Mary Branscombe (marypcb) wrote,

Internet Explorer 7: security considered harmful?

Whenever I write about Microsoft, there are always reader questions about whether a technology is being used to achieve unfair competitive advantage (because it's usually acceptable to use technology for a fair competitive advantage; that is after all what capitalism thrives on). I've recently looked at the changes in CSS and security for the Developer section of The Register (Getting your site sorted for IE 7 The Register and Getting on the right side of IE 7 security) and I had one reader question in particular.
"I just read your piece on IE 7 security. One statement that I found interesting was:
'the filter will also look for sites incorporating content or scripts from another domain'
Since most ad placement systems use scripts that point to another site, like Google's AdSense, does this mean Microsoft will effectively be able to block ads from all their competitors..."

Short answer: no. But they might be able to spot redirect ad fraud scripts…

For one thing they're not actually that stupid ;-) At MIX 06, I think the two things I heard most from the IE team were 'sorry' and 'balance'. Sorry we didn't work on the browser as a new release for five years and we want to get the balance between features and security, between ease of development and security - or between just about anything and security - right. And while some search providers don't think supporting OpenSearch and highlighting every OpenSearch compatible site you visit to add as a search provider is enough (question: should the Google toolbar let me add other search sites to the drop-down so I could repeat the image search on Flickr?), the browser team are talking to too many of the ecosystem of Web sites and services to do something so obviously, cluelessly stupid.

Cue the usual distinctions between restricting the dangerous use of a legitimate thing without stopping the everyday use. What you're looking for here is scripts, content and links that divert you from what looks like a real site to the fake one – cross-site scripting attacks, scraping real images from PayPal to make your phishing site look legitimate, replacing legitimate HTTP content on a mixed HTTP/HTTPS site (why that's so deprecated) so the instructions tell you to type into the insecure box rather than click the secure button.
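
An added illustration, not part of the original post and not a description of how IE 7's filter is implemented: a small Python audit that grades a page's external references along the lines drawn above, so an ordinary third-party script is merely noted while HTTP content or form targets on an HTTPS page and hotlinked brand images are flagged. The host names, the `brand_hosts` parameter, the severity labels and the sample HTML are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch from, or submit to, a URL.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "form": "action"}

class ResourceAudit(HTMLParser):
    """Grade each external reference instead of flagging every cross-domain one."""
    def __init__(self, page_url, brand_hosts=()):
        super().__init__()
        self.page_url = page_url
        self.page = urlsplit(page_url)
        self.brand_hosts = set(brand_hosts)  # assumed list of impersonated brands
        self.findings = []  # (severity, tag, absolute_url, reason)

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(URL_ATTRS.get(tag, ""))
        if not value:
            return
        url = urljoin(self.page_url, value)  # resolve relative references
        target = urlsplit(url)
        if target.scheme not in ("http", "https"):
            return
        cross = target.hostname != self.page.hostname
        downgrade = self.page.scheme == "https" and target.scheme == "http"
        if downgrade and tag == "form":
            grade = ("high", "HTTPS page submits form over HTTP")
        elif downgrade:
            grade = ("high", "HTTP content on HTTPS page")
        elif cross and tag == "img" and target.hostname in self.brand_hosts:
            grade = ("medium", "brand image hotlinked from another site")
        elif cross:
            grade = ("info", "cross-domain reference")
        else:
            return  # same host, no downgrade: nothing to report
        self.findings.append((grade[0], tag, url, grade[1]))

def audit(page_url, html, brand_hosts=()):
    parser = ResourceAudit(page_url, brand_hosts)
    parser.feed(html)
    return parser.findings

# Constructed sample page; every host is a placeholder.
PAGE_URL = "https://www.shop.example/account"
SAMPLE = """
<script src="https://ads.adnetwork.example/show.js"></script>
<img src="https://www.pay.example/logo.gif">
<img src="/static/banner.png">
<form action="http://login.shop.example/signin"><input name="pw"></form>
"""
```

Calling `audit(PAGE_URL, SAMPLE, brand_hosts={"www.pay.example"})` reports the ad script as informational only, which is the distinction the reader's question turns on.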
Tags: articles, chris wilson, devreg, ie 7, internet explorer, mix06, phishing, security, technology, writing