Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers

Today I want to tell you about both our established plan to highlight secure sites in IE7 but also to tell you about some early thinking in the industry about creating stronger standards for identity on the internet.

IE7 will join other browsers like Firefox, Opera and Konqueror in making the experience for secure (HTTPS) sites more visible by moving the lock icon into the address bar. We think the address bar is also important for users to see in pop-up windows. A missing address bar creates a chance for a fraudster to forge an address of their own. To help thwart that, IE7 will show the address bar on all internet windows to help users see where they are. IE7 will also help users avoid fraudulent sites if users choose to use the Phishing Filter to check a site for known phishing activity.

Today the lock icon in your browser window fundamentally means that your traffic with the website is encrypted, and that a trusted third party, known as a Certification Authority, has identified the website. Certification Authorities offer certificates with broadly different levels of background checking for the website. Unfortunately, there is no industry standard method for anyone to tell what level of background checking was performed for a given site.

On Wednesday, we met with folks from other browser vendors including Mozilla (which is the basis of Firefox), Opera and Konqueror to discuss this situation (other browser vendors were invited but weren’t able to attend). George Staikos from Konqueror was good enough to host all of us in Toronto. Along with picking up the tab for lunch, George brewed coffee strong enough to bring weary travelers from Oslo and Redmond into the same time zone. Microsoft and others in the group think our users should have a better experience when they visit a website that passed a more rigorous identification process.

As a counter-example to how we might handle highly-identified sites, I presented the IE7 Anti-Phishing User Experience for known phishing and suspected phishing sites. The Phishing Filter shows warnings to users when it detects a site that might be trying to misrepresent its identity.

When the Phishing Filter is in use, IE will fill the address bar with red for known phishing sites (Fig 1) and with yellow for suspected phishing sites (Fig 2). In both cases, the address bar will include text that explains that the user should effectively either “stop” or proceed with “caution”. In IE7, most normal sites including those with “the lock” today will not have a color-filled address bar.

Fig 1, IE7 address bar for a known phishing website detected by the Phishing Filter 

 

Fig 2, IE7 address bar for a suspected phishing website detected by the Phishing Filter

If the browsers and the Certification Authority industry can generate better guidelines to identify web sites, we want to take the experience in the address bar a step further to help create a positive experience for rigorously identified HTTPS sites. We have implemented a green-filled address bar in IE7 for sites that meet future guidelines for better identity validation. Along with the green fill, our current design for the address bar includes the name of the business (Fig 3.1) alternating with the name of the third party Certification Authority who identified the business (Fig 3.2). We think this alternating presentation of business name with Certification Authority name is the right balance of user notification and simplicity. 

Fig 3.1, IE7 address bar for a site with a high-assurance SSL certificate
(showing the identity of the site from the SSL certificate)

 

Fig 3.2, IE7 address bar for a site with a high-assurance SSL certificate
(alternating in the name of the Certification Authority who identified the site)

I know that Frank and Gerv from Mozilla, George from Konqueror and Yngve and Carsten from Opera have their own thoughts for an improved certificate standard and how they would handle that in the user experience.

I wish we could promise you that you will see this experience in IE7 and its equivalent in other browsers but there are a lot of details to work out before browsers can differentiate SSL sites based on how well vetted they are. For this to work, Microsoft, Mozilla, Opera and Konqueror, amongst others, think there should be some common validation guidelines for rigorous website identification. There is a lot of preliminary agreement but also a lot of work to do. The American Bar Association Information Security Committee is providing a forum to pursue this. You can check back with us and other browsers to see how the process moves along.

 - Rob Franco (with lots of help from Kelvin Yiu and Tom Albertson who work on PKI for Windows)

November 23 Update: You can read more about our meeting in posts from other browser developers who attended:

• George from Konqueror posted "Web Browser Developers Work Together on Security",
• Carsten and Yngve from Opera posted “A Truce in the Browser Wars: Toronto Ideas Create Common Ground”
• Frank Hecker from the Mozilla Foundation posted “CAs, certificates, and the SSL/TLS UI”

Comments

• Anonymous
  January 01, 2003
  You might wanna link your images diffrently ;)

• Anonymous
  January 01, 2003
  Yep. I noticed that too once it went live. I fixed the URLs. There was a conversion error between local and remote locations.
  
