SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

re: SSL, TLS & a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

AGMW — Wed, 18 Oct 2006 20:35:46 GMT

At what time can we expect Final to be released by Microsoft? Yahoo has already released their optimized version for Final!

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

sonu27 — Wed, 18 Oct 2006 21:06:03 GMT

Yeah, please release it as soon as possible, I do have to go to sleep, but I want it today. I'm in the UK.

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

F. Gaertner — Wed, 18 Oct 2006 21:14:59 GMT

And I live in Germany. Here it's now 8pm but in Redmond it's 11am (nearly 13 hours remaining, until October, 11th ;-)).

Web.de and some other pages say, that the IE7 is already released - but always with the "warning" that IE7 _RC1_ only works on XP SP2. So, this isn't the final, is it? Why do they tell "lies"? That's stupid.

OK, let's wait... Maybe Bill Gates is sleeping until 12pm :-/

Grettings from Germany

F. Gaertner

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Fduch — Wed, 18 Oct 2006 21:44:32 GMT

As I always said: the testers are the last to get the products.

When I was testing Windows Vista there were situations where you could get working Vista from some illegal server or wait days before it appears on connect.

Now we see how important for Microsoft Yahoo users are. They are much more important than Microsoft customers. I know this strategy. You do everything to attract new customers while forgetting about their existing customers. ("They are already our customers. They are unlikely to run away.")

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Marc — Wed, 18 Oct 2006 22:20:38 GMT

Will you include a registry setting to change the handling of mixed content from the default to the more secure method you reverted from with RC1?

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

joe user — Wed, 18 Oct 2006 22:33:14 GMT

IE 7 is out. Yahoo is bundling it here. You can manually unbundle it and just get IE 7 if needed.

http://downloads.yahoo.com/internetexplorer/index.php

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

sonu27 — Wed, 18 Oct 2006 22:35:34 GMT

You can download the Yahoo version, then using WinRAR extract the IE7 setup, without the branding. But I would rather wait for the offical version.

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Baowoulf — Wed, 18 Oct 2006 22:47:20 GMT

Weird. I would have thought that Microsoft wouldn't let any third parties release it's browser until after it had already official released it.

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Jerry — Wed, 18 Oct 2006 22:51:34 GMT

Thats just crazy the Yahoo has IE7 before Microsoft does. I have been waiting all day to get it pushed it out.

/Shame/Shame

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Michael W — Wed, 18 Oct 2006 22:57:12 GMT

I have to agree with the last post . But then i like the fact that yahoo as it on there website for full download . But like this last post was saying . I'm going to just wait for it in the windows updates.

ieblog.com

steve — Wed, 18 Oct 2006 23:05:27 GMT

I usually type IEblog in the title bar to get the site, but now it goes to ieblog.com and incorporates your content.

Anyhow, no change of getting the "height=100% inside a TD bug" fixed, eh? Sigh..

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Singh400 — Wed, 18 Oct 2006 23:17:59 GMT

I know this is offtopic, but is there anyway way to slipstream IE7 into an XP SP2 installation CD? The normal methods don't work for me (using the /integrate or -s switch).

Nice work on IE7, I love it! I seem to be in the minority lol.

-Singh400

re: Release

Brian McMahon — Wed, 18 Oct 2006 23:30:33 GMT

I want to compliment everyone involved in the development of IE7. It is a vast improvement. You, and the rest of MS, also deserve praise for the openness shown through the involvement of the public in the betas and the open blogs.

But it's just for those reasons why I am disappointed that I had to get the final version of IE7 through Yahoo and there was not a single mention of it on this page. Despite this gaffe, please keep up the openness (and suggest to the Vista team that they reopen the RC2 program to everyone who had been sent a product code).

[MSFT:IE7] On Security, Compatibility, Extensibility, Community, and Open Source Syndication

O'Reilly XML Blog — Wed, 18 Oct 2006 23:37:27 GMT

IEBlog : SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility Obsolete controls disabled through ActiveX opt-in An important part of the ActiveX opt-in feature is doing good housekeeping of the ActiveX controls that..

