Source: http://www.computerworld.com/securitytopics/security/story/0,10801,110236,00.html?source=x73
APRIL 05, 2006 (WINDOWSNETWORKING.COM) - There's something about using the words security and Internet Explorer in the same sentence that tends to make administrators want to laugh. Perhaps it's the fact that prior to Windows XP Service Pack 2, security in IE6 was pretty much nonexistent. Windows XP Service Pack 2 took care of some of IE's security issues, but security was still mediocre at best.
But in IE7, Microsoft seems to have addressed many of the security issues that have plagued IE for the past decade. Of course only time will tell if IE7 is really secure, but in this article I want to introduce you to some of the new IE security features.
Goodbye to SSL 2.0
In IE6, when a user visits a site that requires HTTPS encryption, it uses SSL 2.0 to encrypt the session by default, but the user has the option of manually switching to TLS (Transport Layer Security) instead, which is more secure. In IE7, Microsoft will no longer support SSL 2.0. This means that some Web sites will have to be recoded, but many industry analysts speculate that there aren't many Web sites that absolutely require SSL 2.0 and do not support TLS.
Secure by default?
Another related change involves the way that IE responds when it encounters a Web page that is encrypted by HTTPS, but that also contains HTTP content. When IE6 encounters such a page, it asks the user if he would like to display both secure and insecure items on the page. Since most users don't fully understand the potential consequences of displaying insecure data within a secure Web page, IE7 will do away with this option and will only display secure content within pages being accessed via HTTPS.
Security zone changes
For years, IE has supported the use of security zones. The idea behind security zones is that some Web sites are more trustworthy than others. For example, if you have a corporate intranet set up, you probably fully trust your own server not to be feeding your workstations malicious content. However, you probably don't trust most random Web sites.
So Microsoft created security zones. These zones have been a part of IE for many years. They include Internet, local intranet, trusted sites and restricted sites. The basic idea is that a Web site can be classified as belonging to one of these four zones, and IE will limit its permissions accordingly.
For example, if a site is placed into the restricted sites zone, the user can visit the site, but IE won't attempt to install ActiveX controls from the site and will not run any scripts on the site. On the other hand, if a site is listed as being a part of the local intranet, there are fewer restrictions placed on it. There are a few restrictions regarding the use of ActiveX controls (particularly unsigned ActiveX controls), but aside from that, the site is free to execute without hindrance from the browser.
There is one major change to the way that zones work in IE7. One of the summer interns at Microsoft came up with the idea that most home users don't have an intranet in place and that the intranet zone should be removed. The reasoning behind this is that the local intranet zone is an area in which approved Web sites can run with fewer restrictions. Since most home users don't have a local intranet, the local intranet zone isn't serving a purpose other than to act as a place where malicious Web sites could potentially execute with fewer restrictions.
Microsoft liked the idea and designed IE7 so that it checks to see if the user's computer is connected to a domain. If the computer is a part of a domain, then the local intranet zone works the same way that it always has. If it isn't a part of a domain, then IE assumes that the machine belongs to a home user and disables the local intranet zone.
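The domain-joined check can be expressed as a small zone classifier. The code below is an added example written for this article, not Microsoft's implementation: explicit restricted and trusted lists take precedence, a host that looks like an intranet name lands in the local intranet zone only when the machine is domain-joined, and otherwise falls back to the Internet zone (my reading of "disables the local intranet zone"). The dotless-hostname heuristic is an assumption standing in for IE's real intranet-detection rules.

```python
from urllib.parse import urlsplit


def looks_like_intranet_host(host):
    """Assumed heuristic: a hostname with no dot ("fileserver") is an
    intranet-style name. IE's real rules also consider proxy-bypass lists
    and UNC paths, which this example does not model."""
    return bool(host) and "." not in host


def classify_zone(url, domain_joined, trusted_sites=(), restricted_sites=()):
    """Return the security zone a URL would be placed in.

    restricted_sites / trusted_sites are sets of hostnames the user has
    configured; the rest of the decision follows the article's description.
    """
    host = (urlsplit(url).hostname or "").lower()
    if host in restricted_sites:
        return "restricted sites"
    if host in trusted_sites:
        return "trusted sites"
    if looks_like_intranet_host(host):
        # IE7 only honours the local intranet zone on a domain member;
        # a home machine treats the same host as any Internet site.
        return "local intranet" if domain_joined else "internet"
    return "internet"


if __name__ == "__main__":
    # Constructed hostnames for illustration.
    for joined in (True, False):
        zone = classify_zone("http://fileserver/share", domain_joined=joined)
        print(f"domain_joined={joined}: http://fileserver/share -> {zone}")
```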
Phishing filter
One of the best new security features in IE7 is the phishing filter. Phishing has become a huge problem over the last couple of years. There are a wide variety of phishing scams out there, but one of the most common involves fraudulent e-mail messages. Typically, the person who is performing the phishing scam will send an e-mail that appears to be from your bank, for example, and asks you to log into your account for some reason (usually to verify that your balance is correct). The e-mail will then contain a link to your bank's Web site.
On the surface, the Web link looks perfectly legitimate, but the e-mail message is designed so that the site that the link connects to is not the same site as the link displays. For example, the link might look like http://www.mybank.com, but the actual underlying code would take you to http://207.68.172.246 instead. The IP address that the link takes you to would then be a Web server that is set up to look and feel exactly like your bank's Web server. This Web server's job is to present you with a log-in prompt. When you log in, the site logs (steals) your account number and password, and then redirects you to your bank's real Web site. Most of the time, users simply think that they have typed in their password incorrectly, and never realize that they have just handed over their account number and password to a thief until their account gets cleaned out.
The phishing filter is designed to protect against this sort of activity. Assuming that you have chosen to enable the phishing filter, it will analyze any URLs that you visit to make sure that they are legitimate Web sites and not phishing sites.
For example, suppose that you clicked on a link in an e-mail that took you to http://207.68.172.246/result.aspx?id=4. The first thing that the phishing filter would do is to strip off the question mark and anything following it. In ASP, the question mark is used as a mechanism for passing variables from one Web page to another. Since these variables could potentially contain personal information and do nothing to prove or disprove the site's legitimacy, they are stripped away. In this case, that would leave the URL string http://207.68.172.246/result.aspx.
The phishing filter will then compare this URL against a list of sites that are known to be legitimate. In this case, the URL looks suspiciously like a phishing site, but in actuality it is simply using an IP address rather than a domain name to go to MSN. Since MSN is a legitimate site, this URL would be OK.
If this URL were not listed as a legitimate site, the phishing filter would use a list of known phishing sites and if necessary, some heuristic techniques to determine whether the site was legitimate. Once the filter has made a determination as to the site's authenticity, the user will see a message warning that this is a known phishing site, a warning that this might be a phishing site, or if the site is legitimate, the user won't see anything out of the ordinary.
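The three-stage pipeline the article describes (strip the query string, consult the legitimate-site list, then the known-phishing list, then heuristics) is shown below as an added example; it is not Microsoft's filter or its lists. The allow and block lists are constructed, with the article's http://207.68.172.246/result.aspx entry standing in for MSN, and the heuristics (IP-literal host, a user@host prefix in the authority, credential-themed path words) are my own assumptions about what such a filter might weigh.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit, urlunsplit

# Constructed lists. The article says 207.68.172.246 is simply MSN reached
# by IP address, so it belongs on the legitimate list.
KNOWN_LEGITIMATE = {
    "http://207.68.172.246/result.aspx",
    "https://www.mybank.example/login",
}
KNOWN_PHISHING = {
    "http://198.51.100.23/mybank/login.aspx",
}

# Assumed heuristic vocabulary, not from the article.
CREDENTIAL_WORDS = ("login", "signin", "verify", "account")


def normalize(url):
    """Drop the query string and fragment, as the article describes,
    and lower-case the scheme and host so lookups are case-insensitive."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))


def host_is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def heuristic_score(url):
    """Count traits that make a URL look like a phishing link (assumed)."""
    p = urlsplit(url)
    host = p.hostname or ""
    score = 0
    if host_is_ip_literal(host):
        score += 1            # raw IP instead of a domain name
    if "@" in p.netloc:
        score += 1            # "www.mybank.com@203.0.113.9" hides the real host
    if any(word in p.path.lower() for word in CREDENTIAL_WORDS):
        score += 1            # path invites the user to enter credentials
    return score


def check_url(url):
    """Return 'ok', 'known phishing' or 'suspected phishing' for a URL."""
    key = normalize(url)
    if key in KNOWN_LEGITIMATE:
        return "ok"
    if key in KNOWN_PHISHING:
        return "known phishing"
    # Fall through to heuristics only for URLs on neither list.
    return "suspected phishing" if heuristic_score(url) >= 2 else "ok"


if __name__ == "__main__":
    for u in ("http://207.68.172.246/result.aspx?id=4",
              "http://198.51.100.23/mybank/login.aspx?session=9",
              "http://www.mybank.com@203.0.113.9/login",
              "https://news.example/articles/42"):
        print(f"{check_url(u):18s} {u}")
```

The threshold of two heuristic hits is deliberately conservative so that a legitimate site reached by IP address alone (the article's MSN case) is not flagged if it is missing from the allow list; a real filter would tune this against false-positive data.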
Conclusion
Only time will tell if IE7 is really secure. At the moment, IE7 and Windows Vista are still in beta testing, so they have not been exposed to the scrutiny that IE6 has been. I have seen a few unconfirmed reports of people being able to exploit weaknesses in IE7, but even if those reports are true, IE7 is still in beta testing and there are bound to be some bugs.
Brien M. Posey has written more than 3,000 articles and written or contributed to 27 books. His personal Web site is www.brienposey.com.