  Thanks!
  
  - Al Billings [MSFT]

• Anonymous
  January 01, 2003
  what's user xp for people who are color blind?

• Anonymous
  January 01, 2003
  Each state is accompanied by both text and appropriate icons. The state can be read without a need to see the color.
  
  - Al Billings [MSFT] (who is mildly colorblind)

• Anonymous
  January 01, 2003
  In addition to the icons and text, it's probably worth reiterating that, in the event that IE knows something is bad (e.g. Certificate Error or Known-Phishing site) navigation is interrupted by a blocking error page. Hence, such errors are unlikely to be overlooked, even by the color blind.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  You guys are too fast, provided info of ways to help before I finished my post... Keep up the great work

• Anonymous
  January 01, 2003
  Please don't use yellow for suspicious sites as it's already been used for HTTPS sites on Firefox. What did you get out of that meeting how to confuse cross-browser users the most?
  
  Additionally, what's with this alternating thing? You're not going to constantly alternate while people are browsing are you?? That would make blinking text look like a kitty next to this beast of an annoyance.

• Anonymous
  January 01, 2003
  I second that about please don't use yellow for the "suspicious site" color. Firefox did a great thing making the address bar a different color when browsing secure sites, so please don't go breaking the experience by making it confusing to go between the two browsers.
  
  I can totally understand the want to make it red, yellow, green for the different states, but either be consistent with what is out there or start a conversation with the Mozilla guys and get them to play along with your new color scheme.

• Anonymous
  January 01, 2003
  I say make it red, yellow, green! Just because other browsers use non-sensical colors for security doesn't mean you have to. BE DIFFERENT!
  
  

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  Rob & Co, thanks for the thorough post and thorough thinking.
  
  As an app developer for my company's intranet, I do try to make web apps as "app-like" as possible, and part of this is the use of nice, clean, uncluttered popups.
  
  I do appreciate your intentions here (security first), but boy, an address bar in a popup is real distracting from the content. How about letting the developer control the address bar for Trusted Sites or the Intranet Zone? Ditto on the status bar.
  
  Cheers,
  - M

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  Hi all!
  
  I would suggest that this colour-coding for the address bar be implemented across all Web-browsing plwtforms. The code could be made commonly available for implementation in browsers like Apple Safari for example.
  
  Also, a good idea would be to shoehorn the code for the phishing-control functionality so the functionality does exist but is available for use in embedded Web browser applications like set-top boxes for example.
  
  With regards,
  
  Simon Mackay

• Anonymous
  January 01, 2003
  I really like this; it conveys a considerable amount of information in a relatively compact and elegant way. Just please make sure the alternating text is as subtle as possible. Also, I prefer the red / yellow / green color scheme over Firefox's FWIW. :-)

• Anonymous
  January 01, 2003
  The problem is that people switching from IE to Firefox will think that secure sites are actually potential phishing sites, and people switching from Firefox to IE will think that potential phishing sites are secure sites! Imagine the confusion!
  
  Other than that major caveat though, the red/yellow/green thing isn't too bad of an idea...

• Anonymous
  January 01, 2003
  Please consider changing "phishing" to "dangerous" or something like that. Besides being less confusing for the average user, it will be easier to translate to other languages.
  
  I agree with those who said that alternating text would be annoying. Just show the subject name; the issuer name will be meaningless for most users anyway.

• Anonymous
  January 01, 2003
  I second Dylans opinion above. Well said.

• Anonymous
  January 01, 2003
  To me, the descriptive text is too big. Maybe it's better to use "popup text" instead?

• Anonymous
  January 01, 2003
  I like the colour coding method chosen here (although I can see problems when it comes to IE / Firefox users and the yellow status, with one thinking a site is secure, while the other thinking it is a phishing site).
  
