HTTPS Security Improvements in Internet Explorer 7

Eric Lawrence
Microsoft Corporation

January 31, 2006

Introduction

HTTPS encrypts your Internet traffic to protect it from snooping or tampering by others on the network. HTTPS uses either the Secure Sockets Layer (SSL) or the Transport Layer Security (TLS) protocol to protect data.

In order to improve security and add new functionality, changes have been made to the HTTPS implementation in Windows Internet Explorer 7. New protocol defaults in IE7 reduce the likelihood of someone taking advantage of configuration or protocol weaknesses to intercept or modify Web traffic transferred using the HTTPS protocol. New error pages provide a simplified user experience which helps to mitigate social-engineering and phishing attacks.

This article will help you understand how to address the compatibility impact of changes to HTTPS in IE7.

Understanding the Compatibility Impact

End User or Network Administrator

As a user of Internet Explorer, you may experience compatibility impact of HTTPS Security Improvements in the following ways:

  • Symptom: When viewing a site that is configured to permit only SSLv2, an error page is displayed.

    Cause: The SSLv2 protocol has been disabled by default in Internet Explorer 7. The SSLv2 protocol has known security weaknesses and has been superseded by the SSLv3 and TLSv1 protocols.

  • Symptom: When viewing an HTTPS site that is configured to use weaker ciphers (40-bit and 56-bit encryption) on Windows Vista, an error page is displayed.

    Cause: On Windows Vista, weak encryption ciphers have been disabled and only stronger ciphers are enabled by default.

  • Symptom: When navigating to an HTTPS site which presents a security certificate containing errors, an error page is displayed.

    Cause: To improve security and the user experience, IE7 blocks navigation to HTTPS sites which present security certificates containing errors.

    This change replaces the modal dialog box shown in IE6.

  • Symptom: When viewing a page that mixes HTTPS and HTTP content, an Information bar is displayed instead of a modal dialog as was shown in Internet Explorer 6 and earlier.

    Cause: To improve security and the user experience, IE7 blocks HTTP content from display in HTTPS pages by default.

    This change replaces the modal dialog box shown in IE6.

  • Symptom: When navigating to an HTTPS site on Windows Vista, a check for certificate revocation is made to determine if the presented certificate remains valid.

    Cause: Performance improvements and support for the OCSP protocol were made to Windows Vista, enabling IE7 on Windows Vista to improve security by enabling revocation checking by default.

Web site Developer

As a Web site developer, you may experience compatibility impact of HTTPS Security Improvements in the following ways:

  • Symptom: When viewing a site that is configured to permit only SSLv2, an error page is displayed.

    Cause: The SSLv2 protocol has been disabled by default in Internet Explorer 7. The SSLv2 protocol has known security weaknesses and has been superseded by the SSLv3 and TLSv1 protocols.

  • Symptom: When viewing an HTTPS site that is configured to use weaker ciphers (40-bit and 56-bit encryption) on Windows Vista, an error page is displayed.

    Cause: On Windows Vista, weak encryption ciphers have been disabled and only stronger ciphers are enabled by default.

  • Symptom: When navigating to an HTTPS site which presents a security certificate containing errors, an error page is displayed.

    Cause: To improve security and the user experience, IE7 blocks navigation to HTTPS sites which present security certificates containing errors.

    This change replaces the modal dialog box shown in IE6.

  • Symptom: When viewing a page which mixes HTTPS and HTTP content, an Information bar is displayed instead of a modal dialog as was shown in Internet Explorer 6 and earlier.

    Cause: To improve security and the user experience, IE7 blocks HTTP content from display in HTTPS pages by default.

    This change replaces the modal dialog box shown in IE6.

Application Developer

As an application developer, you may experience compatibility impact of HTTPS Security Improvements in the following ways:

  • Symptom: When using WININET to connect to an HTTPS site that is configured to only permit SSLv2, an error is returned.

    Cause: The SSLv2 protocol has been disabled by default in WININET. The SSLv2 protocol has known security weaknesses and has been superseded by the SSLv3 and TLSv1 protocols.

  • Symptom: When using WININET to connect to an HTTPS site that is configured to use weaker ciphers (40-bit and 56-bit encryption) on Windows Vista, an error is returned.

    Cause: On Windows Vista, weak encryption ciphers have been disabled and only stronger ciphers are enabled by default.

  • Symptom: When using WinINET to connect to an HTTPS site on Windows Vista, a check for certificate revocation is made to determine if the presented certificate remains valid.

    Cause: Performance improvements and support for the OCSP protocol were made to Windows Vista, enabling WININET to improve security by enabling revocation checking by default.

How to work around the compatibility impact

End User

As a user of Internet Explorer 7, you can work around the compatibility impact of HTTPS Security Improvements in the following ways:

  • Symptom: When viewing a site that is configured to permit only SSLv2, an error page is displayed.

    Workaround: SSLv2 may be enabled by checking the Use SSL 2.0 checkbox in the Security section of the Advanced tab of the Internet Control Panel.

    You can show the Internet Control Panel by clicking Tools | Internet Options inside Internet Explorer.

  • Symptom: When viewing an HTTPS site that is configured to use weaker ciphers (40-bit and 56-bit encryption) on Windows Vista, an error page is displayed.

    Workaround: No recommended workaround is available. Contact the site owner and request that they offer stronger encryption options.

  • Symptom: When navigating to an HTTPS site which presents a security certificate containing errors, an error page is displayed.

    Workaround: There is no workaround if the site's certificate is expired; contact the site owner and request that they update the certificate.

    If the address in the certificate does not match the site's address, this warning can be disabled by unchecking the Warn about invalid site certificates checkbox in the Security section of the Advanced tab of the Internet Control Panel. Changing this setting is NOT recommended.

    If the certificate was not signed by a trusted certification authority, you can add the certification authority if you trust the authority. Trusting a malicious certification authority will put your computer at risk, so use discretion. To add a Trusted certification authority, continue navigation from the Certificate Error page, and then click the Certificate Error button in the Internet Explorer address bar. Click the View Details link. On the Certification Path tab, select the root certificate and click the View Certificate button. On the General tab, click Install Certificate.

  • Symptom: When viewing a page that mixes HTTPS and HTTP content, an Information bar is displayed instead of a modal dialog as was shown in Internet Explorer 6 and previous.

    Workaround: On the Security tab of the Internet Control Panel, choose the Internet icon and click Custom Level. Scroll down to the Miscellaneous section, and adjust the value for the Display mixed content setting.

    Changing this setting to Disable will block all HTTP content without prompting.

    While not recommended, changing this setting to Enable will show all HTTP content without prompting.

  • Symptom: When navigating to an HTTPS site on Windows Vista, a check for certificate revocation is made to determine if the presented certificate remains valid.

    Workaround: If this feature causes performance problems in your environment, the certificate revocation check can be disabled.

    You can disable this feature by unchecking the Check for server certificate revocation checkbox in the Security section of the Advanced tab of the Internet Control Panel.

Network Administrator

As a network administrator of systems running Internet Explorer 7, you can work around the compatibility impact of HTTPS Security Improvements in the following ways:

  • Symptom: When viewing a site that is configured to permit only SSLv2, an error page is displayed.

    Workaround: SSLv2 may be enabled by checking the Use SSL 2.0 checkbox in the Security section of the Advanced tab of the Internet Control Panel. Because SSLv2 has known security weaknesses, enabling it is not recommended; prefer having the site enable SSLv3 or TLSv1.

    Alternatively, you can use Internet Explorer Maintenance (IEM) in Group Policy to control the user preference key. HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, SecureProtocols is a REG_DWORD bitmask of which secure protocols are enabled.

    • The SSLv2 flag is 8 (0x008).
    • The SSLv3 flag is 32 (0x020).
    • The TLSv1 flag is 128 (0x080).

    Hence, if all three protocols are enabled, the value is 0x0A8; the IE7 default (SSLv3 and TLSv1 only) is 0x0A0.

  • Symptom: When viewing an HTTPS site that is configured to use weaker ciphers (40-bit and 56-bit encryption) on Windows Vista, an error page is displayed.

    Workaround: Configure the Web server software to offer stronger encryption options. If the Web server is not in your control, contact the server operator.

  • Symptom: When viewing a page that mixes HTTPS and HTTP content, an Information bar is displayed instead of a modal dialog as was shown in Internet Explorer 6 and earlier.

    Workaround: On the Security tab of the Internet Control Panel, choose the Internet icon and click Custom Level. Scroll down to the Miscellaneous section, and adjust the value for the Display mixed content setting.

    Changing this setting to Disable will block all HTTP content without prompting.

    While not recommended, changing this setting to Enable will show all HTTP content without prompting.

    Alternatively, to configure this feature using Group Policy, start GPEdit.msc. Under Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone, choose Display Mixed Content. Select the radio button labeled Enabled to activate the policy, and choose Enabled in the drop-down box.

  • Symptom: When navigating to an HTTPS site on Windows Vista, a check for certificate revocation is made to determine if the presented certificate remains valid.

    Workaround: If this feature causes performance problems in your environment, the certificate revocation check can be disabled.

    You can disable this feature by unchecking the Check for server certificate revocation checkbox in the Security section of the Advanced tab of the Internet Control Panel.

    Alternatively, to configure this feature using Group Policy, start GPEdit.msc. Under Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\Internet Zone, click Check for server certificate revocation. Choose Disabled to prevent revocation checks from occurring.
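The SecureProtocols bitmask from the SSLv2 workaround above, as an added example (JavaScript, not code from the article or from Microsoft) that encodes and decodes the three flags the article documents and reports the values an administrator should not push out. The function names and the audit rules are this example's own; writing the resulting REG_DWORD is still done through IEM or your usual deployment tool.

```javascript
// Added example, not code from the original article: work with the
// SecureProtocols REG_DWORD bitmask under
// HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
// Only the three flags the article documents are modelled here.
const SECURE_PROTOCOL_FLAGS = { SSLv2: 0x008, SSLv3: 0x020, TLSv1: 0x080 };
const DOCUMENTED_BITS = Object.values(SECURE_PROTOCOL_FLAGS).reduce((a, b) => a | b, 0);

// Which of the documented protocols does this registry value enable?
function decodeSecureProtocols(value) {
  return Object.entries(SECURE_PROTOCOL_FLAGS)
    .filter(([, bit]) => (value & bit) !== 0)
    .map(([name]) => name);
}

// Build the registry value for a desired set of protocols.
function encodeSecureProtocols(names) {
  return names.reduce((acc, name) => {
    if (!(name in SECURE_PROTOCOL_FLAGS)) throw new Error(`unknown protocol: ${name}`);
    return acc | SECURE_PROTOCOL_FLAGS[name];
  }, 0);
}

// Problems with a proposed value (assumed audit rules for this example):
// SSLv2 turned on, nothing turned on, or bits this article does not document.
function auditSecureProtocols(value) {
  const enabled = decodeSecureProtocols(value);
  const problems = [];
  if (enabled.includes("SSLv2")) problems.push("SSLv2 enabled (known security weaknesses)");
  if (enabled.length === 0) problems.push("no protocol enabled; every HTTPS connection will fail");
  if ((value & ~DOCUMENTED_BITS) !== 0) problems.push("bits set that this article does not document");
  return problems;
}

// Demo: the all-enabled value from the article and the IE7 default.
for (const value of [0x0a8, encodeSecureProtocols(["SSLv3", "TLSv1"])]) {
  console.log(`0x${value.toString(16)}: ${decodeSecureProtocols(value).join("+")}`,
    auditSecureProtocols(value));
}
```

Run it with node; 0x0A8 is reported as enabling SSLv2 and 0x0A0 audits clean, which is what you want before the value reaches users.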

Web site Developer

As a Web site developer for sites viewed with Internet Explorer 7, you can work around the compatibility impact of HTTPS Security Improvements in the following ways:

  • Symptom: When viewing a site that is configured to permit only SSLv2, an error page is displayed.

    Workaround: Enable SSLv3 or later in your Web server software.

  • Symptom: When viewing an HTTPS site that is configured to use weaker ciphers (40-bit and 56-bit encryption) on Windows Vista, an error page is displayed.

    Workaround: Enable strong ciphers (128-bit or higher) in your Web server software.

  • Symptom: When navigating to an HTTPS site which presents a security certificate containing errors, an error page is displayed.

    Workaround: Ensure that you are using valid, non-expired security certificates issued by a trusted root certification authority.

    Ensure that the hostname in the certificate matches the hostname users type to reach your site. This is particularly important for servers which are addressable by multiple hostnames.

    For instance, a certificate issued to email.example.com is not valid for use on mailbox.example.com. To correct the problem, either purchase a certificate that lists both hostnames, or purchase a wildcard certificate for *.example.com.

  • Symptom: When viewing a page which mixes HTTPS and HTTP content, an Information bar is displayed instead of a modal dialog as was shown in Internet Explorer 6 and earlier.

    Workaround: Ensure that HTTPS pages do not contain embedded references to resources addressed by the HTTP protocol.

    Tip: If you have a page which can be viewed via either HTTP or HTTPS, use protocol-relative URLs to address its resources.

    For instance, consider a page at www.example.com/account.htm that is addressable via either http://www.example.com/account.htm or https://www.example.com/account.htm and that contains a single image.

    Instead of <img src="https://www.example.com/pic.jpg">, use <img src="//www.example.com/pic.jpg">.

    When the user views account.htm via HTTPS, then pic.jpg will be downloaded via HTTPS. When the user views account.htm via HTTP, then pic.jpg will be downloaded via HTTP.
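The hostname check behind the certificate address-mismatch error described above, as an added example (JavaScript, not code from the article or from Microsoft). It applies the general wildcard rule from RFC 2818, where a leading "*" covers exactly one DNS label, to the article's email.example.com / mailbox.example.com scenario; the function names are this example's own and it does not describe IE7's internal implementation.

```javascript
// Added example, not code from the original article: decide whether a
// certificate's names cover the hostname the user asked for. The wildcard
// rule (one label only, RFC 2818) is the general rule, assumed here rather
// than taken from IE7's code.

// Does one name from the certificate cover the requested host?
function hostMatchesName(host, name) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const n = name.toLowerCase().replace(/\.$/, "");
  if (!n.startsWith("*.")) return h === n;           // plain name: exact match only
  const suffix = n.slice(1);                          // "*.example.com" -> ".example.com"
  if (!h.endsWith(suffix)) return false;
  const label = h.slice(0, h.length - suffix.length);
  return label.length > 0 && !label.includes(".");  // exactly one label, never zero or several
}

// Does any name on the certificate (subject CN plus subjectAltName DNS
// entries) cover the host? One match is enough.
function certCoversHost(certNames, host) {
  return certNames.some((name) => hostMatchesName(host, name));
}

// The article's scenario: one server reached as either of these names.
const HOSTS = ["email.example.com", "mailbox.example.com"];
const CANDIDATE_CERTS = [
  ["email.example.com"],                          // the broken setup
  ["email.example.com", "mailbox.example.com"],   // certificate listing both names
  ["*.example.com"],                              // wildcard certificate
];
for (const names of CANDIDATE_CERTS) {
  console.log(names.join(","), HOSTS.map((h) => `${h}=${certCoversHost(names, h)}`).join(" "));
}
```

Note the two things a wildcard does not buy you: *.example.com does not cover the bare example.com, and it does not cover deeper names such as a.mail.example.com, so a server reachable at those names needs them listed explicitly.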

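The mixed-content workaround and the protocol-relative tip above, as an added example (JavaScript, not code from the article or from Microsoft): it finds subresource references in an HTTPS page that would load over plain HTTP, resolves "//host/path" references the way a browser does, and rewrites absolute http:// references to protocol-relative form. The sample HTML, the element list, and the function names are this example's own assumptions.

```javascript
// Added example, not code from the original article: detect mixed content in
// an HTTPS page and rewrite absolute http:// subresource URLs to the
// protocol-relative form the article recommends. Uses Node's WHATWG URL.

// Elements whose src/href attribute fetches a subresource. <a href> is a
// navigation, not a subresource, so it is deliberately not listed.
const SUBRESOURCE_ATTR =
  /<(img|script|iframe|link|embed|source|audio|video)\b[^>]*?\s(src|href)\s*=\s*(["'])([^"']*)\3/gi;

// Resolve a reference as a browser would: "//host/path" takes the scheme of
// the page it is embedded in, which is exactly what the article relies on.
function resolveForPage(pageUrl, ref) {
  return new URL(ref, pageUrl).href;
}

// Subresource references that would load over HTTP when the page is viewed
// at pageUrl. A page that is itself HTTP cannot have mixed content.
function findMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return [];
  const findings = [];
  for (const m of html.matchAll(SUBRESOURCE_ATTR)) {
    const [, tag, attr, , value] = m;
    const resolved = new URL(value, page);
    if (resolved.protocol === "http:") {
      findings.push({ tag: tag.toLowerCase(), attr: attr.toLowerCase(), ref: value, resolved: resolved.href });
    }
  }
  return findings;
}

// Rewrite absolute http:// subresource references to protocol-relative ones;
// https:// and relative references are left alone.
function toProtocolRelative(html) {
  return html.replace(SUBRESOURCE_ATTR, (whole, _tag, _attr, _quote, value) =>
    /^http:\/\//i.test(value) ? whole.replace(value, value.replace(/^http:/i, "")) : whole
  );
}

// Constructed sample page in the spirit of the article's account.htm.
const SAMPLE_HTML = [
  '<img src="http://www.example.com/pic.jpg">',
  '<script src="https://www.example.com/app.js"></script>',
  '<link rel="stylesheet" href="/style.css">',
  '<a href="http://www.example.com/help.htm">Help</a>',
].join("\n");

console.log(findMixedContent(SAMPLE_HTML, "https://www.example.com/account.htm"));
console.log(toProtocolRelative(SAMPLE_HTML));
```

Two caveats when using this: the rewrite only helps if the referenced host actually serves the resource over both schemes, and a page that is only ever served over HTTPS is better off with plain https:// references rather than protocol-relative ones.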
Eric Lawrence is a program manager on the Internet Explorer team.