Safety and Security on the Internet

Microsoft Internet Explorer

Security Center

 

About
Sources
Safety/Security
IE Security
MS Info
Misc
Home

 
Why Should I Worry About Security?
The Internet is a global collection of Interconnected Networks that facilitate information exchange and computer connectivity. The Internet is comprised of many different computers, all of which fall into two categories: servers (also known as "hosts") and clients (also known as "guests") -- technically, everything on the Internet can be considered a "host," but for this discussion, we'll use "hosts" and "guests." Guest machines send bursts of computer data called "packets" which are analyzed by the server belonging to the guest's Internet service provider. If the data is located locally (on the ISP's machine), the ISP's server will return the packets. If the information sought is not local (on another machine), the ISP's server hands off the packets to a router, which then sends the packets to the server containing the information. Once the information is located, it is sent back to the guest machine.

There are many different types of computers that fill these two categories: mainframes, minicomputers, PCs, Macintosh, Unix and others. Despite the many varieties of computers that combine to form the Internet, every computer connected to the Internet needs to be able to communicate with every other computer -- without this ability, there is no Internet. All of these computers are able to communicate because in a sense they can all speak the same language -- TCP/IP. TCP/IP actually isn't a language; it is in computer terms what is known as a "protocol." A protocol is simply a standard for transmitting and receiving bits of information. As long as all of the interconnected computers follow the same protocol, they can exchange information. Unfortunately, when data is sent from one computer to another on the Internet, every other computer in between has an opportunity to see what's being sent. This poses an obvious security problem.

Say you decide to purchase concert tickets on the Web. To do so, you need to fill out an electronic form with your name, address and credit card number. When you submit the form, your information passes from computer to computer on its way to the concert ticket web server. It is possible that someone could be watching the data passing through one of the computers that is in between your computer and the concert ticket server. No one knows how often this happens, but everyone concedes it is technically possible. And its also possible off the web, too -- E-mail can be captured (and read, if not encrypted), as can file transfers via unsecure FTP. If someone wanted to, it wouldn't be too difficult to connect a capture device to someone's phone line (assuming they use a modem to connect to the Internet) and steal an electronic copy of the data exchanged on the Internet. Even if you make your purchase on a secure web site supporting the latest security features, it has been recently shown that secure sites can cause Internet Explorer (and other browsers) to send sensitive information to a non-secure server in plain text format.

The point is, there are a lot of security issues related to a network such as the Internet. No FAQ could possibly cover them all. That is why this FAQ concentrates on Internet Explorer. Because there are millions of people who use Microsoft Windows family products, and because those millions have the ability to blend Internet Explorer with these products, the seriousness about security should be of paramount importance to everyone. Remember,  software products are only as secure as the environment in which they operate.

If after reading this you still aren't concerned about security on the Internet, visit http://www.digicrime.com for more eye-opening revelations.  You might also want to check out other Internet security sites, such as The WWW Security FAQ, The Computer Security Information Page at the NIH's Department of Computer Research and Technology, or The National Computer Security Association.

Microsoft has prepared a document entitled Review Criteria for Internet Browsers. There is an excellent section on browser security in it.  In addition, searches at http://www.excite.com or http://www.yahoo.com for "Internet", "Browser" and "Security" will provide a multitude of links to informative sites on this issue.

What are Bugs?
According to the 1996-97 edition of Microsoft Bookshelf, a software bug is "a defect in the code or routine of a program." The World AlmanacŪ and Book of Facts 1996 (registered trademark of Funk & Wagnalls Corporation) goes on to say that a bug "is an error in coding or logic that causes a program to malfunction or to produce incorrect results."   Bugs are different from design flaws, as design flaws aren't defective code.

What are Design Flaws?
Design flaws allow programmers to exploit vulnerabilities within an operating environment.  Many design flaws are mistakenly characterized as bugs (CNN, for example, characterized the Cybersnot and MIT problems as bugs in their report on these issues; then again, so did the Cybersnot folks). Design flaws are different than bugs, in that the code itself does not crash, produce inaccurate results or perform some other action indicative to bugs only. Design flaws can leave openings to critical and sensitive system and data files, which can be exploited by programmers.

What Security Features does Internet Explorer Have?
Internet Explorer is a safe browser in many ways. The latest version of IE supports Secure Socket Layer (SSL) 2.0/3.0, Private Communication Technology (PCT) 1.0, CryptoAPI, and VeriSign certificates, and one version employs 128-bit encryption, one of the strongest forms of encryption that's commercially available for use over the Internet. To see if you have the 128-bit version of Internet Explorer, go to the Wells Fargo Bank site and take their browser test.

