Microsoft plans to discontinue the use of the SSLv2 (Secure Socket Layer) protocol in the coming Internet Explorer browser refresh.
In its place, he company will fit the stronger TLSv1 (Transport Layer Security) protocol into IE 7 as part of an overall plan to improve the security and user experience for HTTPS connections.
Microsoft Corp. made the announcement on its official IE Blog where a call to action was issued for Web site owners to make the necessary configuration changes to permit the new protocol connections.
Eric Lawrence, a program manager on the IE team, also warned that the new browser will block navigation to HTTPS sites that present problematic digital certificates.
“Upon encountering a certificate problem, IE7 presents an error page that explains the problem with the digital certificate. The user may choose to ignore the warning and proceed in spite of the certificate error (unless the certificate was revoked),” Lawrence explained.
“If the user clicks through a certificate error page, the address bar will flood fill with red to serve as a persistent notification of the problem,” he added.
The UI change will occur is a certificate is issued to a hostname other than the URLs hostname; if a certificate is issued by an untrusted root; or if the certificate is expired or revoked.
Web site operators that require SSLv2 are urged to reconfigure the settings to permit SSLv3 or TLSv1 connections.
“Ensure that the hostnames used for your secure pages exactly match the hostname in your digital certificate. For example, using the certificate for www.example.com on secure.example.com will result in an error page,” Lawrence said.
“If your site supports TLS, please ensure that it has a standards-compliant implementation of TLS that does not fail when extensions are present. Testing for a non-compliant TLS server is as simple as navigating to any HTTPS page on the server using IE7 on Vista Beta 2. If IE7 fails to connect, TLS extensions are the most likely culprit,” he added.
Microsoft currently allows users IE6 to manually configure the stronger settings vie the Tools > Internet Options > Advanced menu but the changes will be fitted by default into IE 7 to allow Web surfers to negotiate HTTPS connections using SSLv3 or TLSv1.
Lawrence described the change as a “silent improvement in security” that wont affect the normal user experience.
“Our research indicates that there are only a handful of sites left on the Internet that require SSLv2. Adding support for SSLv3 or TLSv1 to a website is generally a simple configuration change,” he added.
In IE 6 today, whenever a surfer encounters a problem with a HTTPS-delivered webpage, a modal dialog box asks the user to make a security decision. In IE 7, that will change to follows the “secure by default” paradigm and default to the secure behavior.
“In addition, users will no longer see the so-called Mixed-Content prompt, which read: This page contains both secure and nonsecure items. Do you want to see the nonsecure items? IE7 renders only the secure content and offers the user the opportunity to unblock the nonsecure content using the Information Bar. This is an important change because very few users (or web developers) fully understand the security risks of rendering HTTP-delivered content within a HTTPS page,” Lawrence added.
He also revealed that the new Windows Vista platform will include several new cryptographic algorithms for HTTPS communications, including the AES (Advanced Encryption Standard). AES is a strong, efficient algorithm that offers support for key lengths of up to 256 bits.
In Windows Vista, certificate revocation checking is also enabled by default.
