Safety First at Mix06


I’m really excited for my talk tomorrow here at Mix06. This conference feels more like a party than work. We’re free from the blue-shirt uniform of normal conferences and I’ve tried to make my talk all content – no slides (ok, there are a few slides for folks who don’t see the live show). I’m trying to dodge the late night party crowd until after my talk but I hear that Phoebe has been hanging out with Chico and James of the Debarge family.

During his keynote, Bill Gates teed us up to talk about Protected Mode, ActiveX Opt-in, Anti-Phishing and High Assurance SSL. I had the chance to show Bill the first version of Protected Mode last year and even though it wasn’t very polished yet, he saw the potential to make the system safer. Today the version of Protected Mode we have helps protect the system but also is compatible with most sites and extensions.

In my talk, we’re going to look at why we’re making IE safer and how to make your site work with the protections. I intend to cover questions I’ve heard on the blog before and you can post a question here today if you want me to cover it at the talk. After you get your dose of safety first, I expect you’ll want to catch Chris’ talk about standards, Markus’ on the CSS changes in IE7 and Rich Turner will show you how to use Infocard.

Hope to see you at my talk or here at the show!

 – Rob Franco

Comments (38)

  1. sazzad says:

    the IE related links doesn’t work.. :(

  2. Tyler says:

    At what point, if ever, will a full detailed list of supported CSS functions be available.

    Thanks.

  3. DMassy says:

    Tyler,

    You can expect to see full documentation on supported CSS in the MSDN CSS reference at http://msdn.microsoft.com/library/default.asp?url=/workshop/author/css/reference/css_ref_entry.asp?frame=true in the coming weeks. There is a lot of documentation work in the queue and some of it takes a little time.

    In the meantime there is the post at http://blogs.msdn.com/ie/archive/2006/02/02/523679.aspx is accurate with the addition of min-height min-width support in the refresh preview build made available today.

    Thanks

    -Dave

  4. Anonymous says:

    Will you submit Infocard to a standards body for it to be standardized? Will you provide source code implementations of the Infocard system so that it can becorrectly implemented on other platforms as well?

    If you don’t do any of the above two actions then how do you expect the community to turst you and how to do expect Infocard to become universally accepted?

    In other words, how do you plan to get community support and implementations of Infocard on other platforms?

  5. Liberté - Egalité - Fraternité says:

    You have talked about full CSS2 support in previous posts. Will the final IE7 have support for the following CSS properties and selectors?

    E:first

    E:left

    E:right

    counter-increment

    counter-reset

    font-size-adjust

    font-stretch

    text-shadow

    speak-header

    marks

    orphans

    page

    page-break-inside

    size

    widows

    azimuth

    cue

    cue-after

    cue-before

    elevation

    pause

    pause-after

    pause-before

    pitch

    pitch-range

    play-during

    speak

    speak-numeral

    speak-punctuation

    speech-rate

    stress

    richness

    voice-family

    volume

  6. Michael Ward says:

    I don’t think the IE team has ever committed themselves to supporting the full CSS2 spec in IE7.

    I think the above mentioned list is is for this version of IE – I just hope the implementation is correct!

  7. Squire says:

    To Anonymous re: InfoCard

    Source code is not required for others to implement a properly documented standard, which InfoCard is:

    http://msdn.microsoft.com/winfx/reference/infocard/default.aspx?pull=/library/en-us/dnwebsrv/html/infocardwebguide.asp”>http://msdn.microsoft.com/winfx/reference/infocard/default.aspx?pull=/library/en-us/dnwebsrv/html/infocardwebguide.asp

    More information at:

    http://msdn.microsoft.com/winfx/reference/infocard/default.aspx

    For more information I’d suggest an MSN search for "infocard standards". It turned up

    http://blog.mix06.com/blog/archive/2006/01/27/80.aspx

    "For those unfamiliar with InfoCard, this is a new authentication technology based on the WS-* industry standards."

    http://en.wikipedia.org/wiki/InfoCard

    "InfoCard is built on top of Web Services Protocol Stack, an arguably open set of technologies, including WS-Trust."

  8. Brian R. James says:

    Dave,

    What is this refresh preview build you speak of?

