IE7 to Beef Up Secure Web Surfing

Internet Explorer 7 will come with several security enhancements to HTTPS connections, a Microsoft program manager said on the IE Blog over the weekend. Chief among the changes is the disabling of the SSLv2 protocol by default in favor of the stronger-encryption available through TSLv1.

"Generally, IE users will not notice any difference in the user-experience due to this change; it's a silent improvement in security," program manager Eric Lawrence wrote. He said that few sites still require SSLv2, and upgrading to SSLv3 or TSLv1 is generally a simple migration on most sites.

Also, when dealing with secure sites whose certificates are not valid, IE7 by default will err on the side of caution and block access much like Windows XP Service Pack 2 already does. A certificate that was either issued to a different hostname than the one visited, issued by an untrusted root, or was revoked or expired would trigger such an event.

Lawrence added that Windows Vista will take the enhancements in IE7 even further, with stronger encryption and tighter security certificate policies.

The Internet Explorer development team has also issued a call for action to ensure secure sites are offering users the highest encryption available and that their security certificates are valid.

"If your site supports TLS, please ensure that it has a standards-compliant implementation of TLS that does not fail when extensions are present. Testing for a non-compliant TLS server is as simple as navigating to any HTTPS page on the server using IE7 on Vista Beta 2," Lawrence wrote.

"Thanks for your help in securing the Web."