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

jace — Thu, 19 Oct 2006 00:02:49 GMT

x64 version? I can get the 32-bit final from the yahoo file, as mentioned, but whither the x64?

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Jerry — Thu, 19 Oct 2006 00:21:15 GMT

I tried that IE/Yahoo hack and I don't have tabbed browsing or a search bar. It looks alot like IE6.

standalone

steve — Thu, 19 Oct 2006 00:21:57 GMT

I know this if off topic, but after IE7 goes out, it would be great if you could package up IE6 as a single standalone file so we can do testing on it. I know the only supported method is to use VPC (which is now free), but for those of us that do not work at Microsoft, we don't have original XP discs around. My 7 month old HP came with disks that will only work with their own machines, and VPC doesn't fake that part, so the only way for me (or anyone else) to have both IE6 and IE7 is to buy another copy of Windows. Want to send me a copy?

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Lewis Francis — Thu, 19 Oct 2006 00:24:31 GMT

If you already had the release candidate, Yahoo's installer first rolls back to IE6; you have to then run the Yahoo installer again to get their customized version.

re: standalone

Nate — Thu, 19 Oct 2006 00:31:37 GMT

http://browsers.evolt.org/?ie/32bit/standalone

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Pari — Thu, 19 Oct 2006 00:45:36 GMT

....as secure as possible but still compatible with the "Internet".

What?

I'm tempted to make /. style comment, but won't.

Read. Edit. Post.

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Jerry — Thu, 19 Oct 2006 01:00:53 GMT

@Lewis Francis

That was strange, the version was still showing IE7.

/Thats what I get.

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

David William Wrixon — Thu, 19 Oct 2006 01:06:59 GMT

So what time to tomorrow is the Senior Management butt kicking contest?

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Fduch — Thu, 19 Oct 2006 02:00:57 GMT

Thiking that they'll post here on IEblog when IE7 comes out was stupid.

Go, get it at MS site.

Cry looking at crushing browser with unfixed bugs. Rememer: "That's what you have asked for."

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Fduch — Thu, 19 Oct 2006 02:27:19 GMT

Ha-ha

As I thought. No improvement.

All the bugs are still there.

Broken unicode (Win95 era anyone?)

etc

Almost forgot. Despite the bugs on connect are often closed "randomly" there are still more than 1700 bugs. !!! It's much more than in Windows Vista. Compare the sizes. 1 bug for every 8kb of the installer. And to think how many important bugs were closed "just because"...

Overall I'm very disappointed with IE7 beta process. It looked like war between IE users/testers/web-developers vs. MS&IE7 team. Testers open bugs - MS closes them. Who wins?

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Baowoulf — Thu, 19 Oct 2006 02:30:14 GMT

It's still the RC1 on the MS site.

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Fduch — Thu, 19 Oct 2006 02:39:25 GMT

I think this page links to RTM. Can't confirm because it says I already have IE7.

http://www.microsoft.com/windows/ie/default.mspx

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Fduch — Thu, 19 Oct 2006 02:42:51 GMT

http://go.microsoft.com/fwlink/?LinkId=74211

you can get it here.

But I will get TruE IE7 here: http://maxthon.neo101.nl/featureguide/maxthon2newFeatures.html

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Baowoulf — Thu, 19 Oct 2006 02:51:17 GMT

You're right it is up now. I've just been putting IE7 into my search engine and RC1 page had always been the first page up but going through microsoft.com I see the final version is available now.

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

goose — Thu, 19 Oct 2006 14:57:07 GMT

I trust MICROSOFT with my security because they care about what I search for; unannounced connections (picked up by my non-Microsoft firewall) connecting to sa.windows.com in Windows XP everytime I do a LOCAL search on my drive, they show they care in their own special way!!!

I love Microsoft!!!! I am sure IE7 has the my best interests at heart and strikes the RIGHT balance where others have come & failed!!!!!