  9. DMassy says:

    Brian,

    Take a look at the previous blog post here announcing the new preview build. http://blogs.msdn.com/ie/archive/2006/03/20/555703.aspx

    Thanks

    -Dave

  10. Ha! I love it, the new build (thanks btw for that refresher) has correctly working focus whereas Firefox does not (in regards to the flags on the frontpage of my site when holding the tab key). It’s also working correctly in a few ways that Safari is not but you wouldn’t know if unless you visited my site IoI. IE7 is coming along slowly but surely and refreshers are always welcome! :-)

    The security is great but I’d like to add one thing to it: Bank of America. While their login process has become even more obnoxious then ever their frontpage isn’t encrypted with SSL! The only way to securely login is to enter bogus information and then use the "try again" pages. It would be nice (more so for others who would not notice something is wrong when it is absolutely apparent to folks like us) to protect their information on pages with forms that may look like login pages to the browser. The tricky part is that how do you tell what a form is for? I would imagine password types might trigger this somehow, perhaps in combination with something else?  Nonetheless I think protecting people from this and doing it effectively (without false positives) would give bragging rights in this regards. :-)

    At what period of development will we be able to customize the GUI better?

    Overflow is not working when using bottom, left, right, top in combination of position in contrast to how most people use position in combination with height and width. Besides this (with IE conditional comments removed) I don’t see any moderate rendering bugs) – WOOHOO!

    div.overflow { border: #000 solid 1px; bottom: 5px; left: 5px; overflow: auto; position: absolute; right: 5px; top: 5px;}

    Select menus have an odd border around them.  It would be very nice if IE would allow us to style the arrow on those menus (via conditional comments stylesheet of course) if standards bodies will not.  While I’m dislike proprietary in the sense of forcing customers to use only your company’s parts that cost much more then non-proprietary parts (*cough* Dell) when it’s about pleasing the consumer and there is a way to get around directly breaking the rules I’ll vote in favor of it.

    This script does not work when changing stylesheets on my site…

    http://www.jabcreations.com/scripts/style.js

    I suppose document.createElementNS is not supported as this is the alternative to document.write when you use application/xhtml+xml. Can anyone please point out what ECMA has to say on this? What could I do to get it working in all browsers so it also works in IE?

    Great work! Keep it up! :-)

  11. Dao says:

    @John A. Bilicki III:

    Use document.createElement instead of document.createElementNS.

    Besides, //<![CDATA[ in a .js file is useless.

  12. Alun Jones says:

    Re: Bank Of America.

    This is the perennial problem with HTTPS.  You have no way of knowing ahead of time, short of reading the HTML source code, whether the form you are submitting is going to go via HTTPS or plain HTTP.

    John A Bilicki is wrong to suggest that the presence or lack of an SSL indication on displaying the form is linked in any way to whether or not your data goes back to the site in a secured fashion.  The browser only tells you that the data you are seeing on screen was delivered to you via HTTPS.

    If IE 7 has any means of telling you how your submission is going to be secured (or open), ahead of actually sending it, I haven’t seen it.

    Oh, and the Bank Of America site takes your sign-in information and submits it to https://sitekey.bankofamerica.com/sas/resetPasscodeScreen.do – that "https://&quot; is a clue that this is going to be secured.  Sadly, you have to read screeds of source code to determine this.

  13. Thanks Dao,

    I get "access is denied" for a page that changes the stylesheet…

    <body onload="if (location!= top.location) {parent.border.location.reload(); parent.copyright.location.reload(); parent.mplayer.location.reload(); parent.content.location=document.referrer;} else {location.href = document.referrer;}">

  14. @ Alun Jones

    I’ve seen sites that have their initial page marked as being secure (security is not my best subject). I know SSL uses keys (I may be wrong about this but)…if a key is received in order to encrypt a page then the (any) browser should be able to mark the page as secure? My understanding is that while the form may submit to an encrypted page, the information being sent is not yet encrypted.

  15. Alun Jones says:

    HTTPS doesn’t work like that.  You don’t get a key down when fetching a page in order to use that key when submitting content.

    What happens is this…  The moment you get an HTTPS link, as opposed to an HTTP link, a new connection is made, on a new port (443, the standard port for the encrypted universal firewall tunneling protocol, aka HTTPS), and SSL key exchange begins.

    After that, normal HTTP-type traffic is simply encrypted and sent (then received and decrypted) over the encrypted connection.

    So, to use Bank of America as an example, you connect over port 80, unencrypted, to send the "GET" command that allows you to receive the page (again, unencrypted).  You enter data, and you hit the "Sign In" button.

    The "Sign In" button activates code that says ‘post that information to an https://… address’ – so, your browser opens a connection to port 443 on that site, and this is the first time that keys get exchanged and encryption gets fired up.

