Web security features of Internet Explorer 8

Internet Explorer 8 will go a long way toward solidifying various Web standards, but it lacks significant improvements in security. Learn about domain highlighting and other changes in this tip.

This week, I took the current beta version of Internet Explorer 8 (IE8) for a test drive. Right now IE8 is still in its first beta release, but it is far enough along that we can at least get an idea of what the finished product may look like.

As you read this article, there are two things to keep in mind: First, because this is an early beta release, anything I discuss here could change by the time Microsoft finally releases the product. Second, I am limiting my discussion primarily to the features that have to do with security.

Figure A

This is what the user interface for Internet Explorer 8 looks like.

Now let's talk about these security features. Internet Explorer 7 was designed primarily to address the security shortcomings of the previous IE version. Internet Explorer 8, in contrast, is a lot less about security and more about standards. In fact, Microsoft cited better support of Web standards as one of its major goals in creating IE8. Also cited were improvements in RSS, cascading style sheets (CSS) and Ajax support. Although Microsoft mentions better security as one of its goals in creating IE8, that goal seems to be secondary.

The fact that Microsoft designed Internet Explorer 8 to better support various Web standards is both good and bad. It's good from the standpoint that more consistent support of the various standards should enable Web developers to create sites that are more secure because they use standardized code. On the other hand, Internet Explorer has a long history of not enforcing a lot of the Web standards. Therefore, many sites in use today won't fully comply with some of the Web standards that Internet Explorer 8 will enforce, which means a lot of websites won't function correctly.

As a way of easing the burden caused by this incompatibility, Microsoft has designed Internet Explorer 8 so that it emulates Internet Explorer 7 if necessary. As you can see in Figure B, the Emulate IE7 feature is prominently displayed on the Tools menu. I can't help but wonder if the emulation will expose Internet Explorer 8 to many of the same security threats that made Internet Explorer 7 vulnerable.

Figure B

Internet Explorer 8 can emulate IE7.

Another security feature that's shown in Figure B is the Safety Filter. From what I can tell, the Safety Filter seems to have replaced the Phishing Filter found in Internet Explorer 7. The Safety Filter is designed to detect phishing sites, but it also detects websites that are known to be malicious and analyzes the full URL string looking for malicious code. The idea is to take a more granular approach to preventing attacks.

Another new security feature is called domain highlighting. The basic idea behind this feature is that the address bar displays the domain portion of the URL in black, while the remainder of the URL is grayed out. This feature probably doesn't sound like a big deal, but some websites are designed to conceal their identity by including text in the URL string, which tricks users into thinking they are on a different site. Domain highlighting leaves no doubt as to which site a user is actually on. You can see how the domain highlighting feature works if you look at the address bar in Figure C.

Figure C

The address bar demonstrates the domain highlighting feature.
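The split that domain highlighting performs can be sketched in a few lines. This is an added example, not code from the article or from Internet Explorer: it separates a URL into the domain to emphasize and the surrounding text to gray out. The function names, the small suffix set (a stand-in for the full Public Suffix List) and the sample URLs are all constructed for illustration.

```javascript
// Constructed stand-in for the Public Suffix List (assumption: a real
// implementation would consult the complete list).
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

// Return the part of a hostname that identifies the site owner.
function registrableDomain(hostname) {
  const host = hostname.replace(/\.$/, "").toLowerCase();
  // IP literals have no label hierarchy, so the whole host is the identity.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) return host;
  const labels = host.split(".");
  if (labels.length <= 2) return host;
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Split a URL into { before, domain, after }; a UI would render `domain`
// in black and gray out `before` and `after`.
function highlightDomain(rawUrl) {
  const url = new URL(rawUrl);
  const host = url.hostname;
  const domain = registrableDomain(host);
  // Userinfo ("user@") sits before the host and is a classic place to put
  // a misleading site name, so it must land in the grayed-out part.
  let userinfo = "";
  if (url.username) {
    userinfo = url.username + (url.password ? ":" + url.password : "") + "@";
  }
  const cut = host.lastIndexOf(domain);
  return {
    before: url.protocol + "//" + userinfo + host.slice(0, cut),
    domain,
    after: host.slice(cut + domain.length) + (url.port ? ":" + url.port : "") +
      url.pathname + url.search + url.hash,
  };
}

// Constructed sample URLs using reserved example names and a documentation IP.
const SAMPLES = [
  "http://www.example.com.login.example.net/account", // brand in subdomain
  "http://www.example.com@example.org/",              // brand in userinfo
  "https://shop.example.co.uk/cart",                  // multi-label suffix
  "http://192.0.2.10/www.example.com/",               // brand in path
];
for (const s of SAMPLES) {
  const p = highlightDomain(s);
  console.log(`${p.before}[${p.domain}]${p.after}`);
}
```

In each sample the bracketed text is what the address bar would show in black, which is why a familiar name placed in a subdomain, userinfo or path does not end up highlighted.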

The security features I have mentioned are nice to have, but I would hardly call them life-changing. Sadly, these are the only new security features that Microsoft even mentions on the IE8 beta site. It is possible that there are other security features that work behind the scenes and have not yet been disclosed.

About the author: Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities, and was once a network administrator for Fort Knox.