Remember only Microsoft can protect us on the net. IE7 makes that possible!!!!

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

EricLaw [MSFT] — Fri, 20 Oct 2006 07:39:44 GMT

@Goose: The sa.windows.com request returns an XML file about search providers.

If you're curious to see the data, you can view it in Fiddler, a free HTTP monitor available from www.fiddlertool.com.

TLS and SSL in the real world

IEBlog — Sat, 21 Oct 2006 01:03:55 GMT

Quite a bit has been written about the Secure Sockets Layer (SSL) protocol and its successor Transport

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Jeff — Sat, 21 Oct 2006 01:32:47 GMT

But seriously, anyone have info about slipstreaming ie7 into an xpsp2 install? not that I'm chomping at the bit to turn the world over to Microsoft, but i'm repacking my unattended install and figure this would make a good side project. is the genuine authentication cr** that holds up the switches?

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

John Hrvatin [MSFT] — Sat, 21 Oct 2006 01:54:47 GMT

Jeff,

IE7 cannot be slipstreamed into XPSP2. For deployments, you have to boot into XP, install IE7, and then use sysprep to repackage the machine or an imaging solution.

Thanks.

John [MSFT]

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Jeff — Sat, 21 Oct 2006 18:41:51 GMT

@John (MSFT)

Ah so.....thank you :-)

Using the right version of MSXML in Internet Explorer

Microsoft XML Team's WebLog — Tue, 24 Oct 2006 04:32:34 GMT

I’ve been working closely with the IE team leading up to the release of IE7 and looking at the use of

re: SSL, TLS and a Little ActiveX: about mixed content and security

PSchuetz — Wed, 25 Oct 2006 03:41:31 GMT

Hi there,

lol, you must really shame, that is really lame!

You complain about webpages/webmasters which configured to loading mixed content (secure and not secure), but your very own webpage (this blog) does mix content, if I want to connect through an secure connection on this blog: https://blogs.msdn.com/ie/..

That is very bad!

You should fix that very soon and fast or you can't complain about others..

best regards,

PSchuetz

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

EricLaw [MSFT] — Wed, 25 Oct 2006 04:39:32 GMT

@PSchuetz: Perhaps you might want to read the article again. The entire point is that there are cases where there's no ready workaround for mixed content:

<<many of today’s blog publishing packages depend on the ability to mix http content into an https-based outer page.>>

<<straightforward fixes are not always available>>

In this particular case, there's a very easy workaround: Don't use HTTPS to access the IEBlog. There's no private data here, and hence using HTTPS just results in wasted cycles and overhead.

MSXML5...Not in This IE

IEBlog — Fri, 27 Oct 2006 22:00:23 GMT

Some of you may have noticed the following goldbar on some websites: Our friend Adam on the XML team

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Billy — Fri, 27 Oct 2006 22:03:33 GMT

Hi there,

I don't understand what Microsoft's deal is with that popup of mixed content. Mixed content is ok.

There is nothing wrong with having some mixed content, like css, js, images. Where there is a problem is when FORMS are submitted using a http address when a user navigated to a https url. A user does not know that the content that is being submitted is submitted "unsecurely". This is when a message needs to be displayed. Poping up that message when an image like your logo is on http not logical. It's like saying I'm going to secure my house by putting a lock on the front door. Now everything I access must have a lock, why would you need to lock everything in your house if the front door is locked? Secondly, for a site to be secure in needs to be, I stress again, needs to be both https and have an authentication system on each entry point. Meaning, if you are going to use ssl on a site you must have authentication validation on it's entry points. Just having authentication is not enough when you are running on http and just having ssl on you urls is not enough. Someone can still access your information.

That's my idea, I hope they change it because right not it just doesn't make sense to me.

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

EricLaw [MSFT] — Fri, 27 Oct 2006 22:27:21 GMT

@Billy: You should read http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx

The danger of mixing insecure JS into HTTPS is that a man-in-the-middle could replace the insecure HTTP script with script of his choosing. Javascript can completely rewrite the page, meaning that it's no longer secure.