    Now that you have an encrypted session to port 443, the information you entered in the form is encrypted and sent, usually in a POST command, and the response – also encrypted – gives you either a page to display, or a redirection to somewhere else.

    The converse is true – if you connect to a secured page over HTTPS, it may ask you to enter your details an press the submit button – if the submit button posts to an "http://…" link, your data will be sent in clear text, even though the page was displayed to you with the padlock!

    This is the browsers’ "dirty little secret" – the padlock is little or no assurance.  Some pages have exhibited exactly this problem – page displays with padlock, but usernames and passwords sent in clear-text – because of poor design or poor implementation, and users are none the wiser.

  16. PatriotB says:

    Alun Jones — the IE team has blogged about this before.  If the main login page is plain HTTP, there’s a chance that the submit page could’ve been changed by a hacker from the "good" HTTPS destination to a "rogue" destination.

    See "Critical Mistake #1" at http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx.

  17. aapje says:

    Sometimes the back button is just ‘gone’, i.e. it’s not active while it should be active. That’s an annoying bug.

  18. Alun Jones says:

    I hope I didn’t give the impression that a form delivered by HTTP is safer than (or as safe as) one delivered by HTTPS.  That’s a judgement call you’d have to make based on how safe you thought the path was between you and the party you’re talking to.

    If you are certain it can be sniffed, but not modified or redirected, then HTTP and HTTPS are okay for form delivery, but not submission.  If the stream can be modified or redirected (by a DNS poisoning, for instance), then you need HTTPS and the out-of-band assurance of the CA.

    My concern is more that people understand that the delivery of a form is uncoupled from the submission of that form’s information – if you see the padlock, you have no way of knowing if the password you type is sniffable over the wire when you press "Submit", unless you can read the source to the page.

  19. zzz says:

    It might be possible to draw a lock symbol next to the input form text box when the form has post url in form of https://blah.blah.same-domain-as-the-form-page-was-from.com. The IE code would simply check for https and domain and then indicate this ahead of time with the lock symbol.

  20. ieblog says:

    zzz,

    And then someone would spoof the lock symbol if you drew it on the page to make you think it was secure…

    Nothing that is shown to you on a page itself is guaranteed to be what it says it is.

    – Al Billings [MSFT]

  21. Maurits says:

    > And then someone would spoof the lock symbol

    Not if you put it in the status bar when hovering over an <input type="submit"> they wouldn’t.  Although I suppose then they could just use an onsubmit event to change the target of the form.

  22. Mike says:

    Is anyone having trouble with Flash in the recent build of IE7?  I cant seem to view any Flash what-so-ever.  Even after clicking it as the tool tip says.

    Any thoughts?

  23. Fiery Kitsune says:

    BTW, can you guys add site titles to the address bar pulldown???

  24. @ Mike

    I’ve noticed that http://homestarrunner.com ‘s nav menu isn’t working.

    wmode also has not been fixed yet.

    Al’s right, it’s a trust issue on the net like most situations where money is exchanged in everyday life.

  25. PoTaToX says:

    Hmm, the bug "cannot expand other than today’s history bug" is still in the newest build of ie7. :( realy anoying.

  26. I have installed the new build of IE7 but have had to uninstall it and go back to the previous build because whenever I tried to open a second tab I got an error message and the browser shut down sayin’ sorry for the inconvenience. I have XP home w/ latest updates. Does anyone know a solution to this annoying story?

  27. Vishal says:

    Are you guys not embarassed to be working on something whose shipdate is slipping so badly? And why is your leadership not taking responsibility? "People buy stuff after Christmas"? Are you serious? LOL!

    Maybe you should have less PMs and more devs?

    PMs always seem to be full of hot air, excellent at blogging and doing ego-inflating "UX" work, but awful at getting stuff which takes genuine hard work done. (Cue the angry huffing and puffing of the zillion IE PMs who have to kid themselves that they actually add significant value – how many PMs does Firefox have??) And while you’re at it, maybe you should have less "inaugural MIX conferences" and spend more time coding?

    Security is a convenient excuse but we all know that its not the only one. With all the cut features, and Apple’s new OS coming out at the same time as Vista, it must suck to be you. So, who’s going to step up and take responsibility for this mess? Or are you all too snug in your bureaucratic, monolithic org?

  28. Antonio Marques says:

    @ Vishal:

    Isn’t it better to have a secure product latter than an insecure product sooner?

