IE7 and High Assurance at RSA Europe

One of the best parts of IE7 is actually yet to come. High Assurance SSL certificates, now known as Extended Validation certificates, are a critical part of our strategy to help customers avoid online fraud like phishing scams.

How a site will appear in IE7 with an Extended Validation certificate

We’ve been hard at work with the other browsers and certification authorities on a set of common guidelines to identify a legitimate business and issue it an extended validation certificate. While we’re finishing up the guidelines for Extended Validation, some key members of the CA/Browser Forum will be at RSA Europe to answer your questions about what Extended Validation certificates will mean to businesses.

Our panel discussion “Raising the Bar: the impact of high assurance SSL standards and browsers” will directly follow the keynote speech on Tuesday morning. I will join key leaders from the CA/Browser Forum, including Kirk Hall with Chosen Security, TC TrustCenter, formerly of Geotrust, and Siddharth Bajaj of Verisign. We’ll explain the need for Extended Validation certificates and cover some of the strategies that browsers are using to fight phishing. If you plan to attend RSA Europe, we hope you’ll come by to ask a question and join the discussion. IE7 will also be on display at the Microsoft booth after the panel, so you can come by and test drive the feature yourself in Windows Vista.

See you there!

Rob Franco
Lead Program Manager

Edit: adjusted image attribute, revised Kirk Hall’s title

Comments (54)

  1. mjb says:

    so high assurance means

    "We as PKI minters promise to really really reliably check a company’s information and contact. We will personally deliver the certificate on disk in person after verifying the corporate/organizational location. And we will make sure no homophonic issues are likely, working together with other minters of certs."

    Cuz nothing less will really do. The current issues with PKI (and it’s what’s preventing usage in many cases) is that

    a) on the one hand it’s cumbersome. Users often have to understand far too much about CAs, trusted lines, certificate revocation, and such. Users have to know to make a safe decision when various certs have bad CNs, or expire, or the CA is untrusted. And users gotta get hold of others’ public keys and have their own private keys travel with them. Assumedly this proposal doesn’t do a thing about this.


    b) The whole hierarchy of trust thing is problematic in that you basically punt the trust up the tree. At some point the user has to trust the minting CA. And the problem is CAs, including major ones starting with V and T, have not been careful or vigilant in their policies.

    It should be HARD (time and procedure wise, not in understanding) to get a trusted CA cert used for browsing and e-mailing. HARD. I know that isn’t a popular position, but otherwise how do you ensure trust?

  2. Mjb, A lot of what you’re suggesting is captured in the EV guidelines.

    There are lots of CAs today who do a good job. The problem is that there isn’t a common set of practices.

    Users shouldn’t be expected to understand PKI or deal with certificate errors and that means that online businesses should keep their certs up to date.

    I understand why you want to build a system that can’t be abused but I don’t agree that the process should be hard for its own sake or hard for legitimate businesses. It should be hard for anyone who wants to abuse the system.


  3. Philip says:

    I’m rather amused … when I checkout the WoodGroveBank demo site, IE7 is smart enough to recognize it as a certificate error 😉

  4. Mark says:

    Weird. It just redirects me to the MS IE7 website.

  5. Philip, I should have added that to my post. You can install the test root for the demo site here:

  6. Soum says:

    It’s still a certificate error. And how do you get the refresh and stop button into the address bar? And what is the hand icon?

  7. David says:

    With IE6 I could fit everything in one thin tool bar, even the Google toolbar would fit. IE7 takes up 3 and hogs the page.

    The top toolbar is a waste of space, an obvious attempt for Microsoft to pawn their SE to the masses.

    I don’t need IE7’s embedded search, the Google toolbar does much more.

  8. Soum, make sure you restart IE after you install the test root and type in

    The hand icon is to help with scrolling, particularly handy if you zoom. I’ll ask the UX team to reply about the buttons.

    David, you can plug any search engine you want into the search box. Try it out!

  9. Jason says:

    How can you download the congoo netpass into this browser?

  10. Dan says:

    From what I read it’s because of the anti-phishing security that the address bar can’t be removed or hidden. Well Firefox will also incorporate that technology but lo and behold their toolbars are still completely customizable.

    Sadly I really don’t think Microsoft gets it. The new internal features are great, but it’s not what people see when they look at the browser, it’s the UI. Good programmers would find a way to make the browser secure without taking away useful features from the browser itself. Until MS does that, don’t be surprised to hear more people rejecting IE7 until it becomes more user friendly.

  11. Steve says:

    So, when is IE7/8/9? going to support PNG images for favicons?

    Kinda sad that in this release this didn’t get in there.

    Is this blocked by the PNG Gamma bug?

  12. EricLaw [MSFT] says:

    Some folks have observed that visiting the Woodgrove Bank site from this screenshot shows a certificate error.  This is because the site is using a test certificate generated by a test root.  You can install the test cert here:

    Once the EV standard is finalized, final roots will be issued that permit EV certificate authorities to issue the certificates that light up the IE7 UI in green.

  13. Dan_Close_Your_Mouth! says:


    In IE7 you can disable the antiphishing, so Dan please close your mouth!

  14. favicon_png_already_supported says:


    png in favicon is already supported!

  15. Dan says:

    Dan_Close_Your_Mouth wrote:

    [Q]In IE7 you can disable the antiphishing, so Dan please close your mouth![/Q]

    But you still can’t get rid of the address bar or customize the toolbars can you? A little advice: think before talk.

  16. Dan_Close_Your_Mouth says:


    yes, you can

    Internet options -> Internet settings -> custom level -> allows sites to open website without address bar

  17. Dan_Keep_Closed_Your_Mouth! says:


    yes, you can

    Internet options -> Security -> Custom level -> allows sites to open website without address bar.

    So Dan keep closed your mouth!!!!!

  18. Dan says:

    Can you customize the toolbars? Can I move things around to my pleasure as in IE6? Of course you can’t. Go on shilling for Microsoft all you want, when they or any company does something right they deserve to be complimented for it but IE7 is a disaster in so many ways and telling people to shut up isn’t going to change anyone’s

  19. Dan_Keep_Closed_Your_Mouth! says:


    Right click on command bar -> customize command bar

    Dan Keep closed your mouth!

  20. Dan says:

    It’s probably clear to anyone reading this by now that you’re a troll. I’d certainly hate to think you’re a Microsoft employee, but then that might explain the sorry state of this interface lol.

  21. Steve says:


    Well, my tests beg to differ.

    <link rel="shortcut icon" href="…" type="image/x-icon"/><!-- Legacy MSIE -->

    <link rel="icon" href="…" type="image/x-icon"/><!-- Modern Browsers: Mozilla, Konq, Safari & Opera -->

    doesn’t work on the tests I’ve done.

    If it does work, what is the syntax?

  22. Brent says:

    @Dan’s Troll

    Yeah, you can customize some stuff, but none of the stuff people care about.

    1) You can’t get rid of the stupid command bar

    2) You can’t get rid of every tool in the command bar (even though it looks like you can)

    3) You can’t move the command bar to put it on a row where there is space. (There isn’t space on the tab bar, because that bar is for TABS!)

    4) You can’t move the FILE menu to the top, without hacking the registry.

    5) If the FILE menu toolbar isn’t displayed, pressing ALT on a page does a weird rendering adjustment as it tries to slide the menu in. (Happens every 5 min or so, when you do an ALT-TAB to switch applications.)

    6) Can’t move the favorite icons out of the TAB bar.

    7) Can’t put duplicate "labeled" favorites in the links toolbar.

    8) All the menus for the command bar are backwards. Who put them on the far right? They don’t work like regular menus. (In many cases, you can’t access the previous item, because this item obscures the previous.)

  23. nobody important says:

    Tried internet explorer 7 and it screwed up my computer, deleted it to fix

  24. rc says:


    type="image/x-icon" for a PNG file? What does PNG specification say about this?

  25. John says:

    I’d just like to say... If IE7 had a Firefox-like interface, I’d use it :)

    The new menubar is unnecessary as well as other UI oddities.

  26. Fiery Kitsune says:

    Why has MSFT removed the end-user’s ability to choose to run IE in an unsafe manner? I honestly find it offensive that I can’t run IE in a manner that I find convenient.

  27. EricLaw [MSFT] says:

    The green address bar will display for Extended Validation certificates in IE7 on XP and on Vista.

    Note that if you want the green to show on XP, you must either turn on Certificate Revocation checks (Tools / Internet Options / Advanced) or enable the phishing filter’s "Automatic" mode.

  28. EricLaw [MSFT] says:

    <<Why has MSFT removed the end-user’s ability to choose to run IE in an unsafe manner?>>

    That question pretty much answers itself.  🙂

    Of course, the question is more accurately phrased: <<Why has MSFT removed the end-user’s ability to choose to run IE in an unsafe manner without warning them about it.>>

    That question also pretty much answers itself.

  29. Adam says:


    "Note that if you want the green to show on XP, you must either turn on Certificate Revocation checks (Tools / Internet Options / Advanced)"

    Is the Certificate Revocation check turned on by default? And which one should be turned on: "Check for publisher’s certificate revocation" or "Check for server certificate revocation"? Currently the "Check for publisher’s certificate revocation" is turned on.

  30. Mike says:

    The following site doesn’t work in IE7, or any other IE.

    The layout looks fine in Firefox, Safari and Opera.

  31. Jerry says:

    I would rather see a way to see a certificate if there is a certificate error. IE6- displayed the certificate along with a listing of what’s wrong with it. You could then take a look at it and decide whether you want to trust it or not. IE7 simply says there’s a certificate error, but the only way to examine the certificate is to accept it first.

  32. mjb says:

    Thanks for the response Rob. I agree with what you say except

    "I understand why you want to build a system that can’t be abused but I don’t agree that the process should be hard for its own sake or hard for legitimate businesses. It should be hard for anyone who wants to abuse the system"

    Obviously on the surface this is true. But the problem is because you place absolute trust in the signing CA, the CA MUST make stringent checks. That’s the part I meant should be HARD.

  33. Hillary says:

    So, this seems so silly, but where do we submit bugs?

    I have 1 or 2 that I would like to advise the dev team about (possibly security related)


  34. Fiery Kitsune says:

    While I do appreciate the intent of the warnings, I should be able to disregard them and have an option to never have to see them again.

    Even if such an option was not readily accessible to a consumer, a power user such as myself would be delighted to see a hidden gpedit-esque way of "making IE7 my *****".

  35. EricLaw [MSFT] says:

    @Jerry: The certificate is not shown for a reason.

    Oversimplifying matters just a bit, take the following analogy:

    Showing the user a certificate which hasn’t passed validation and asking them to examine the data in the invalid certificate is akin to asking a mugger with gun in hand: "Are you a criminal?" and then trusting them not to lie to you.

    @Fiery: There is a group policy control for this. It maps to the registry value

    Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck

    It’s a DWORD value; set to 1 to disable.

    @Adam: You’ll need the Server Certificate Revocation check turned on, or the Phishing filter set to automatic.

    @Hillary: As with all Microsoft products, please send security concerns to
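    The two settings EricLaw's replies above tie to IE7's certificate UI (the "Check for server certificate revocation" option needed for the green bar on XP, and the DisableSecuritySettingsCheck policy value) can be audited from a script. The following is an added example, not code from the IE Blog or its comments, written from the administrator's side: it only reads the values and reports whether they are in the safe state. Two things are assumptions rather than statements on the page: that the "Check for server certificate revocation" checkbox is stored as the DWORD `CertificateRevocation` under the current user's Internet Settings key, and that `DisableSecuritySettingsCheck` is worth checking under both HKCU and HKLM since the comment gives the path without a hive. The phishing filter's "Automatic" alternative is not audited here.

```powershell
# Added example (not from the IE Blog post or its comments).
# Read-only audit of the two IE settings discussed in the comments above.
# Assumption: "Check for server certificate revocation" is stored as the DWORD
# CertificateRevocation under Internet Settings (1 = checking on).
# Assumption: DisableSecuritySettingsCheck is checked under both HKCU and HKLM
# because the comment gives the path without a hive (1 = check disabled).

function Get-IESecuritySettingAudit {
    $findings = @()

    # 1. Server certificate revocation checking, the prerequisite for the EV green bar on XP.
    $internetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $revocation = Get-ItemProperty -Path $internetSettings -Name CertificateRevocation -ErrorAction SilentlyContinue
    $revocationValue = if ($null -ne $revocation) { $revocation.CertificateRevocation } else { '(not set)' }
    $findings += [pscustomobject]@{
        Setting  = 'Check for server certificate revocation'
        Location = "$internetSettings\CertificateRevocation"
        Value    = $revocationValue
        Expected = 1
        Ok       = ($null -ne $revocation -and $revocation.CertificateRevocation -eq 1)
    }

    # 2. The policy value that silences the security-settings warning; 1 means the check is off.
    foreach ($hive in 'HKCU', 'HKLM') {
        $path = "${hive}:\Software\Microsoft\Internet Explorer\Security"
        $item = Get-ItemProperty -Path $path -Name DisableSecuritySettingsCheck -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.DisableSecuritySettingsCheck } else { 0 }
        $findings += [pscustomobject]@{
            Setting  = 'DisableSecuritySettingsCheck'
            Location = "$path\DisableSecuritySettingsCheck"
            Value    = $value
            Expected = 0
            Ok       = ($value -ne 1)
        }
    }

    return $findings
}

# Print the audit; any row with Ok = False is a setting that weakens IE7's certificate UI.
Get-IESecuritySettingAudit | Format-Table Setting, Value, Expected, Ok -AutoSize
```

    A missing `CertificateRevocation` value is reported as "(not set)" rather than treated as on, because the page's own exchange (comments 27 and 29) shows the default is easy to get wrong; a row with `Ok` false is the one to fix through Internet Options or Group Policy rather than by editing the registry by hand.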

  36. Fiery Kitsune says:

    Eric, you just made my day… Thanks.

  37. ieblog says:


    Please send an email to the IE Blog so that we may further investigate. Thanks!

  38. Fiery Kitsune says:

    Why is nothing showing up in the Group Policy Editor?

  39. EricLaw [MSFT] says:

    @Fiery: To see the IE group policy settings:

    Navigate to User Configuration \ Administrative Templates \ Internet Explorer.

  40. Fiery Kitsune says:

    Eric, I’m in gpedit, I’m just not seeing what you are seeing.

  41. petknep [MSFT] says:


    The stop and refresh are in the address because that’s the UX on Vista.

    IE7 XP has different UX.

    I have no clue what that hand icon is.

  42. Jerry says:

    Eric, there are cases when users can choose to accept a certificate that didn’t pass validation. I can think of two cases: going to a site that didn’t renew their certificate, and going to a site using an IP address instead of a name. In either case the certificate will fail validation, BUT I do not want to blindly trust any certificate that’s served; I do want to have the option to examine it to make sure the problem is what I expect it to be. In IE 6 I could have checked to make sure it’s only the expiration date, or only the common name checks that failed. In IE 7 I no longer have that option. Also, quite a few companies that develop software on the side use production certificates to secure their testing sites, which of course fail validation because of common name mismatch, but IE 7 users are now vulnerable to attacks because they can no longer see that the certificate is their real one. If someone does hijack the internal site there is no way to find out until it’s too late.

  43. EricLaw [MSFT] says:

    @Jerry: Therein lies the problem. The vast majority of users don’t understand certificates or certificate errors.

    For instance, you say that you want to make sure that the certificate is "just expired". Most people think "Oh, an expired certificate is okay". But it’s really not; certificates have an expiration date for a reason. A cert holder is under no obligation to protect the private key once the cert is expired, and a CA is under no obligation to maintain revocation information after a cert it issued has expired. Hence, even an expired certificate is far more dangerous than most folks realize.

    For internal development servers, you should simply deploy a test certificate to your organization’s clients. This is the secure way to handle this problem. The only secure alternative is to write down the lengthy certificate hash and manually compare it, character by character, on each visit. This, obviously, is more trouble than anyone would regularly go to.

    And remember, as always, you may choose to ignore certificate errors and continue. If you’d like to view the certificate, simply click the View Certificate link.
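    The reply above makes two points that can be turned into a concrete client-side check: an expired certificate is never acceptable, and the only sound way to accept an internal server whose certificate fails name or chain validation is to compare the whole certificate's fingerprint against one recorded in advance, which is what Jerry wants (to tell "my certificate with a different CN" apart from "someone else's certificate"). The script below is an added example, not code from the IE Blog or its comments; it uses the .NET X509 classes that PowerShell exposes. The host name `intranet.example.test` and the pinned-thumbprint table are constructed for the demonstration, and the sample certificate is simply whichever certificate is first in the machine's Root store, so the script runs without any input file.

```powershell
# Added example (not from the IE Blog post or its comments).
# Applies the evaluation order argued in the comment above:
#   1. expired / not-yet-valid: reject, nothing can override this;
#   2. chain (with revocation) and host-name checks, as a browser performs them;
#   3. for an internal server, a CN mismatch or untrusted chain may be accepted only
#      when the certificate's thumbprint matches one pinned in advance, so a swapped
#      certificate is caught while the reasons for the failure stay visible.
# Assumptions: host names and the pin table below are constructed for the demo.

function Test-ServerCertificate {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $ExpectedHostName,
        [hashtable] $PinnedThumbprints = @{}   # host name -> thumbprint recorded out of band
    )

    $result = [ordered]@{
        Host       = $ExpectedHostName
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Verdict    = 'reject'
        Reasons    = @()
    }

    # Step 1: validity period is a hard failure; an expired cert has no revocation guarantee.
    $now = Get-Date
    if ($now -gt $Certificate.NotAfter)  { $result.Reasons += "expired on $($Certificate.NotAfter.ToString('u'))" }
    if ($now -lt $Certificate.NotBefore) { $result.Reasons += "not valid before $($Certificate.NotBefore.ToString('u'))" }
    if ($result.Reasons.Count -gt 0) { return [pscustomobject]$result }

    # Step 2a: build the chain with online revocation checking, as IE does when the option is on.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($Certificate)
    if (-not $chainOk) {
        foreach ($status in $chain.ChainStatus) { $result.Reasons += "chain: $($status.StatusInformation.Trim())" }
    }

    # Step 2b: the name the user typed must be the name the certificate was issued for.
    $certName = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameOk = ($certName -ieq $ExpectedHostName)
    if (-not $nameOk) { $result.Reasons += "name mismatch: certificate is for '$certName', expected '$ExpectedHostName'" }

    if ($chainOk -and $nameOk) {
        $result.Verdict = 'accept'
        return [pscustomobject]$result
    }

    # Step 3: internal-server fallback. Only an exact fingerprint match overrides the failures,
    # and the failures are still reported so the user sees exactly which check did not pass.
    $pinned = $PinnedThumbprints[$ExpectedHostName]
    if ($pinned -and ($Certificate.Thumbprint -ieq $pinned)) {
        $result.Verdict = 'accept (pinned fingerprint matched)'
    }
    return [pscustomobject]$result
}

# Sample run: the pin is taken from the same certificate, which is the one situation in which a
# name mismatch is accepted; change one character of the pin and the verdict becomes 'reject'.
$sample = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -First 1
Test-ServerCertificate -Certificate $sample -ExpectedHostName 'intranet.example.test' `
    -PinnedThumbprints @{ 'intranet.example.test' = $sample.Thumbprint } | Format-List
```

    The pin is compared against the certificate's thumbprint rather than against the subject fields, because the subject is exactly what an attacker who obtained their own certificate for the same name would reproduce; the thumbprint is over the entire signed certificate. Pinning is the scripted form of the "write down the hash and compare it" alternative the comment describes, and it is only safe when the pin was recorded from a certificate obtained through a trusted channel.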

  44. PSchuetz says:

    Hi there,

    that’s a great initiative, but I hope IE7 will support TLS 1.2, and that you can only use that Extended Validation (process) with/on TLS 1.2..!

    I think it is really important and necessary that High Assurance certificates become TLS 1.2 and only TLS 1.2, because of the security reasons, issues and need.

    Details here:

    Without that, your new strategy/guidelines is/are not that good and seems almost useless! -.-

    best regards,


  45. CryptoGenie says:

    More about what pschuetz is talking about is here: Basically, some researchers have found some ways to make the SHA-1 algorithm easier to crack.

    It’s pretty safe to conclude that HTTPS traffic is still very secure, since it would cost many millions of dollars to very slowly break keys, if it’s even possible. Now, ten years or so from now (when computers are ~32 times as powerful or 1/32 as expensive) it’ll start to be interesting to talk about this attack in terms of cost/value.

  46. Is this a way for CAs to have their certificate in the "trusted" store without having to go through a Webtrust audit? That method of examining an organization’s CP / CPA / PDS was very expensive if I remember correctly. Does MS even use the results of a Webtrust type audit to determine acceptance of a root cert? It’s been some time since I have been in the PKI arena.


  47. EricLaw [MSFT] says:

    @Chris Harrington: See for the requirements to join the Microsoft Root program.

  48. Jerry says:

    I agree that most users do not understand the issues. But IE6- was not showing the cert by default, it was only giving an option to those that do know what to look for. IE7 no longer gives that option. So if someone hijacks my internal site, I have no way of seeing whether the certificate failed because of a different CN (but is still my certificate) or because someone broke in and installed theirs.

  49. Doug says:


    You can see it.

    1. Click "Continue to this website (not recommended)"

    2. Click "Certificate Error"

  50. Magnus A says:

    I don’t like the place of the refresh and stop button now. I would like to see an option where you can place these two buttons on each tab. I also would like to see a close button on the first tab. If you close the first tab, the only thing left should be the "new tab" button. If there aren’t any tabs open and you write an address, then a tab should open when you press enter.


  51. Stephen says:

    Impartial information on the proposed Guidelines for Extended Validation SSL may be found at

  52. Chris says:

    What skin is that demonstrated on this post?  I want my IE7 window to look like that!

  53. IEBlog says:

    I’m Markellos Diorinos, and I am a product manager with the Internet Explorer team. Yesterday I read