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Billy — Fri, 27 Oct 2006 23:10:50 GMT

@EricLaw

Ok, I didn't think of that. However, the message is too scary for "regular" users. As you point out there are two vulnerabilities. The html page and the javascript, these are the things that need to be secure, when they are not then popup the message. What about the images and the css and other content that can't rewrite the page, are they vulnerable for attack?

Thanks for the link

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

beezus9 — Sat, 28 Oct 2006 02:36:00 GMT

Is there a quick way to determine which elements on the page are not secure?

I am maintaining a site developed by someone else. The forms have mixed content (according to IE). I would like users to not get the warning pop-up.

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

EricLaw [MSFT] — Sat, 28 Oct 2006 03:30:33 GMT

@Beeszus9: In some cases, you can determine what's insecure by simply clicking "No" to mixed content and determining what content is missing. The more rigorous approach is to use Fiddler (www.fiddlertool.com), and watch for the HTTP requests.

@Billy: Well, CSS can materially alter the display of a page, and while images can't rewrite the page, they can be used to fool the user. The problem is that the browser has no way of knowing "Hey, this image is meaningless and it doesn't matter if a bad guy tampers with it" vs "This image is a snapshot of the user's stock portfolio, and if a bad guy were to tamper with it, the user may take an unsafe action (e.g. selling all of his stock or whatnot).

Mixing insecure content into HTTPS pages simply is not safe.

Mr.

Frank Smith — Sun, 29 Oct 2006 20:48:24 GMT

Promotion on Microsoft 7 Looked intresting, did

not research SSL TLS Etc enough to give an openion.

Anxious to find out where my end will end UP.

Frank

re: SSL, TLS and a Little ActiveX: How IE7 Strikes a Balance Between Security and Compatibility

Frank Smith — Sun, 29 Oct 2006 21:21:52 GMT

I really dont know how to respond to no responces. Never had any experiances talking to people with Cronic LockJaw and very poor writing instructions. I am here because of having a Deep intrest in what makes things work and how i may make them better and

boredom of retirement. Should you Folks ever deside to come out of the Closit, i would be pleased to Know what your plans are. I think you have been FUNNING me about my Micro's so we don't have to worry about that Issue. The BLUE Grass Pastures are the best and where I need to be. Frank

IE8 and Trustworthy Browsing

IEBlog — Wed, 25 Jun 2008 03:40:17 GMT

This blog post frames our approach in IE8 for delivering trustworthy browsing. The topic is complicated

在Internet Explorer中正确使用MSXML

SQL中国研发中心 — Tue, 04 Nov 2008 09:25:34 GMT

我参与了IE7的开发过程，看到了在IE浏览器中形形色色使用MSXML的方法。显然有一些东西困扰着开发者：MSXML“混乱”的版本以及如何创建“正确”的实例。下面是一段非常常见的代码： if (Web.Application.get_type()

在Internet Explorer中正确使用MSXML

SQL中国研发中心 — Tue, 04 Nov 2008 09:26:26 GMT

在Internet Explorer中正确使用MSXML

SQL Server — Wed, 05 Nov 2008 06:28:24 GMT

我参与了IE7的开发过程，看到了在IE浏览器中形形色色使用MSXML的方法。显然有一些东西困扰着开发者：MSXML“混乱”的版本以及如何创建“正确”的实例。下面是一段非常常见的代码： if (Web.Application

Internet Explorer 8 보안 5부 : 통합 보호

IE8 팀 블로그 — Tue, 17 Mar 2009 12:01:19 GMT

안녕하세요! 저는 인터넷 익스플로러 보안 프로그램의 책임자인 에릭 로렌스라고 합니다. 지난 화요일, 딘(Dean)이 신뢰성 높은 브라우저 에 대한 저희의 생각을 포스팅했었죠. 오늘