    Apple? The 2% market share OS? Give me a break… BTW, in case you haven’t noticed, this is a blog about IE7. Yes, for Windows. Duh.

  29. PatriotB says:

    Vishal — I’m very thankful that MS has program managers.  At one of my previous jobs, we had zero PMs or anything of the type.  Developers did everything, from deciding on what new features would be, to deciding how the feature should look and work.  And it sucked.  I can only imagine how much better things would have been (both internally, and in terms of product quality) if there had been PMs.

  30. Vishal says:

    PatriotB, who said anything about no PMs? IMO IE needs 1) less PMs, 2) more competent PMs, 3) PMs who spend more time with the codebase and less time at glitzy conferences partying and doing pointless "visibility" Powerpoints with Bill.

    Look up the Channel9 RSS team video – see how many PMs there are just for that! You have lead PMs, group PMs, ordinary PMs… It seems like there are more PMs than developers!

    Just compare the bloggers here to those from Mozilla or Opera, who release with high-quality regularly. (Cue yet more excuses about how much more complicated IE is and how their testing and compat matrix is so much larger!)

    Antonio, stop patronizing me unless you know even approximately what you’re talking about. "Security reasons" is just marketing crap – obvious to anyone with even the vaguest competence. A magic boost of security can’t be added on at the end, security has to be a continual process. Maybe you should read some basic books on security engineering to explain why? Would you like me to recommend some to you?

    BTW, in case you haven’t noticed, this is a blog about IE7 – yes, a major component of Vista – yes, the system which was delayed, yet again, after so many feature cuts, today. Duh.

    Vista is a train wreck. I want to know what they’re going to do about it.

  31. Al Billings [MSFT] says:

    Vishal,

    As has been said before, there are less PMs than developers. In fact, there are a LOT less PMs than developers. You’re just more likely to seee PMs talking about feature areas or doing presentations because…well…that is part of the PM job. Realistically, the biggest discipline is Test. There are more testers than PMs or Developers though the IE team also works on all of our security patches and much of the test work goes there as well.

    – Al Billings [MSFT]

  32. ieblog says:

    Vishal,

    As to the "train wreck" comments, this really isn’t the place to discuss Vista per se. None of us on IE are going to have much in the way of comments on that. We *are* focused on IE, both on Vista and on XPSP2 but the general windows process is something for someone else’s blog.

    I would ask you to chill on your tone a bit, it is verging on the abusive, which isn’t acceptable on the blog here. If you want to have a polite conversation, that is a different matter.

    – Al Billings [MSFT]

  33. hmas says:

    Safety may be "first"… but there are other things you need to do.

    I think IE7 broke some of the OS stuff: please try using the Copy To/Move To toolbar buttons in Windows Explorer and copy/move something to Desktop. Desktop isn’t anymore the top level in the namespace of the dialog box (in fact, on my system Desktop isn’t shown at all in the Copy To/Move To dialog box!).

    Another thing that needs to be fixed is the way IE7 handles tabs. Please, open 2-3 tabs and then try to close each one of them. The last one won’t have a close option. This is quite nagging!

    For proper handling of IE7’s tabs, you might take a look at the way Maxthon browser (www.maxthon.com) is doing it! Furthermore, you might learn a lot from Maxthon about the way a good browser should be in terms of options, user control, handling, ease of use, skinning, RSS feeds…

    …or you could just simply hire Maxthon’s authors for that matter…

  34. Adam says:

    I think what Vishal is trying to say is we the consumer are losing serious faith in Microsoft’s competence.

    We listened at Mix06 about how Bill has said the delays of IE7 are unacceptable.  Yet we have no sure date on the public release of it.  And all we are hearing are "security issues" and more delays.

    Now you push back the release of Vista which was supposed to compliment the IE7 public release and we still have no news what is going on there.

    You guys can talk and talk about this and that.  But the proof is in the end result.  And you are not giving us much to go on.

    Microsoft just expects us to accept this because they own the industry.  

    Microsoft needs to understand where we are coming from.  And that given the chance we the consumer will switch companies for those that can get a job done.

    As painfull as this sounds, I don’t mean any of it to be confrontational but it is what we are feeling.

  35. EricLaw [MSFT] says:

    <<Although I suppose then they could just use an onsubmit event to change the target of the form.>>

    Bingo.  Or if they really wanted, an evil page could simply leak your keystrokes to another server as you typed in the form, even before you clicked submit.

    The fact that InfoCard blocks this type of attack is one of many reasons that InfoCard is a very cool technology.