  I just wanted to ask if you'd considered adding the colour status to the individual tabs as well? As I feel that would stand out more so as well.
  
  Also, what do the two arrows (which look like they are spinning) next to the security message refer too?

• Anonymous
  January 01, 2003
  What happens when a site hides the address bar, and places an image of a fake green address bar at the top of the page? (as already done by many scam sites).
  
  Even if a site cannot hide the address bar, having the 'double' address bar, with one green and the other white, a casual glance to the top of the page lets the eye see the green bar, ignores the white, and the user would proceed with a false sense of security.
  
  I know not much can be done about this, but what about colorizing the status bar, toolbars and window frames etc instead of the 'client' area? Too much customization of how the address bar can appear, esp if sites can modify it, harms the standardized way of recognizing safe sites. I hope much of this cannot be changed in IE7, even if it hurts customization of the browser.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  <<Also, what do the two arrows (which look like they are spinning) next to the security message refer too? >>
  
  Chris, this is the icon for the refresh button.
  
  <<What happens when a site hides the address bar, and places an image of a fake green address bar at the top of the page?>>
  
  Shane, this is not possible, as noted in the post.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  I prefer the IE7 colours for the address bar. It makes sense, more sense than the Firefox colours if you think about it.
  
  >>What happens when a site hides the address bar, and places an image of a fake green address bar at the top of the page?
  >>Shane, this is not possible, as noted in the post.
  
  This worries me a bit though. Firefox puts the domain in the title of the window (before the window title) when there is no address bar. While this pushes the title of the window off the edge in a lot of cases, it's still a less intrusive solution. That way the user can see the domain is the same, but doesn't change the size/style of the popup. For a lot of popups on the sites I manage, we hide the address bar on purpose to a) keep the window style clean, and b) to hide the URL so people don't try to mess with the site (because they do).
  
  If you put the domain in the title, you could still easily throw up a "Warning, suspected phishing site!" page before loading the window's document.
  Can you tell us the reason you chose this method instead of the titlebar method?

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  I think the cross-browser color difference is overblown.
  
  I don't see a good use for the color green, though.
  
  I can buy the red... and even the yellow. But HTML injection vulnerabilities are just too common to have a "green" state, IMHO.

• Anonymous
  January 01, 2003
  I also add my disagreement with the use of yellow for suspected sites.
  
  Even if the color yellow in general conveys a sense of warning, I believe it's too late to use it. The Firefox issue is not a small one, but in addition, the color of the HTTPS lock on IE 6 is already yellow as well.
  
  The IE team should have the protection of end users in its heart no matter which browser is being used, and sending mixed signals between different browsers would not be conducive to this.
  
  Overall, though, this is a great feature, and I'm glad we'll be seeing it soon.

• Anonymous
  January 01, 2003
  Quite a few posters have commented about possible confusion between the gold address bar for HTTPS in Firefox and the suspicious state for the IE7 Phishing Filter. I agree that’s a possible issue and we’ll continue to discuss with other browser vendors.
  
  Folks should bear in mind that most sites will probably not have color-filled address bars in IE7 as described. Today’s ordinary SSL sites will show the lock in the address bar but will not include any color fill.
  
  I want to make sure folks understand our commitment to the experience for visually-impaired users. The color effects in the address bar are just one way for us to highlight the differences between sites. There will be text and icons in the address bar. Eric makes a great point that in the case of a confirmed phishing site or the case of a certificate error, IE will back up the address bar warnings with an error pages to help the user
  
  Matt Sherman and John Bilicki both asked about how the persistent address bar will impact trusted sites and intranet sites. By default the persistent address bar won’t show up for pop-ups in the trusted sites and intranet sites zones. The persistent address bar for pop-up windows will follow the window size and position restrictions security setting. If you’re a desktop administrator, you’ll be able to control this setting through group policy. If you’re a web developer for intranet or trusted sites, you’ll be able to enable and disable the address bar the way that you can today.
  
