Microsoft will drop support for the SSL 2.0 protocol in the upcoming Internet Explorer 7 in favor of the stronger TLS 1.0, the IE 7 development team has revealed.
By default, IE 7 will use TLS (Transport Layer Security) 1.0 for HTTPS connections and will have SSL 2.0 turned off. In the current Internet Explorer, TLS is off by default and must be enabled by the user via the Tools/Internet Options/Advanced menu.
IE 7 will also block access to Web sites that present a problematic digital certificate. If a certificate was issued to a host name other than the one in the URL, or was issued by a root certificate authority the browser does not trust, IE 7 will display a warning page that explains the problem. If the user chooses to proceed anyway, IE 7 will tint the address bar red as an additional warning.
Additionally, said IE program manager Eric Lawrence in the group's official blog, the Windows Vista version of IE 7 (the browser will come in two editions, one for Vista and one for the current Windows XP SP2) will support new encryption algorithms such as AES (Advanced Encryption Standard), because the cipher suites come from the operating system's SSL/TLS library, which IE uses.
"Generally, IE users will not notice any difference in the user-experience due to this change; it’s a silent improvement in security," explained Lawrence.
Web site owners, he said, will have to make only a simple change, if that. "Our research indicates that there are only a handful of sites left on the Internet that require SSLv2," he said. "Adding support for SSLv3 or TLSv1 to a website is generally a simple configuration change."
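To see what the switch means on the wire, here is an added example (not code from Microsoft or the IE team) that parses the two ClientHello formats involved: the 2-byte-header record that SSL 2.0 uses, which older browsers with SSL 2.0 enabled also use for the "compatible" hello that offers SSL 3.0/TLS inside SSL 2.0 framing, and the SSL 3.0/TLS record that IE 7 will send once SSL 2.0 is off. The sample hellos and the function names are constructed for this illustration. A site owner can run `needs_sslv2` over hellos captured at the server to learn whether any client would actually break when SSL 2.0 is disabled.

```python
"""Classify captured SSL/TLS ClientHello messages by framing and advertised version.

Added illustration, not code from Microsoft or the IE 7 team.  The sample hellos are
constructed by hand from the SSL 2.0 and TLS 1.0 (RFC 2246) message layouts; the
function names are ours.
"""
import struct

SSL3_VERSION = (3, 0)


def parse_client_hello(data: bytes) -> dict:
    """Return {'framing', 'version', 'ciphers'} for a single ClientHello.

    framing: 'sslv2' for the 2-byte SSL 2.0 record header, 'tls' for the 5-byte
    SSL 3.0/TLS record header.  version: the highest version the client offers.
    ciphers: the cipher specs (3 bytes each) or suites (2 bytes each) it lists.
    """
    if len(data) < 3:
        raise ValueError("truncated hello")
    if data[0] & 0x80:
        # SSL 2.0 record with a 2-byte header: high bit set, 15-bit body length.
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) != length or len(body) < 9 or body[0] != 0x01:  # 0x01 = CLIENT-HELLO
            raise ValueError("not a complete SSL 2.0 CLIENT-HELLO")
        version = (body[1], body[2])
        cs_len, sid_len, chal_len = struct.unpack("!HHH", body[3:9])
        if len(body) < 9 + cs_len + sid_len + chal_len or cs_len % 3:
            raise ValueError("malformed SSL 2.0 CLIENT-HELLO")
        specs = body[9:9 + cs_len]
        # Each spec is 3 bytes.  An SSL 3.0/TLS suite carried in a "compatible"
        # hello is encoded as 0x00 followed by its 2-byte suite id.
        ciphers = [specs[i:i + 3] for i in range(0, cs_len, 3)]
        return {"framing": "sslv2", "version": version, "ciphers": ciphers}
    if data[0] == 0x16 and len(data) >= 5:
        # SSL 3.0/TLS record: type(1) version(2) length(2), then a handshake message.
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                  # 0x01 = client_hello
            raise ValueError("not a TLS client_hello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < 2 + 32 + 1 + 2:
            raise ValueError("truncated TLS client_hello")
        version = (body[0], body[1])
        pos = 2 + 32                                       # skip client_random
        sid_len = body[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = body[pos:pos + cs_len]
        if len(suites) != cs_len or cs_len % 2:
            raise ValueError("malformed cipher_suites")
        ciphers = [suites[i:i + 2] for i in range(0, cs_len, 2)]
        return {"framing": "tls", "version": version, "ciphers": ciphers}
    raise ValueError("unrecognised record")


def needs_sslv2(data: bytes) -> bool:
    """True when the hello can only end in an SSL 2.0 session, i.e. the server must
    keep SSL 2.0 enabled to serve this client.  An SSL 2.0-framed hello that
    advertises version 3.x and carries SSL 3.0/TLS suites is the "compatible" hello
    older browsers send; it can still negotiate SSL 3.0/TLS, so it is not counted."""
    info = parse_client_hello(data)
    if info["framing"] == "tls":
        return False
    if info["version"] < SSL3_VERSION:
        return True
    return not any(spec[0] == 0x00 for spec in info["ciphers"])


def build_sslv2_hello(version, cipher_specs, challenge=b"\x11" * 16) -> bytes:
    """Construct an SSL 2.0 CLIENT-HELLO (test fixture, not a captured message)."""
    specs = b"".join(cipher_specs)
    body = (bytes([0x01, version[0], version[1]])
            + struct.pack("!HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_tls_hello(version, suites, client_random=b"\x22" * 32) -> bytes:
    """Construct a TLS 1.0 record carrying a client_hello (test fixture)."""
    cs = b"".join(suites)
    body = (bytes(version) + client_random + b"\x00"           # empty session_id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")   # null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed samples: a pure SSL 2.0 client, an IE 6-style "compatible" hello that
# offers TLS 1.0 inside SSL 2.0 framing, and a TLS-framed hello as IE 7 would send.
SSL2_ONLY = build_sslv2_hello((0, 2), [b"\x01\x00\x80", b"\x07\x00\xc0"])
SSL2_COMPAT = build_sslv2_hello((3, 1), [b"\x01\x00\x80", b"\x00\x00\x0a", b"\x00\x00\x04"])
TLS_ONLY = build_tls_hello((3, 1), [b"\x00\x0a", b"\x00\x04"])

if __name__ == "__main__":
    for name, hello in [("ssl2-only", SSL2_ONLY), ("ssl2-compat", SSL2_COMPAT), ("tls", TLS_ONLY)]:
        info = parse_client_hello(hello)
        print(f"{name:12} framing={info['framing']} version={info['version']} "
              f"needs_sslv2={needs_sslv2(hello)}")
```

Once that count is zero, the server-side change Lawrence refers to really is a one-liner on the servers of the day: `SSLProtocol all -SSLv2` in Apache's mod_ssl configuration, or setting the `Enabled` value to 0 under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server` for IIS.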
SSL 2.0, the protocol IE is abandoning, has well-known design weaknesses: its handshake is not integrity-protected, so an attacker in the path can tamper with the offered cipher list; it relies on a weak MD5-based MAC; and it uses the same key for encryption and message authentication. It has also figured in real-world vulnerabilities. In April 2004, Microsoft revealed a vulnerability in Windows servers involving SSL 2.0. And earlier this month, OpenSSL disclosed a flaw that could let an attacker force a client and server that both support SSL 2.0 to negotiate that weaker protocol even though they also support SSL 3.0 or TLS.