The Hazards of Relying upon Browser Quirks

While many web developers find subtle browser behaviors baffling, often browser developers are bewildered by web content. Yesterday, we ran into an interesting site compatibility problem that occurs in the latest internal version of IE9. The site in question is a popular site which uses a Flash applet as a major component of the site. Upon attempting…


HTTPS Caching and Internet Explorer

From time to time, I get questions about Internet Explorer’s behavior when it comes to caching of HTTPS-delivered content. It comes as a surprise to many that by default, all versions of Internet Explorer will cache HTTPS content so long as the caching headers allow it. If a resource is sent with a Cache-Control: max-age=600 directive, for instance,…


AES is not a valid cipher for SSLv3

A Windows 7 user of Fiddler encountered an interesting error this morning, and it reminded me of an interesting HTTPS compatibility problem we found in the Windows Vista timeframe. The user is trying to visit with Fiddler running in HTTPS-decryption mode. Fiddler uses the SslStream class to communicate with upstream servers. As in IE…


Understanding Certificate Name Mismatches

Recently, I received a query from the Windows Mobile team: they had observed that visiting triggers a certificate name mismatch error on IEMobile, but doesn’t seem to trigger any error on Windows 7 when using the desktop versions of Internet Explorer or Firefox. Now, long-time readers know that I love a good mystery, so…


Internet Explorer Cannot Download https://something

Earlier today, I was asked to troubleshoot a secure site where file downloads were always failing. Having seen this problem many times over the years, I immediately suspected that the web developer wasn’t aware that if a user tries to download* a file over an HTTPS connection, any response headers that prevent caching will…


Client Certificate Selection Prompt

The HTTPS protocol allows a secure server to request that the client verify their identity with a client certificate during the initial secure handshake. By presenting a client certificate, the browser helps further defeat man-in-the-middle attacks and authenticates to the web server more securely than when using just a username and password. Internet Explorer’s behavior…


Getting the Server’s Certificate Chain from WinINET

Over the last few years, a number of folks have lamented that there’s no good way to get the server’s complete certificate chain from a WinINET HTTP response. That has changed with the release of the new WinINET shipping in Windows 7 / IE8. INTERNET_OPTION_SERVER_CERT_CHAIN_CONTEXT is a new flag you can pass to InternetQueryOption to grab the server’s certificate chain…


Handling Mixed (HTTPS/HTTP) Content

Update: IE9 includes improved handling of Mixed Content. Background: As we developed Internet Explorer 8, we spent quite a bit of time pondering what to do about IE7’s infamous “Mixed Content” warning prompt. As I noted on the IEBlog four years ago, the mixed content warning occurs when a…


Windows 7 adds support for TLSv1.1 and TLSv1.2

Windows 7’s updated crypto stack (schannel.dll, etc.) offers support for TLSv1.1 and TLSv1.2. While disabled by default in IE8 (for compatibility reasons; some legacy sites will fail to connect when the updated TLS version is offered), the new protocol versions can be enabled by checking the appropriate boxes at the bottom of Tools / Internet…