  As always, thanks for the feedback!
  Rob Franco [MSFT]
  

• Anonymous
  January 01, 2003
  I do think that the color thing is good, and I'd agree that it should probably be changed to orange to avoid confusion with Firefox in the near term. The problem I have however is disallowing javascript from removing the address bar in all allowed pop-up windows. I think that displaying the URL in the actual windows topbar for the application is fine. It would be a large waste of space to have the address bar always visible in the popups, and will deter developers from pop-up windows. This will make developers us css popups and the like. These are even more annoying to users as their pop-up blockers can not stop this. It will also hurt web application development, and make even casual application developers have to get HTTPS, not an inexpensive proposition to an ameteur web developer.
  
  It might be better to have IE control pop-ups in known or suspected phishing sites, but in sites that have no prior security violations, javascript should behave as normal IMHO. How about a little innocent until proven guilty.

• Anonymous
  January 01, 2003
  These are good thoughts but not practical.
  
  The reason is too many colours make things worse. When we develop Tablane browser(it is based on IE engine for now), we tested many colours for Tab, such as Read, Unread, Bookmarked, HTTPS site, Tab with comments, etc. We confused ourselves. What colour represents what? In the end, we get the clue, keep the colour scheme simple and use the colour to identify something different, but not expect the user memorizing it quickly/firmly. If expect user to remember it, just one colour for HTTPS is enough.
  
  Comparing with traffic light seems reasonable, but it is wrong in user interface design. When driving, you must concentrate to the traffic light, it is such built in risk involved. So many years we have been taught: red, yellow and green. But for surfing the net , it’s very relaxing. It is more concentrated on content. Just to signal HTTPS site, is simple and effective.
  The colour usage is even not intuitive. With icon we know 70% what it does. With colours, how can we agree the same colour binds to the same thing?(if in multiple colours environment).
  
  It is much better for most browsers to use the similar colour by default, and leave some space to let user customize it under some guidance.
  

• Anonymous
  January 01, 2003
  <<Check the repeated misspellings in the screenshots you posted>>
  
  Brett, are you referring to the spelling errors in the Phishing examples? Those are taken from actual Phishing sites that have been found in the wild.

• Anonymous
  January 01, 2003
  <<make even casual application developers have to get HTTPS, not an inexpensive proposition to an ameteur web developer.>>
  
  Onezero, I'm not sure I understand this concern. Using HTTPS has no impact on the fact that all popup windows will show the address bar.
  
  (It's probably worth mentioning that a "domain control" SSL certificate can be had for ~20$.)

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  <<
  It's probably worth mentioning that the lock will not be visible on a suspected phishing site, so the likelihood of user confusion is relatively lower.>>
  
  I'd like to get a clarification on this - the lock is not shown for a site (with a cert, and a working HTTPS connection) that the phishing heuristic flags as suspicious? Will this be a problem for the (somewhat common) sites like Wikis or forums that use self-signed certs?

• Anonymous
  January 01, 2003
  With Firefox(1.5RC3) the address bar colour can be changed by the theme. The current theme I am using has green as the colour for https.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  <<Will this be a problem for the (somewhat common) sites like Wikis or forums that use self-signed certs?>>
  
  Actually, for a self-signed certificate, this scenario would show up as a red/blocked navigation unless the user explicitly added the site's certificate to his trusted store.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  One suggestion I have is to change the text Phishing to Dangerous. This way you don't have to worry if the user understands the term "Phishing". I know if I saw a red URL field with the word Dangerous, it would sure catch my attention quickly vs. the URL field displaying Phishing.
  
  When the URL field shows that a site is safe, why not just tell the user exactly that. Right now you have the URL field showing certification information about the site. I personally like how it shows certification information, but the average user isn’t really going to care about that and will probably get confused over it.

• Anonymous
  January 01, 2003
  Nice ideas.
  
  I'm wondering really though why firefox is an issue. The GOLD/YELLOW colour is the CURRENT STATE in firefox for SSL Encrypted sites.
  
