Neil Turner's Blog

Blogging about technology and randomness since 2002

IE7 and HTTPS

The latest post on IEBlog details how secure sites will be handled. It’s interesting stuff – here’s a summary:

  • Support for sites using SSL v2 will be off by default. SSL v2 is an older, unsecure version of SSL only used by a handful of sites – most now use SSL v3 or TLS. As far as I know MoFo are also moving away from SSL v2 (see this weblog posting by Gervase Markham) and I imagine others will follow. I’ve had SSL v2 turned off for some time now and not encountered any problems while browsing.
  • Sites with certificates that have problems (wrong URL, untrusted root, expiration or revocation) will now show an error page instead of a modal popup dialog. The user can choose to ignore the error, unless the certificate has been revoked, and the address bar will turn red.
  • If a page has a mix of secure and insecure content, then the secure content will be shown and the insecure content hidden, with the information bar at the top appearing to notify the user of this and letting them optionally enable it. This is very welcome as I don’t like the modal yes/no box, and I’m sure about 90% of web browser users neither know what the error is about or indeed care about it. Firefox should do this too – you can tell it not to alert you to this kind of problem in future but, and I quote, very few users (or web developers) fully understand the security risks of rendering HTTP-delivered content within a HTTPS page.
  • When run under Windows Vista, AES 256-bit encryption will be supported, which brings it level with Firefox which already supports this higher level of encryption. From what I gather, Windows XP users of IE7 will only be able to browse secure sites with weaker 128-bit encryption, though in reality I don’t think it matters hugely as neither can be broken as far as I know.

As much as I like to evangelise Firefox it’s good to see IE7 making progress, and there have been some really good ideas going into the product. It will certainly make the browser wars more interesting, and hopefully drive innovation in the browsers further. I’ve been playing around with Flock over the weekend after a tip-off from Daisy and while it didn’t win me over straightaway it looks like it has potential.
On the Firefox front, we can expect Firefox 1.5 Release Candidate 1 on Friday, from what I’ve heard. The final release really shouldn’t be far away now – it would be nice if it was released on November 9th as that would be exactly one year since 1.0. But as OpenOffice.org didn’t quite make its 5th birthday for the release of version 2.0, I’d rather that MoFo wait until after then if there are any lingering showstopping bugs, but if it’s possible then it’d be cool 🙂 .
And now I’m off to bed, since I’m going to be wandering around Ilkley Moor (possibly singing this song) tomorrow. In the rain… :-/

2 Comments

  1. I like the idea of rendering only the secure HTTPS parts of web pages too. Firefox should really do that as well.
    The joys of competition eh? Without Firefox, IE7 may have never seen the light of day…or at least not this soon.

  2. Burning bullet points

    I’m currently working on a GCSE Business Studies and GCSE Maths. I’m enjoying Business Studies more than Maths.
    My first proper post after converting from Blogger to WordPress. I must say, WP is a heck of a lot more flexible than Blogge…