What Security Features
does Internet Explorer Have?
Internet Explorer is a safe browser in many ways. The
latest version of IE supports Secure Socket Layer (SSL) 2.0/3.0, Private
Communication Technology (PCT) 1.0, CryptoAPI, and VeriSign certificates, and
one version employs 128-bit encryption, one of the strongest forms of encryption
that's commercially available for use over the Internet. To see if you have the
128-bit version of Internet Explorer, go to the
Wells
Fargo Bank site and take their browser test.
"Secure Socket Layer (SSL) is a Netscape-developed protocol submitted to
the W3C working group on security for consideration as a standard security
approach for World Wide Web browsers and servers on the Internet. SSL provides a
security "handshake" that is used to initiate the TCP/IP connection.
This handshake results in the client and server agreeing on the level of
security they will use and fulfills any authentication requirements for the
connection. Thereafter, SSL's only role is to encrypt and decrypt the byte
stream of the application protocol being used (for example, HTTP). This means
that all the information in both the HTTP request and the HTTP response are
fully encrypted, including the URL the client is requesting, any submitted form
contents (such as credit card numbers), any HTTP access authorization
information (usernames and passwords), and all the data returned from the server
to the client." --
Microsoft's
IIS 1.0 Features Tour. It has been reported, however, that SSL has been
cracked.
Private Communication Technology (PCT) is a Microsoft-developed security
protocol available in IE only. According to their
Internet
draft, "The Private Communication Technology (PCT) protocol is designed
to provide privacy between two communicating applications (a client and a
server), and to authenticate the server and (optionally) the client. PCT assumes
a reliable transport protocol (e.g., TCP) for data transmission and reception.
The PCT protocol is application protocol-independent. A "higher level"
application protocol (e.g., HTTP, FTP, TELNET, etc.) can layer on top of the PCT
protocol transparently. The PCT protocol begins with a handshake phase that
negotiates an encryption algorithm and (symmetric) session key as well as
authenticating a server to the client (and, optionally, vice versa), based on
certified asymmetric public keys. Once transmission of application protocol data
begins, all data is encrypted using the session key negotiated during the
handshake."
IE also supports server and client authentication by using digital certificates
to identify users to web servers. In addition, IE supports code signing with
Authenticode, which verifies that downloaded code has not been modified. For
more information on Authenticode, visit Microsoft's
Authenticode
page or the excellent
Authenticode
FAQ page.
CryptoAPI 1.0 provides the underlying security services for the Microsoft
Internet Security Framework. CryptoAPI allows developers to integrate
cryptography into their applications.
Microsoft has given a great deal of
thought to the issue of security and it products, and Internet Explorer 4.0 is
no exception. From
"Security
Zones" to continued support and refinement of
Authenticode,
IE4 promises to be one of the safest browsers of all time. You can read
all about the security available in IE 4 at
http://www.microsoft.com/ie/ie40/?/ie/ie40/features/ie-security.htm.
Also, check out what Microsoft is doing to keep
transactions
private with IE 4.
