" type messages, etc., is perfectly reasonable and can hardly be missed by the user.

As to the colours: A site is either valid or it isn't. Don't confuse the issue by having a "possible" option. Yellow works fine for me on FF as it clearly isn't white. Having yellow as a "we're not sure" will just annoy and confuse.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Thursday, November 24, 2005 6:58 AM by Branko
From Frank Hecker (see link above):

<<Microsoft’s proposal provides more visibility for the CA issuing an extended validation certificate than is present in most current browsers (which to display the CA name typically require an extra user action like clicking on the lock icon or moving the cursor over it). Besides making users more aware of the role of CAs, this provides CAs with an opportunity to do the sort of brand-building mentioned in my previous post, and to that extent offers an incentive for CAs to participate in the market for extended validation certificates.>>

Some comments state, that a tooltip should be used, instead of rotating the CA's name in periodically. I think, that Franks words really have merit. If we want to make the web secure, it takes efforts, and compromises from all: the industry, the browser vendors and the users. So I will gladly accept some rotating info in my address bar, if that gives the CA industry the incentive to adopt the stronger rules. In the long run, I think this will pay off.

So to Microsoft I say:
You are on the right way, and a little more farsighted than some of the people who have commented here. My congratulations!

Branko

--------
If you find spelling mistakes, you can keep them. They are there for free!

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Thursday, November 24, 2005 7:54 AM by Iang
Eric, yes, I had missed the CA name being rotated, thanks for the polite correction!

Your comment on "the simplest route for users:" Any security system that doesn't involve humans is generally considered weak against a motivated attacker. This is as true in software security as it is in building alarms and military defence.

Unfortunately, there is a common misconception that browser users will do nothing to protect themselves. This dates back to the beginning of the browser security model days when users almost universally ignored all the security warnings, and anything on the chrome that spoke of security. The resultant "wisdom" was that our users have to be given a security system that does so without their participation because they won't participate in their own security.

But the users were right and the security community was wrong. In those days there was no threat and the users knew it. So the users did the economic thing - they simply ignored the security system because it was not providing any security.

Now things have changed, we've had mainstream phishing for about 3 years now, and the browser community is having to respond (better late than never). The users are already well ahead and are learning how to deal with it, including not to use browsers for banking (so the surveys would have it).

Again, the users are right, and the security community has to re-learn. Users will participate in securing themselves - when there is a good reason like phishing. The petname idea is small, easy to implement, and gives tremendous bang for buck, more bang than the shared phishing reporting idea that Microsoft and Comodo have implemented. It's really easy to explain to your grandma by showing her how it works; it is no more complicated than anything else to do with entering URLs in the browser.

Check out Trustbar and Petname toolbar - they both implement the idea. Petname toolbar is simplistic - it just does the petnames idea. Trustbar is more complex and shows good ideas on how to integrate with other things like the shared repository of phishing info.
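To make the petname idea and Iang's earlier "substitute-CA attack" concrete, here is an added example that is not code from the Petname Toolbar, TrustBar or IE7. The user names a site once; on later visits the name is shown only when the site presents the same hostname under the same issuing CA, so a look-alike domain shows no name and a certificate for the right hostname from a different CA produces a warning instead of a green bar. The certificate objects, hostnames and CA names are constructed stand-ins for fields a browser would read from the server certificate.

```javascript
// Added example, not code from the Petname Toolbar, TrustBar or IE7.
// Minimal petname check: the petname is bound to (hostname, issuing CA),
// so a certificate for the same hostname from a substituted CA does not
// silently inherit the user's trust. Certificates are plain objects with
// the two fields this check reads (hypothetical values throughout).

class PetnameStore {
  constructor() {
    this.byKey = new Map(); // "hostname|issuer" -> petname
  }

  static key(hostname, issuer) {
    return `${hostname.toLowerCase()}|${issuer}`;
  }

  // Record the user's chosen name for the site as it is presented right now.
  assign(hostname, issuer, petname) {
    this.byKey.set(PetnameStore.key(hostname, issuer), petname);
  }

  // All recorded entries for this hostname, whatever the issuer.
  issuersFor(hostname) {
    const prefix = `${hostname.toLowerCase()}|`;
    const out = [];
    for (const [k, name] of this.byKey) {
      if (k.startsWith(prefix)) out.push({ issuer: k.slice(prefix.length), petname: name });
    }
    return out;
  }
}

// Decide what the chrome should show for one visit.
// Returns { status, petname, message } with status one of
// "known", "unknown", "issuer-changed", "cert-mismatch".
function checkVisit(store, hostname, cert) {
  // A real browser matches the hostname against the certificate's SAN/CN list;
  // simplified here to a single subject name.
  if (cert.subject.toLowerCase() !== hostname.toLowerCase()) {
    return { status: "cert-mismatch", petname: null,
             message: `certificate is for ${cert.subject}, not ${hostname}` };
  }
  const exact = store.byKey.get(PetnameStore.key(hostname, cert.issuer));
  if (exact !== undefined) {
    return { status: "known", petname: exact, message: `${exact} (identified by ${cert.issuer})` };
  }
  const others = store.issuersFor(hostname);
  if (others.length > 0) {
    // Same hostname, different CA: this is what a substituted certificate looks like.
    return { status: "issuer-changed", petname: null,
             message: `you named this site "${others[0].petname}" under ${others[0].issuer}; today it is identified by ${cert.issuer}` };
  }
  return { status: "unknown", petname: null, message: "no petname: you have not named this site" };
}

// Constructed walk-through: one named site, then four visits of differing kinds.
function demo() {
  const store = new PetnameStore();
  store.assign("www.example-bank.com", "Example Root CA", "My bank");
  const visits = [
    ["www.example-bank.com", { subject: "www.example-bank.com", issuer: "Example Root CA" }],
    ["www.example-bank.com", { subject: "www.example-bank.com", issuer: "Joe's Diner CA" }],
    ["www.examp1e-bank.com", { subject: "www.examp1e-bank.com", issuer: "Example Root CA" }],
    ["www.example-bank.com", { subject: "login.example-bank.com", issuer: "Example Root CA" }],
  ];
  return visits.map(([host, cert]) => checkVisit(store, host, cert));
}

for (const r of demo()) console.log(`${r.status.padEnd(15)} ${r.message}`);
```

Note that the fourth visit fails before any petname logic runs: a certificate whose subject does not match the hostname is rejected outright, which is the browser's ordinary check and is independent of which CA issued it.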

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Thursday, November 24, 2005 8:05 AM by Huygens
Will IE 7 still use the Revocation information provider API for automated OCSP checks on websites ssl certificates ?

cf http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/rpcrypto.asp?frame=true

How will the results be displayed by IE 7 ?

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Thursday, November 24, 2005 12:51 PM by Alfonso
Everything to avoid scammers is good, but think about all the sites that use popups without navigation bar because they are just a helper window or the like, putting an address bar and cutting part of the content as happened with the status bar isn't nice.

You can put the url in the status bar (and block changes of status bar in popups), in the title bar like Firefox does, and even provide an easy way like Opera does to bring back the navigation bar, remember that in some situations the navigation bar isn't useful and just showing that info in another place wouldn't be bad.

Or if you force the navigation bar to appear then resize the window properly so the content has the same height as it would have had without the navigation bar. Please!!!

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Thursday, November 24, 2005 4:16 PM by Victor
Well guys... I can see here Microsoft fans only... With some sugar and honey on their mouths... "Oh, lovely colors, Microsoft! Love them!".

The only good thing about this is that Microsoft was staying on one table with Konqueror, Opera, Mozilla. For the first time we don't see things like "We are the only one!". Because you're not.
And if this comment will stay here /I suppose someone will delete it/, please guys! Begin to produce more normal products like browsers and operating systems. Please!
I hope someone will read it!
Have a nice day! And a lots of luck, using IE and Windows :)

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Thursday, November 24, 2005 9:24 PM by Xepol
No question, if I was to use the phishing filter, that would be effective and look good.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Friday, November 25, 2005 8:22 AM by TheTOM_SK
To Victor. Well, I use IE, antivirus and firewall, no realtime antispyware and for about 2 years I got 0 infections, so why should I change?! ;)
By the way, it would be nice if it were possible to turn off the colouring of the whole link (that is good for newbies). The colouring of the square behind the link is noticeable enough. As I have heard, in IE 7 beta 2 the Favorites menu will be put above the tabs; such a pity, it would be great if its position were changeable.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Friday, November 25, 2005 4:05 PM by LinWinOverlord
To all those who design the Internet Explorer 7 Browser... Although I am not one who can use the browser (it really is a pity, I like actually testing stuff and then bashing bad things about it >:) I applaud your determination to try to bring IE up to snuff... However, you cannot say that IE is really secure until you offer people the ability to have the OS run standalone from the MSHTML/IE engine... Also, ActiveX should not be permitted to run directly onto the system unless it has a special cryptographic code attached to it in several forms in order to maintain genuine code from ONLY Microsoft Corporation (I know that the system's update function requires ActiveX controls)... Give some thought to changing the rules of ActiveX... Also I want to congratulate Microsoft for actually attempting to satisfy the customers' requests for stability, security, and overall clean, streamlined, and backward-compatible OSes... Maybe Microsoft will now restart their IE for UNIX? (Goes to catch some flying pigs)

# Idea about address bar

Saturday, November 26, 2005 2:00 AM by DanaG
I forgot where I saw this idea first.
The idea was to make popups have a different style of address bar. Make an alternate, slim, read-only address bar that looks perhaps more like the status bar than like a text box.
That way you can still see the URL but it's unobtrusive

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Saturday, November 26, 2005 7:32 AM by EricLaw [MSFT]
Angela-- The RTSP protocol isn't provided by IE, but rather by a plugin to IE. Perhaps RealPlayer or QuickTime was removed from your system?

Amir-- The new API we've added in IE7 will make it much easier to get the certificate for the page. Of course, as noted above, any mechanism which displays logo/O information out of current certificates is potentially problematic (if the information in certificate hasn't been strongly validated by the issuer).

Iang--

<<Any security system that doesn't involve humans is generally considered weak against a motivated attacker>>

True. Of course, there's always a balance; much of security literature notes that humans are very often the weakest link.

<<The petname idea is small, easy to implement, and gives tremendous bang for buck>>

I'm in agreement that it's a clever and potentially powerful tool; I'm not sure I agree that it's more valuable than the Antiphishing service.

I spent some time talking to Tyler Close about his implementation at Blackhat this year. I'm optimistic that the new API we've added that allows plugins to grab the page's certificate will quickly lead to an IE plugin for petnames.

Huygens-- Revoked certificates will result in a blocked navigation and a full-page error notification.

Alfonso-- I believe that the window size calculations are updated to prevent inadvertent truncation of popup content.

Victor-- No one's going to delete your comment, although if you could elaborate on what you mean when you say "normal products" it might be more meaningful.

LinWinOverlord-- All versions of IE have the ability to block installation of ActiveX controls. Simply click the option in Tools | Internet Options | Security.

DanaG-- For what it's worth, I know that Opera does this. We're taking various measures to make the mandatory minimum addressbar unobtrusive.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Saturday, November 26, 2005 10:51 PM by LinWinOverlord
@Eric

Of course that is there, but do you think the average user knows about all the nooks and crannies of the system? Or even just IE? ActiveX controls can still run, but in order to access the computer, they should require special cryptographic keys for access permissions along with Administrator permission... That ensures greatest security... Of course that could be made optional... Also, you should move IE's info bar to somewhere that is locked in place because as I am browsing in FIREFOX, I saw the IE info bar appear just below the bookmark bar to install "ActiveX controls" from Yahoo!.... Maybe merge info bar with a locked status bar at bottom of screen that turns Dark Blue with white text for info bar...

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Monday, November 28, 2005 4:48 AM by Quit Smoking
It amazes me how many people still fall for phishing attempts when I'm doing awareness training.

It will be good to have something that can combine education with prevention.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Monday, November 28, 2005 6:12 AM by Joe
Any word on when BETA 2 will be released. I'm not a tester.. but i've got several projects on the go which i'd like to test in IE7.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Monday, November 28, 2005 7:27 AM by Lordmike
Joe
7th december is the date that I have seen for Internet Explorer Beta 2.

I hope that the IE team can deliver on the so far scheduled month of march 2006. :)

# images don't show

Monday, November 28, 2005 7:32 AM by vz
Images don't load, the server just waits doing nothing, so downloading the images eventually fails on timeout.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Monday, November 28, 2005 10:30 AM by EricLaw [MSFT]
<<Images don't load, the server just waits doing nothing, so downloading the images eventually fails on timeout.>>

Sorry about that. Through a quirk of our current blogging system, images are hosted on a different server which has been having problems since yesterday. We've notified the operations team.

For the moment, you can see an archive of the images here: http://www.fiddlertool.com/certs.png

# Veering off-topic

Monday, November 28, 2005 11:37 AM by Media Guy
Will IE 7 provide any specific support for podcasts, vodcasts, or torrents?

# Other vendors

Monday, November 28, 2005 11:45 AM by Craig Ringer
It's great to see you folks working with other browser vendors. I expect that'll benefit everybody.

I'm also really happy that you'll always be showing the address bar. I've long found the ability of websites to disable browser functionality to be an incredibly annoying usability problem - especially when the browser doesn't let you (e.g.) right click on the title bar for options to re-enable the nav bar, address bar, and so on. There are legitimate reasons to hide these UI elements by default, but I see no reason the user should not be able to bring them back.

If the user could right-click in the address toolbar to get a menu giving them the ability to re-enable the other toolbars, that'd be very nice indeed.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Monday, November 28, 2005 1:01 PM by EricLaw [MSFT]
<<Will IE 7 provide any specific support for podcasts, vodcasts, or torrents?>>

IE hasn't announced any plans to natively operate on torrents, although, of course, existing torrent plugins for IE should continue to work.

As for *-casting features, you might take a look at our RSS team's blog: http://blogs.msdn.com/rssteam/default.aspx

# Other ways to identify good/bad sites

Monday, November 28, 2005 3:16 PM by Brian
From what little I have read, it appears that the "colors" and other notification mechanisms proposed and debated here come from a hosted repository of known phishing sites or if a site has a suspicious SSL certificate. Is this the gist of the various proposals?

If so, does this go far enough or are there a few other techniques that can be used to minimize risk when a site/URL has yet to be "graded/rated" or if the naughty site is not using SSL in guarding form posts?

And are we putting too much burden on CAs to manage more than whether the identity of a web site has been stolen? Since the identity of the content is much stronger than any URL, does this mean that a CA has to inspect the pages of a site in addition to the owner and location of the site to make sure it isn't infringing or copying another?

Some people suggest that navigating to domains that have been up for only a short time (or have no registered DNS name - IP address only) should result in a warning. While this might help a bit, it won't be long before an evildoer will figure out how to hoard domains and "ferment" them much like one would age a wine.

Has there been any thought or discussion amongst both the browser world and the http server world on other techniques for identification of sites in the absence of SSL?

For example, is it time to resurrect PICS and use signed labels to rate sites? One could then use PICSRules to filter them, color them, or iconify them in various ways (with good defaults, of course). The idea being that a site must create a label that describes it (mostly meaningless unless site filtering becomes popular) and then sign the label. The lack of such a label makes a site suspect. A signed label that isn't signed by a trusted CA gets a big warning. A label that is not properly signed (likely stolen or missing a signature) gets a big error.

Obviously, there are other ways to do this, but at present, outside of SSL, there is no way for sites to actively support the rating and securing of their content/brand/images other than using SSL properly and hoping you guys treat them nicely.

# re: Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Monday, November 28, 2005 6:22 PM by David Conrad
I'm glad MS is being bold and working from a clean slate when thinking about the colors, rather than being limited by what is already out there. And kudos for working with the other browsers. But the confusion over yellow will be real, and I would propose addressing it by building consensus around red/yellow/green, and then phasing in the rollout as follows:

If Firefox, Opera, and Konqueror can get green in, in the near term (say, for Firefox, in 1.5 or 1.5.1), then IE7 can be released with the new color scheme.

But let's say that it will take longer for adoption by the other browsers, or we want to have a delay to "cleanse the palate" of the users, give them time to upgrade, and let them forget that yellow used to be good. IE7 could be released with red and green, but leave the suspicious sites white for the time being. Then, when the time was ripe, a minuscule Windows Update could activate the dormant yellow in IE7.

Re yellow - it was chosen to match the lock icon, but red/yellow/green is a powerful meme.

Re rotating the CA - this is good; users initially won't know Contoso from Callahan's, but they will become accustomed to seeing a particular name alternating with the name of their bank. But it must be noticeable without being demanding (of the user's attention)!

I want to second what Craig said: give the user a way to get the chrome back (and restore resizability and scrolling) in ANY popup.

Eric: I think the typo Brett was referring to may have been "bellow" for "below&q