Results 1 to 4 of 4

Thread: Microsoft's Transport Layer Security

  1. #1
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004

    Microsoft's Transport Layer Security

    Too little too late?

    Microsoft plans to discontinue the use of the SSLv2 (Secure Socket Layer) protocol in the coming Internet Explorer browser refresh.

    In its place, he company will fit the stronger TLSv1 (Transport Layer Security) protocol into IE 7 as part of an overall plan to improve the security and user experience for HTTPS connections.

    Microsoft Corp. made the announcement on its official IE Blog where a call to action was issued for Web site owners to make the necessary configuration changes to permit the new protocol connections.

    Eric Lawrence, a program manager on the IE team, also warned that the new browser will block navigation to HTTPS sites that present problematic digital certificates.

    "Upon encountering a certificate problem, IE7 presents an error page that explains the problem with the digital certificate. The user may choose to ignore the warning and proceed in spite of the certificate error (unless the certificate was revoked)," Lawrence explained.

    "If the user clicks through a certificate error page, the address bar will flood fill with red to serve as a persistent notification of the problem," he added.

    The UI change will occur is a certificate is issued to a hostname other than the URL's hostname; if a certificate is issued by an untrusted root; or if the certificate is expired or revoked.
    MS Details More IE 7 Security Goodies

  2. #2
    Join Date
    Apr 2003
    Hmmm ... Using TLS is a good thing. Blocking access based on certificate isn't necessarily a good thing. Those using the PGP, OpenCA, OpenSSL self-signed or cross-linked certificates and not using commercially "approved" certificates may become disenfranchised by this methodology.

    Well, until they use something besides IE.

  3. #3
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    One key change is that Explorer will disable SSLv2, an older version of the Secure Sockets Layer (SSL) protocol. SSL is used to carry out secure Web transactions. In its place, Explorer 7 will continue to support SSLv3 and will enable Transport Layer Security (TLS) v1, a newer protocol.

    The change means that sites currently requiring SSLv2 will need to allow either SSLv3 or TLSv1, Microsoft said on its Internet Explorer Weblog, part of the Microsoft Developer Network.

    Some Sites Need Updates

    Microsoft downplayed the possible disruption caused by the change.

    "It's a silent improvement in security. Our research indicates that there are only a handful of sites left on the Internet that require SSLv2," writes IE program manager Eric Lawrence on the blog. "Adding support for SSLv3 or TLSv1 to a website is generally a simple configuration change."

    The company said security is a priority for the Explorer update, and has been soliciting suggestions for improvement--even from hackers.

    SSLv2 was the first public version of SSL, and suffers from several well-known weaknesses--for example, it doesn't provide any protection against man-in-the-middle attacks during the handshake, and uses the same cryptographic keys are used for message authentication and for encryption. These and other problems have been fixed in SSLv3, but the older version is still supported by most browsers and is in use on some systems.

    IE 7 will introduce some changes to the user experience, including blocking navigation to sites with problematic security certificates. The problems include certificates issued to a hostname other than the current URL's hostname--for example, secure.example.com instead of www.example.com; the certificate issued by an untrusted root; and expired or revoked certificates.

    Instead of giving the user a dialog box asking how to resolve these problems, as IE currently does, the browser will present an error page explaining the problem. The user can, however, choose continue to browse the site, unless the certificate has been revoked, Lawrence said. If the user continues on, the address bar will be colored red as a reminder of the problem.

    "Ensure that the hostnames used for your secure pages exactly match the hostname in your digital certificate," Lawrence advised.

    Other Security Changes

    If a page includes both secure and non-secure items, the user will no longer be initially given the option of displaying the non-secure items. Instead, only the secure items will render, and users will have to manually request that the nonsecure items be rendered.

    Lawrence said this could head off future types of attacks. "Very few users (or Web developers) fully understand the security risks of rendering HTTP-delivered content within a HTTPS page," he wrote.

    Other changes include the inclusion of AES security in Windows Vista and certificate revocation checking being enabled by default in Vista, Lawrence said.

    A change to Vista's Transport Layer Security (TLS) implementation could cause problems for some sites. TLS will be updated to support Extensions, a feature that can cause some non-standards-compliant TLS servers to refuse connections, Lawrence said.

    "If your site supports TLS, please ensure that it has a standards-compliant implementation of TLS that does not fail when extensions are present," he wrote.
    PCWorld.com - A Peek at IE7's New Security

  4. #4
    Ninja Code Monkey
    Join Date
    Nov 2001
    Washington State
    They most likely will not just block it, but give you the option to do so via the ie configuration settings and gp.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts