Scott Hanselman

The Wisdom of IE7 and Suspicious Web Sites

October 10, '06 Comments [3] Posted in ASP.NET | Musings

IE7 does a very good job of warning you in a more in-your-face way when something doesn't smell correct. Since IE7 is imminent (that means this month, folks) you need to be prepared as it will get delivered via a high priority automatic update and likely spread faster than IE6 did.

There's a good checklist at the IEBlog:

Download, install and test your products with IE7 RC 1 – This is the fastest and best way to test for compatibility issues.

Download the IE7 Readiness Toolkit - This toolkit pulls together a number of important resources to help you prepare for IE7.

Download and use the Application Compatibility Toolkit – Helps test browser-based applications to ensure they work with IE7.

Visit the Microsoft Internet Explorer Developer Center – You will find an array of important information for developers.

Use the Information Index for Internet Explorer 7 – A table of contents linking you to documentation, blog posts, whitepapers and other information on IE7.

Read the IE Team Blog – Use the search feature on the right to find previous posts on almost any topic you can think of with regard to IE7.

These are good resources, but while there will likely be strange CSS and HTML bugs, they won't be as "in your face" as the SSL Certificate related errors that would really cramp your style.

Here are a few gotchas to watch for:

"There's something wrong with the certificate" - This means that the DNS name registered to the certificate is NOT the name in the Address Bar. In this example I visited a valid site using its IP address rather than the DNS name. This is a common thing for folks to do in development when they access internal sites via IP. You can get around this by setting your HOSTS file to use the correct DNS entries while you're in development/staging.

Note that this warning isn't specifically the new IE7 Phishing Filter, but rather a much better job of calling out common problems with SSL certificates. Certificate revocations or problems confirming the legitimacy of a cert from its issuing body will turn the address bar YELLOW.

[Image: Ie7sslnavigation]

If you insist and click on "Continue to this website (not recommended)", your address bar will turn RED and you'll get a big scary "Certificate Error" light up. If you click it, you'll see a dialog like this:

[Image: Iesslcert]

"Reported phishing website" - If you're an evil phisher, or you've visited an evil phisher's website, you'll see this even scarier dialog:

[Image: Ie7phishing]

"Suspicious Website" - If the site is dodgy, but not confirmed evil, your address bar will turn YELLOW:

[Image: Suspect-sm]

Be ready, make sure your certs are valid and you're addressing them correctly.
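
As an added example (not part of the original post, and not Microsoft's code), here is a pre-flight check in Python that reports which of the addresses your team actually types would trigger the name-mismatch or expiry warning for a given certificate. The certificate dict, host names and function names are constructed for illustration; the dict uses the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample certificate, in the dict shape of ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.staging.example.com")),
    "notAfter": "Oct 10 12:00:00 2007 GMT",
}

def _dns_match(pattern, host):
    """Match a certificate DNS name; '*' covers exactly one leftmost label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_url(url, cert, now=None):
    """Return the certificate problems a browser would flag for this URL."""
    now = now or datetime.now(timezone.utc)
    host = urlsplit(url).hostname or ""
    problems = []
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now > expires:
        problems.append("expired")
    sans = cert.get("subjectAltName", ())
    try:
        # Address bar holds an IP: only an IP entry in the cert can match it.
        ip = ipaddress.ip_address(host)
        ok = any(k == "IP Address" and ipaddress.ip_address(v) == ip
                 for k, v in sans)
    except ValueError:
        names = [v for k, v in sans if k == "DNS"]
        if not names:  # legacy fallback to commonName when no DNS names exist
            names = [v for rdn in cert.get("subject", ())
                     for k, v in rdn if k == "commonName"]
        ok = any(_dns_match(n, host) for n in names)
    if not ok:
        problems.append("name mismatch")
    return problems
```

Run it over every URL in your test plans, bookmarks and config files: any entry that returns "name mismatch" is one where a HOSTS entry (or a corrected link) is needed before IE7 lands.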

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

Tuesday, 10 October 2006 09:44:08 UTC
Following through on the links, there are a number of people complaining about not being able to test with side-by-side installations of IE6 and 7 on the same PC. I wonder how many websites (and other products) out there are being 'tested' with such half-assed strategies (the old "let's develop and test on an unnaturally bastardised system that no end user will have and call that a meaningful test" strategy). With VirtualPC being free, and with existing OS licenses valid to a limited number of VMs on the same machine, it is surprising to see such resistance.

As for me, I am simply hoping that IE7 will be able to read the websites that IE6 instantly crashes on and we'll see the end of IE6's DEP crashes when downloading large files. I wish that the XP version matched the existing desktop though - encouraging upgrades through cosmetic inconsistency? (;P)
Tuesday, 10 October 2006 15:38:39 UTC
FireFox has been using yellow address bars to show SECURE sites for, what, years? Now IE uses it for SUSPICIOUS sites. So, when I fire up IE because the MSFT site I'm on at the mo' doesn't support FireFox, I'll have to remember that if I see yellow in the title bar, it's not because of HTTPS, but because it's suspicious.

Awesome!
Wednesday, 11 October 2006 06:25:16 UTC
I second what Jeff Key says. Making a yellow address bar mean a site is insecure flies in the face of the current de facto standard.

Thanks, Microsoft, for making being safe on the 'net just that much more confusing.
mikeb

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.