Neil Turner's Blog

Blogging about technology and randomness since 2002

More security improvements in IE7

There are some more interesting security improvements in Internet Explorer 7. In short, they are:

  1. If you use IE7 to browse a site that uses HTTP basic authentication over a non-secured connection (i.e. not using SSL or TLS), you will now get a warning that your username and password will be sent in an insecure manner. The credentials are only base64-encoded, which is an encoding rather than encryption: anyone who captures the request can decode them instantly, with no cracking required, so it is a real security risk.
  2. IE6 supports three cipher strengths for SSL: 40-bit, 56-bit and 128-bit. IE7 will only negotiate 128-bit ciphers for SSL connections, and TLS connections can use 256-bit (AES) ciphers, which Firefox and Opera already offer. The 40-bit and 56-bit "export-grade" ciphers are known to be insecure: their key spaces are small enough to search by brute force (56-bit DES was publicly broken that way in 1998).
  3. Changes to cross-zone scripting. In IE6, if a page in your Trusted Sites zone imports a script from a site in the Restricted Sites zone, the script runs with the trusted zone's privileges. In IE7, the zone of the script's source is respected, so a script imported from the Restricted Sites zone runs with that zone's reduced privileges.
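As an added illustration of item 2 (this is example code, not anything from the original post or from Internet Explorer), here is how the same minimum cipher strength is expressed and checked on a modern TLS stack using Python's standard `ssl` module. It builds a client context restricted to 128-bit-and-stronger suites, lists any suite below a chosen floor, and tries to enable the legacy 40/56-bit export suites that IE6 still accepted; on current OpenSSL builds those no longer exist, so that function returns an empty list. The `128` floor and the `"HIGH:!aNULL:!eNULL"` cipher string are my choices, not values taken from the post.

```python
import ssl


def weak_ciphers(ctx, minimum_bits=128):
    """Names of the cipher suites `ctx` would still negotiate whose symmetric
    key strength is below `minimum_bits` (IE7's floor is 128)."""
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < minimum_bits]


def strength_summary(ctx):
    """Sorted set of (protocol, key bits) pairs the context can negotiate,
    e.g. [('TLSv1.2', 128), ('TLSv1.2', 256), ('TLSv1.3', 128), ...]."""
    return sorted({(c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()})


def hardened_client_context():
    """Client context that mirrors the IE7 policy: no SSL 3 / TLS 1.0 / 1.1,
    and only suites with 128-bit or stronger symmetric keys."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL's HIGH group is the 128-bit-and-up suites; the !aNULL/!eNULL
    # exclusions drop anonymous and null-encryption suites as well.
    # (TLS 1.3 suites are configured separately and are all >= 128 bits.)
    ctx.set_ciphers("HIGH:!aNULL:!eNULL")
    return ctx


def legacy_export_suites():
    """Try to enable the 40/56-bit 'export' suites of the IE6 era.
    OpenSSL removed them in 1.1.0, so on a current build set_ciphers()
    raises SSLError ("No cipher can be selected") and we return []."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("EXPORT")
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    strong = hardened_client_context()
    print("suites below 128 bits in hardened context:", weak_ciphers(strong))
    print("negotiable strengths:", strength_summary(strong))
    print("export suites still available:", legacy_export_suites())
```

Run it against any context you hand out to HTTP clients in your own code; a non-empty result from `weak_ciphers()` means that context could still be talked down to a key size the post calls insecure.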

Most of this merely brings IE7 in line with the competition, but the first idea is unique as far as I can tell. It's a good one: the credentials travel in their own Authorization header on every request to the site, so an ordinary packet sniffer on a shared network, say a public Wi-Fi hotspot, can capture them very easily, and if the warning encourages more sites to move to secure connections then the internet will be better for it.
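To make item 1 and the sniffer point above concrete, here is an added example (my code, not anything from the original post or from IE7) of what an attacker on the same network does with a captured plain-HTTP request: pull out the `Authorization: Basic` header and base64-decode it. The request bytes, the host `intranet.example` and the user `neil` are constructed for the example. The decoder also handles the edge cases a real sniffer meets (no header, a non-Basic scheme, bad base64, a password containing a colon), and a companion function builds the header the way a browser does, to show the two are simple inverses with no key involved.

```python
import base64
import binascii

# Constructed sample of what a sniffer on a shared network sees from a
# plain-HTTP request that uses Basic auth (not a real capture).
CAPTURED_REQUEST = (
    b"GET /admin/ HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
    b"Authorization: Basic bmVpbDpzM2NyZXQ6cGFzcw==\r\n"
    b"\r\n"
)


def parse_headers(raw):
    """Split a raw HTTP/1.x request into a dict of lower-cased header names."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # [0] is the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return headers


def decode_basic_auth(header_value):
    """Recover (user, password) from an 'Authorization: Basic ...' value.
    Returns None if the scheme is not Basic, the payload is not valid base64,
    or the decoded text has no user:password separator. There is nothing to
    crack: base64 is an encoding, so this is a single decode call."""
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(payload.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # RFC 7617: the user-id may not contain ':' but the password may,
    # so split only on the first one.
    user, sep, password = creds.decode("latin-1").partition(":")
    if not sep:
        return None
    return user, password


def credentials_from_request(raw):
    """Full sniffer path: raw request bytes -> (user, password) or None."""
    auth = parse_headers(raw).get("authorization")
    return decode_basic_auth(auth) if auth else None


def basic_auth_header(user, password):
    """Build the header exactly as a browser does; the inverse of the decoder."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    print(credentials_from_request(CAPTURED_REQUEST))
```

Over TLS the same header is sent, still base64-encoded, but inside the encrypted record layer, which is why the warning in item 1 only fires for plain HTTP; the fix is to serve the login-protected part of the site over HTTPS, not to change the authentication scheme.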

One Comment

  1. “Though the details are encrypted using base64 encoding, the average home desktop computer can crack this in no time at all so it’s a bit of a security risk.”
    Base64 is not encryption. It doesn’t require cracking, just decoding.