"Secure Socket Layer (SSL) is a Netscape-developed protocol submitted to the W3C working group on security for consideration as a standard security approach for World Wide Web browsers and servers on the Internet. SSL provides a security "handshake" that is used to initiate the TCP/IP connection. This handshake results in the client and server agreeing on the level of security they will use and fulfills any authentication requirements for the connection. Thereafter, SSL's only role is to encrypt and decrypt the byte stream of the application protocol being used (for example, HTTP). This means that all the information in both the HTTP request and the HTTP response are fully encrypted, including the URL the client is requesting, any submitted form contents (such as credit card numbers), any HTTP access authorization information (usernames and passwords), and all the data returned from the server to the client." -- Microsoft's IIS 1.0 Features Tour. It has been reported, however, that SSL has been cracked.

Private Communication Technology (PCT) is a Microsoft-developed security protocol available in IE only. According to their Internet draft, "The Private Communication Technology (PCT) protocol is designed to provide privacy between two communicating applications (a client and a server), and to authenticate the server and (optionally) the client. PCT assumes a reliable transport protocol (e.g., TCP) for data transmission and reception. The PCT protocol is application protocol-independent. A "higher level" application protocol (e.g., HTTP, FTP, TELNET, etc.) can layer on top of the PCT protocol transparently. The PCT protocol begins with a handshake phase that negotiates an encryption algorithm and (symmetric) session key as well as authenticating a server to the client (and, optionally, vice versa), based on certified asymmetric public keys. Once transmission of application protocol data begins, all data is encrypted using the session key negotiated during the handshake."

IE also supports server and client authentication by using digital certificates to identify users to web servers. In addition, IE supports code signing with Authenticode, which verifies that downloaded code has not been modified. For more information on Authenticode, visit Microsoft's Authenticode page or the excellent Authenticode FAQ page.

CryptoAPI 1.0 provides the underlying security services for the Microsoft Internet Security Framework. CryptoAPI allows developers to integrate cryptography into their applications.

Microsoft has given a great deal of thought to the issue of security and it products, and Internet Explorer 4.0 is no exception. From "Security Zones" to continued support and refinement of Authenticode, IE4 promises to be one of the safest browsers of all time.  You can read all about the security available in IE 4 at http://www.microsoft.com/ie/ie40/?/ie/ie40/features/ie-security.htm. Also, check out what Microsoft is doing to keep transactions private with IE 4.

What are the Security Risks with ActiveX and Java?
There are flaws that exist in both ActiveX and Java that can be a potential threat to IE users. An excellent list of Java flaws can be found at http://www.javasoft.com/sfaq/.  The Java Security Web Site and Ed Felton's Java Security FAQ are must reads, as well.  Microsoft's Knowledge Base also contains an article (Q154559) on Java security entitled "Java Security Issues in Internet Explorer 3.0." There are two specific Java security issues that have been reported recently. One issue affects only Macintosh users of IE -- this is the problem discovered by Sun Microsystems. Microsoft posted a fix for this issue on March 14, 1997. The other issues is related to a Java applet in the IE cache. This issue affects only Win95/NT40 users who access a network on the same machine they use IE. Microsoft posted a fix for this issue on February 24, 1997.

ActiveX has it's own problems. As demonstrated by the Chaos Computer Club in Germany, ActiveX can be used to steal money out of unsuspecting users bank accounts. The full story can be read here. Even if you don't use PC-based banking, you should read this. Chaos used an ActiveX control to make Intuit's Quicken transfer money between bank accounts without the end-user be aware of the transfer until they discover the money is gone. This caused Intuit to issue a warning about ActiveX (see http://www.news.com/News/Item/0,4,8015,00.html for a C|Net story about this). Microsoft defended ActiveX in a follow-up article by C|Net.

To see more Java applet and ActiveX threats, check out http://www.withinreach.co.il/hostiles.

What are "Cookies?"
Cookies are small text files that are sent to web browsers by web servers.  The main purpose of cookie files are to identify users and to present customized information based on personal preferences.  Cookie files typically contain information such as your name (or username), password information, or ad-tracking information.  There is a good body of literature on  the Internet about cookies.  Despite what you may have read or heard, most people, including myself, do not view cookies as any kind of a security threat.  However, because of the way cookies work (e.g., a web server storing a text file on someone's hard drive), Microsoft (and other browser manufacturers) have built options into their browsers that notify users when cookies are being passed to them, and give the user an option to prevent the cookie from being accepted.  I don't think this is a good idea.  By rejecting cookies, your browser may not display the entire page or the site may not function as intended.

The reality is that cookies are text files -- they cannot contain viruses or execute applications, they cannot search your hard drive for information or send it to web servers, and most of the information they contain is simple tracking information designed to effect better customer service.