  That remains the same with this new scheme, with the addition of the GREEN for properly verified and configured SSL sites.
  
  So nothing has actually changed here for firefox.
  
  The new user education task is that you should only trust sensitive / confidential information to GREEN sites. Hopefully banks / paypal / ebay etc. can send out some straightfoward flyers or something to their customers. - Although I doubt it! The people who are targetted most by phishing seem completely oblivious to any technicial measures available to help reduce the problem.
  
  Jason.

• Anonymous
  January 01, 2003
  Nice ideas.
  
  I'm wondering really though why firefox is an issue. The GOLD/YELLOW colour is the CURRENT STATE in firefox for SSL Encrypted sites.
  
  That remains the same with this new scheme, with the addition of the GREEN for properly verified and configured SSL sites.
  
  So nothing has actually changed here for firefox.
  
  The new user education task is that you should only trust sensitive / confidential information to GREEN sites. Hopefully banks / paypal / ebay etc. can send out some straightfoward flyers or something to their customers. - Although I doubt it! The people who are targetted most by phishing seem completely oblivious to any technicial measures available to help reduce the problem.
  
  Jason.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  Thank you for the heads up on developments in Anti-Phishing. As a web application developer I feel that the work done recently, and the openness about it, has been nothing but very positive.
  
  While I think the colouring of the address bar is a great idea, I believe it needs to be implemented consistently across all browsers, otherwise it will cause more confusion than benefit. Which is why the discussion you've just talked about is so important, and such a good sign that it has occurred.
  

• Anonymous
  January 01, 2003
  I like the color schemes. However, how about for green, to make the color gradient. From the left of the URL bar a more solid green fading to a lighter shade at the far right of the bar. In this way those who are color blind could see a secure site without having to read the secure site caption. At the same time, those who can see color would not be annoyed by a solid green color extending all the way across the bar.
  
  --Andre
  

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  While disallowing web sites from hiding the address bar using javascript (with the exception of pop-ups) is a good idea, the user should have the flexibility to resize, move or even hide the address bar (independet of the tab bar). This was a major improvement over other browsers in IE6 and earlier.
  
  I am suggesting this because I have developed an alternative address bar for IE6. But think also of the following usage scenarios that rely on hiding the address bar:
  
  * saving real estate (for example in pop-up windows)
  * restricting usage (disallow users to enter URLs)
  * user is not interested in the address (think of kiosk mode when no keyboard is available)
  * using a 3rd-party toolbar for navigation
  (like the Google or Quero Toolbar)
  
  Viktor

• Anonymous
  January 01, 2003
  Firefox is already using yellow for secure sites - and it works really well. I look for this yellow rather than looking for the padlock icon. That said - I wouldn't mind if it becomes green across all browsers and these colours were to be standardised. Showing the company name, now we have more screen real estate to show it in, also makes sense.
  
  Another nice feature is a warning if you use an URL with embedded username and password and the site on the other end does not require authentication - this being a common trick with phishers, but presumably one they can fix once detection becomes common place.
  
  

• Anonymous
  January 01, 2003
  Colours are great idea, stay with red, yellow, green. The firefox lovers will always complain, tell you to look like firefox and if you do say your just copying them. I use firefox and IE, (though I have a feeling with IE7 will go almost fully to IE7 when it goes gold)
  The first time I saw yellow in the address bar in firfox, I thought firefox was trying to warn me. Yellow=caution/warn I oon realized it was not supose to be a warning but reasurance, but even today when I go somewhere and it goes yellow, I have slight reaction of "wait, is this securue" before my knodge of fixox sinks in and I know fixfox messed up with its colour choice to represent secure.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  My suggestions:
  
  1 - Let users choose their own colors for each status, including an option for no color. Also, as you currently do when visiting a secure site, popup a dialog describing the status change, with an option to change color scheme, as well as an option to not show the dialog again.
  
  2 - Don't rotate text for SSL identification. Personally, I say just show the icon, and let everything else be in a tooltip or dropdown. Otherwise just show the CA, and company name and cert details are in tooltip/dropdown.
  
  3 - Allow the user to control what sites can show/hide the address bar, menu, status bar, etc. You already have the zones (Internet, Intranet, Trusted, etc.). There are valid applications where it is best that this info not be available to the user, and in most of these cases this is for the benefit of the user themselves.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  I agree in part with Calzones. The yellow bar is confusing, and red should be used. I also like Melissa's idea about being able to show a hidden URL bar. Maybe use a collapsible bar, so that "hidden" really means "collapsed".
  
  Perhaps the following can be used:
  
  * Known phishing/unsafe site: Red URL bar + confirmation page before allowing site access. URL bar may not be hidden/collapsed from code.
  
  * Possible phishing/unsafe site: Red URL bar only. URL bar may not be hidden/collapsed from code.
  
  * Confirmed "good" site: Green URL bar. URL bar may be hidden/collapsed from code.
  

• Anonymous
  January 01, 2003
  Although the colours are a great improvement over nothing at all, there are better ideas. You should look at the Petname and Trustbar ideas for inspiration if the goal is to address phishing.
  
  Also, be aware that we are moving to direct attacks on certificate authorities, the scene is now set for phishers to use real certs, which will give rise to a new category: valid cert but reported as phishing site.
  
  Further, any statement made by the browser based on the cert lacks foundation unless the statement says which CA made the cert. Without the CA being presented on the chrome somehow, the browser is subject to substitute-CA attack, and all the validation ideas will fall to that if it is worthwhile enough. Users don't buy house insurance from Joe's Diner, so why would they accept a cert (or a statement) from some random CA that operates two continents away?

• Anonymous
  January 01, 2003
  Please make sure that all these color coded address bars include sufficient accessibility for the color blind, the blind and the visually impaired. Make sure that, along with colors, text shows the bar's status. It seemed this would be the case for red and yellow, but saw no such indication for green. Please don't forget about us!

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  I suggest you use an actual bright red, rather than the pastel pink in the exmple. Pink is soothing and calming and reassuring, not at all indicative of the lever of concern you wish to provoke in users when visiting a phishing site.

• Anonymous
  January 01, 2003
  <<Another nice feature is a warning if you use an URL with embedded username and password >>
  
  Internet Explorer has prohibited this syntax for HTTP(S) URLs for over a year. IE7 continues to prohibit this syntax, and such URLs will not navigate.
  
  Melissa-- The user may opt to ignore the phishing blocking page and navigate anyway. A persistent red warning will remain in the address bar while on the alleged phishing site.
  
  Iang-- Petname is a really interesting idea, but I'm not convinced that this is the simplest route to take for most end users. IE7 does expose new APIs which should make it much easier to write a Petname plugin for IE.
  
  Note that reported phishing sites are blocked, even if they bear a certificate. Furthermore, because we are turning revocation checks on by default in Vista, a phisher's certificate will likely be revoked shortly after the site is flagged as a phisher.
  
  As you noted, it's important that we show the name of the CA who identified the site, and hence we do so in the top-level IE chrome.

• Anonymous
  January 01, 2003
  Great Idea of using color in address bar.
  Since some have clor blindness, we can also
  consider the idea of putting 'tick' mark,
  'cross' mark and 'question/exclamation'
  mark in the address bar.
  

• Anonymous
  January 01, 2003
  I'm sorry to post this here. But I can't think of any other ways to find out the answer. It might be out of the topic but please.. Help me if possible.
  
  IE used to be able to surf RTSP links. However, IE now is unable to surf RTSP links. Why? And is there other way to surf RTSP links? It is because, we need to do this RTSP thing however, we realise that it is impossible now. Thus causing us to have diffculties in continuing our research.
  
  Thanks.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  Well, as a long time Mozilla and Firefox user (in fact I don't run Windows at all) I say: that IE7 colour scheme is a great idea. I hope that other browsers will use it too. To me this makes a lot of sense and would add real value to user experience. Maybe using yellow for https-connections in Firefox/Mozilla was not a very bright idea - green might have been much better. But changing that shouldn't be a major problem - neither for the developers nor the users.

