IE7 at RSA San Francisco


Back in November, we announced our intention to bring Extended Validation SSL Certificates to IE7. This week at RSA we’ve announced that IE7’s EV SSL support is now live! Many Certification Authorities (CAs), including VeriSign, CyberTrust, Entrust and GoDaddy, are already issuing EV SSL Certificates. We are already seeing businesses (such as eBay, PayPal, Charles Schwab, Overstock.com, French Soaps and Stardock) beginning to use EV to offer verified identity information to their users. I recently read a Gartner Inc. survey that discovered nearly $2 billion were lost in e-commerce sales in 2006 due to security concerns – we certainly hope that IE7 and EV will help to reduce that number.

As EV enters the mainstream, users will need to find out more about these new certificates and how to use them when navigating the internet. We have posted new information on Extended Validation SSL (and FAQ), a tutorial on how to use the information presented in the Security Status Bar, and updated our online safety and identity theft guidance to take EV into account. Website owners who want to offer EV will be interested in our IE7 EV Implementation Guide.

Two years ago, Bill Gates announced IE7 at RSA highlighting the Phishing Filter as one of its major features. Today, at RSA, we reported updated results on the Phishing Filter. Since IE7 launched in October, the Phishing Filter has blocked more than 10 million attempts to visit known phishing websites – and is currently experiencing a rate of over 1 million blocks a week. IE7 users and our data providers are adding nearly 10,000 Phishing sites every week to help protect our community of users.

In addition to the 3 Sharp LLC analysis we commissioned a while back, Carnegie-Mellon University’s Dr. Lorrie Cranor and her colleagues updated their independent, comparative study on anti-phishing toolbar accuracy last month, confirming that the Phishing Filter in IE7 is one of the most accurate anti-phishing technologies they tested. It was the only one that consistently caught more than 60% of phishing sites while having the lowest possible rates of incorrect ratings (otherwise known as false positives).

We are continuing to improve the Phishing Filter. At RSA we announced 4 new Phishing Filter data providers: the Australian Computer Emergency Response Team (AusCERT), BrandProtect, MySpace.com, and Netcraft’s data from their anti-phishing toolbar (both IE and Firefox). Together with our current partners (Cyveillance, Digital Resolve, Internet Identity, Mark Monitor, RSA) and our IE7 users, who continue to report great leads to us, we hope this will continue to improve the effectiveness of our Phishing Filter.

If you are at RSA, make sure and check out the IE Pod (#16) in the Microsoft booth (#1208).

Jeremy Dallman
IE Program Manager

Comments (26)

  1. cooperpx says:

    @ Jeremy Dallman

    Have you ever noticed how IE7 no longer provides you any information about an untrusted certificate (i.e. self-signed) before accepting it?

    File -> Properties -> Certificates = Error message saying no certificate is present.

  2. cooperpx says:

    @ Jeremy Dallman

    (Sorry for the double post) It would also seem that if you install the ‘bad’ certificate the bar stays red until you restart IE7?

  3. SurrealLogic says:

    Sorry to be off topic, but does anyone else have an issue with horrible flickering problems in IE7 on Vista Ultimate? Firefox is fine, I think I have the latest drivers, but anything Flash or animated javascript flickers like crazy. Any thoughts?

  4. As I have noted a couple of times over the past couple of days, IE7 Extended Validation has gone live:

  5. TMaster says:

    Strange, my address bar doesn’t turn green when visiting those sites, not even when I turn on the automatic phishing filter.

    In fact, when I visit the Woodgrove Bank demonstration site, it turns red, because I haven’t accepted the certificate authority.

    Is this normal behavior – I seem to recall Extended Validation not being enabled yet, but I thought it would be fully functioning in February 2007?

    What error am I making? The certificate does say "Extended Validation" in it.

  6. EricLaw [MSFT] says:

    TMaster: I assume you’re using Windows XP?

    Try visiting https://www.verisign.com first.  

  7. Sylva Lisko says:

    Since we have downloaded the new IE7 last year

    there is just trouble – error msgs, pages not responding, everything is slow.

    on our other laptop we kept the IE6 and all is perfect.

    can we go back from IE7 to IE6 on our PC?

    thank you

  8. Tim says:

    Taking research from Gartner at face value is NOT wise advice.

  9. This is such a cool story. Two years ago, Bill Gates announced IE7 at RSA highlighting the Phishing Filter

  10. Tmaster,

    You need to turn on your phishing filter, and set it to automatic, *and* ensure server certificate revocation checking is not turned off, to see the green bar.

    The red certificate at Woodgrove is to be expected; the *testing* certificate was not issued by a trusted authority, that is, it was issued by "Microsoft Enhanced Validation Testing PCA".  To see the list of trusted authorities, go to tools, internet options, content tab, certificates button, trusted root certification authorities.

    Sandi

  11. AK says:

    I faced 2 Problems with IE 7

    1. First time when I enter any domain name and press Ctrl+Enter IE7 hangs for almost 30 sec.

    2. If I sign into multiple sites using tabs and logout from any of the sites, I get logged out from all other sites. may be a cookie problem..i guess!??

  12. Today, Bill Gates and Craig Mundie keynoted the RSA Conference 2007 and announced a variety of security related Microsoft initiatives. Perhaps the biggest news was announced in detail on the blog of Microsoft’s Kim Cameron where Microsoft p…

  13. EricLaw [MSFT] says:

    @Sandi: Actually, ~either~ setting the Phishing Filter to Automatic ~OR~ enabling Server Certificate Revocation Checking is sufficient.

    @AK: Do you see the delay if you type the "http://" before the domain name?  

    What sites are you logging out of?  Logging out of some sites (like Outlook Web Access) will clear your session cookies.

  14. Jerry Pisk says:

    What I don’t get is why the need for EV certs? If the existing certificates are being issued to anyone who asks for them without any verification wouldn’t the fix to that problem be to start validating cert requests? EV certs are basically an acknowledgment of the fact that regular certs are not trustworthy. As such, those shouldn’t be trusted at all.

  15. Michael says:

    Are you sure a GREEN address shows up when navigating to websites like Verisign in WinXP?

  16. Tony says:

    @ Sylva, visit the IE7 support site for free technical support, http://www.microsoft.com/windows/products/winfamily/ie/iefaq.mspx

    @ Jerry, I agree completely. Verification sites must do their job, otherwise we will continue to have escalations of new certificates with new names that eventually become obsolete themselves. The system is flawed, please don’t propagate it any further until it’s been fixed.

    Also announced today by Bill Gates and Craig Mundie is the continued development of IPv6 and IP/Sec. Mr. Gates was even quoted:

    “Passwords are not only weak, the more you get of them, the worse it is,” Mr. Gates said. “We see smart cards, in specific, but certificates in general as the way to go.”

    Are the EV and future certificates what Bill was referring to? If so Jerry’s comment has merit and needs to be resolved before standards such as OpenID and CardSpace become compromised as well.

  17. @IE team

    It would be nice if you could add a new SecureLockIconConstant identifying EV SSL connections to the DWebBrowserEvents2::SetSecureLockIcon event so that security add-ons for IE can take advantage of the new EV certificates as well.

    Regarding UI flickering: The status bar and the small edge between the tab bar and the actual Web content frame still flickers if switching tabs.

    Any plans on allowing us to report bugs we find in IE again? The connect bug database was a good approach, but was unfortunately turned off after RTM.

    Besides, congratulations on launching Vista and EV SSL.

  18. islander says:

    Since I installed IE7 I have had MAJOR hiccups of one kind or another……. now it won’t even load up pages of ANY sort………..

    I am on Windows XP (home) and do NOT intend to go over to VISTA because it is a wannabe MAC platform and I should have gone Mac instead of staying with windows because it just keeps crashing and crashing and hanging and hanging!

    I don’t know why there is a new UNimproved version of IE for non techies……….

  19. say2joe says:

    How can the Go button (used with the Address Bar on the Taskbar) be removed now that the option to remove it is no longer included with IE7 Advanced Options? I’ve already done a few searches of the registry with no success.

    I’m using XP Pro with IE7 (/w latest updates).

  20. Aedrin says:

    "Since I installed IE7 I have had MAJOR hiccups of one kind or another……. now it won’t even load up pages of ANY sort………..

    I am on Windows XP (home) and do NOT intend to go over to VISTA because it is a wannabe MAC platform and I should have gone Mac instead of staying with windows because it just keeps crashing and crashing and hanging and hanging!"

    The obligatory car reference:

    If people who owned cars kept buying all these third party components and never got it serviced, how long do you think it would last?

    Do you really think a Mac will improve your experience?

    Are you a victim of marketing lies?

  21. EricLaw [MSFT] says:

    @say2joe: Remove the "Go" button from the Addressbar in your task bar by opening Windows Explorer (not IE) and right-clicking on the "Go" button there, then unchecking "Go button".

    @Viktor Krammer: Yes, SecureLockIconConstant would be a good start, but at the moment, we don’t expose a good way for extensions to grab the certificate itself, so the constant alone likely would not be enough.

    @Jerry Pisk: The issue is that there’s no standard for what type of validation is performed for a non-EV certificate.  Each CA sets their own policies, and some are stronger than others.  In contrast, the EV guidelines that IE7 supports specify the exact bar for vetting the identity information for all CAs.

    Implying that non-EV SSL isn’t trustworthy isn’t exactly correct; it’s fair to say that it ensures the privacy and integrity of the connection, but provides only limited verification of the identity of the remote server. At a minimum, it ensures that the registered owner of the domain name (which itself may be misleading) is able to respond to certificate registration confirmation mails.

    Hence, EV was created to offer a higher and standardized level of assurance of the identity of the remote server.

  22. Alex says:

    I found a very tiny bug in the Address Bar when using EV SSL Certificates, see the image at this url (nevermind the JPEG-corruption):

    http://swb.alex-media.nl/photos/C11184B4-C845-E8B2-EB1F-CD4394DB6A82.jpg

    What you’re looking at: the company name should be ‘Charles Schwab & Co., Inc. [US]’. You see: ‘Charles Schwab _Co., Inc. [US]’

    The problem is caused by the company name having an ampersand in it. It is displayed as a _ because that’s Windows mnemonic-key. When you click on the icon, the correct company name is displayed.
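The mnemonic-prefix behaviour described in the comment above, as an added example (not code from the comment or from IE). `render_prefix` and `escape_prefix` are hypothetical names; the renderer is a simplified model of the Win32 `&` convention, and the organization string is the one quoted in the comment.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of Win32 prefix processing: "&&" draws one '&'; a lone '&'
   is dropped and underlines the next char (an underlined space shown as '_'). */
size_t render_prefix(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return (size_t)-1;
    while (*in) {
        char c = *in++;
        if (c == '&') {
            if (*in == '\0') break; /* model assumption: trailing '&' draws nothing */
            c = *in++;
            if (c == ' ') c = '_';
        }
        if (n + 1 >= cap) return (size_t)-1;
        out[n++] = c;
    }
    out[n] = '\0';
    return n;
}

/* Fix: double each '&' (or disable prefix processing: SS_NOPREFIX, DT_NOPREFIX).
   Returns escaped length, or (size_t)-1 instead of truncating the identity. */
size_t escape_prefix(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return (size_t)-1;
    for (; *in; in++) {
        size_t need = (*in == '&') ? 2 : 1;
        if (n + need >= cap) return (size_t)-1;
        out[n++] = *in;
        if (*in == '&') out[n++] = '&';
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    const char *org = "Charles Schwab & Co., Inc. [US]"; /* from the comment */
    char esc[96], raw_shown[96], esc_shown[96];
    render_prefix(org, raw_shown, sizeof raw_shown);
    escape_prefix(org, esc, sizeof esc);
    render_prefix(esc, esc_shown, sizeof esc_shown);
    printf("unescaped: %s\nescaped:   %s\n", raw_shown, esc_shown);
    return 0;
}
```

Certificate subject fields are chosen by the certificate requester, so any UI that displays them as identity should escape them for the control that draws them.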

  23. TMaster says:

    Sandi, thank you!

    I wasn’t so much surprised the Woodgrove Bank site had a red bar, it made sense to me, since I knew it was self-signed. Sorry if I didn’t make this clear.

    However, your comment that the certificate revocation has to be enabled solved the problem for me. I doubt this is the default setting anyway, I just cannot remember turning it off.

    I guess this was an obvious case of PEBKAC. And thanks to Eric for the reply as well =)

  24. That is how much the Phishing Filter in IE7 stops. Since its launch in October, Internet Explorer 7 has blocked

  25. EricLaw [MSFT] says:

    @Alex: Nice catch, and your analysis is spot on.

    This bug was only discovered after we shipped IE7; we’ll be fixing it in a future version.

  26. IEBlog says:

    I’ve talked several times in the past about Extended Validation SSL certificates and how they are a great