• Anonymous
  January 01, 2003
  TrustBar is a FireFox extension that already (and for a while already) implements several of these ideas, and others. In particular, it supports both petnaming of a site, i.e. to assign a name (or, with TrustBar, a logo) to a site, and also display Identified by and the logo (or name) of the organization and of the CA, like IE 7. You can install it via http://AmirHerzberg.com/TrustBar">http://AmirHerzberg.com/TrustBar.
  
  TrustBar is the result of secure usability study by Ahmad Jbara and myself, and has some other mechanisms, including random exercise training attacks to help users stay trained to watch for the name/logo of the site. (I must admit that this mechanism is now set for too frequent exercise attacks, we will improve this in our next release very soon, but you can also reduce or eliminate this using the user interface of course).
  
  We are very happy to see some of this research adopted by browsers. We have some more ideas we are investigating, and would love to cooperate with any browser developers to help improve security indicators. TrustBar is an open source, public domain project.
  
  BTW, I also had a student working on an IE version of TrustBar, but it didn't work well. He used IE 6 and couldn't get the certificate for the page.
  
  Best, Amir Herzberg
  
  Assoc. Prof., Dept. of Computer Science, Bar Ilan University
  http://AmirHerzberg.com

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  From Frank Hecker (see link above):
  
  <<Microsoft’s proposal provides more visibility for the CA issuing an extended validation certificate than is present in most current browsers (which to display the CA name typically require an extra user action like clicking on the lock icon or moving the cursor over it). Besides making users more aware of the role of CAs, this provides CAs with an opportunity to do the sort of brand-building mentioned in my previous post, and to that extent offers an incentive for CAs to participate in the market for extended validation certificates.>>
  
  Some comments state, that a tooltip should be used, instead of rotating the CA's name in periodically. I think, that Franks words really have merit. If we want to make the web secure, it takes efforts, and compromises from all: the industry, the browser vendors and the users. So I will gladly accept some rotating info in my address bar, if that gives the CA industry the incentive to adopt the stronger rules. In the long run, I think this will pay off.
  
  So to Microsoft I say:
  You are on the right way, and a little more farsighted than some of the people who have commented here. My congatulations!
  
  Branko
  
  --------
  If you find spelling mistakes, you can keep them. They are there for free!

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  Will IE 7 still use the Revocation information provider API for automated OCSP checks on websites ssl certificates ?
  
  cf http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/rpcrypto.asp?frame=true
  
  How will the results be displayed by IE 7 ?
  
  

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  Well guys... I can see here Microsoft fans only... With some sugar and honey on their mouths... "Oh, lovely colors, Microsoft! Love them!".
  
  The only good thing about this is that Microsoft was staying on one table with Konqueror, Opera, Mozilla. For the first time we don't see things like "We are the only one!". Because you're not.
  And if this comment will stay here /I suppose someone will delete it/, please guys! Begin to produce more normal products like browsers and operating systems. Please!
  I hope someone will read it!
  Have a nice day! And a lots of luck, using IE and Windows :)

• Anonymous
  January 01, 2003
  No question, if I was to use the phishing filter, that would be effective and look good.

• Anonymous
  January 01, 2003
  To Victor. Well, I use IE, antivirus and firewall, no realtime antispyware and for about 2 years I got 0 infections, so why should I change?! ;)
  By the way, it would be nice, if it would be possibility to turn off the coloring of the whole link (that is good for newbies). The coloring of the square behind the link is noticable enough. As I have heard, then in IE 7 beta 2, the Favorites menu will be put above tabs, such a pity, it would be great, if its position would be changeable.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  @Eric
  
  Of course that is there, but do you think the average user knows about all the nooks and crannies of the system? Or even just IE? ActiveX controls can still run, but in order to access the computer, they should require special cryptographic keys for access permissions along with Administrator permission... That ensures greatest security... Of course that could be made optional... Also, you should move IE's info bar to somewhere that is locked in place because as I am browsing in FIREFOX, I saw the IE info bar appear just below the bookmark bar to install "ActiveX controls" from Yahoo!.... Maybe merge info bar with a locked status bar at bottom of screen that turns Dark Blue with white text for info bar...

• Anonymous
  January 01, 2003
  It amazes me how many people still fall for phishing attempts when I'm doing awareness training.
  
  It will be good to have something that can combine education with prevention.

• Anonymous
  January 01, 2003
  Any word on when BETA 2 will be released. I'm not a tester.. but i've got several projects on the go which i'd like to test in IE7.

• Anonymous
  January 01, 2003
  Joe
  7th december is the date that I have seen for Internet Explorer Beta 2.
  
  I hope that the IE team can deliver on the so far scheduled month of march 2006. :)

• Anonymous
  January 01, 2003
  Images don't load, the server just waits doing nothing, so downloading the images eventually fails on timeout.

• Anonymous
  January 01, 2003
  <<Images don't load, the server just waits doing nothing, so downloading the images eventually fails on timeout.>>
  
  Sorry about that. Through a quirk of our current blogging system, images are hosted on a different server which has been having problems since yesterday. We've notified the operations team.
  
  For the moment, you can see an archive of the images here: http://www.fiddlertool.com/certs.png

• Anonymous
  January 01, 2003
  Will IE 7 provide any specific support for podcasts, vodcasts, or torrents?

• Anonymous
  January 01, 2003
  It's great to see you folks working with other browser vendors. I expect that'll benefit everybody.
  
  I'm also really happy that you'll always be showing the address bar. I've long found the ability of websites to disable browser functionality to be an incredibly annoying usability problem - especially when the browser doesn't let you (eg) right click on the title bar for options to re-enable the nav bar, address bar, and so on. There are legitimate reasons to hide these UI elements by default, but I see no reason the user should not be able to bring them back.
  
  If the user could right-click in the address toolbar to get a menu giving them the ability to re-enable the other toolbars, that'd be very nice indeed.

• Anonymous
  January 01, 2003
  <<Will IE 7 provide any specific support for podcasts, vodcasts, or torrents?>>
  
  IE hasn't announced any plans to natively operate on torrents, although, of course, existing torrent plugins for IE should continue to work.
  
  As for *-casting features, you might take a look at our RSS team's blog: http://blogs.msdn.com/rssteam/default.aspx

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  I'm glad MS is being bold and working from a clean slate when thinking about the colors, rather than being limited by what is already out there. And kudos for working with the other browsers. But the confusion over yellow will be real, and I would propose addressing it by building consensus around red/yellow/green, and then phasing in the rollout as follows:
  
  If Firefox, Opera, and Konqueror can get green in in the near term (say, for Firefox, in 1.5 or 1.5.1), then IE7 can be released with the new color scheme.
  
  But let's say that it will take longer for adoption by the other browsers, or we want to have a delay to "cleanse the palate" of the users, give them time to upgrade, and let them forget that yellow used to be good. IE7 could be released with red and green, but leave the suspicious sites white for the time being. Then, when the time was ripe, a minuscule Windows Update could activate the dormant yellow in IE7.
  
  Re yellow - it was chosen to match the lock icon, but red/yellow/green is a powerful meme.
  
  Re rotating the CA - this is good; users initially won't know Contoso from Callahan's, but they will become accustomed to seeing a particular name alternating with the name of their bank. But it must be noticeable but not demanding! (of the user's attention)
  
  I want to second what Craig said: give the user a way to get the chrome back (and restore resizability and scrolling) in ANY popup.
  
  Eric: I think the typo Brett was referring to may have been "bellow" for "below" in the screenshots. I initially also thought that came from IE, asking the user to enter info on the suspected phishing site, but I guess not.
  
  Dave
  (Posted with Firefox 1.5RC3)

• Anonymous
  January 01, 2003
  <<Eric: I think the typo Brett was referring to may have been "bellow" for "below" in the screenshots. >>
  
  Yes; this spelling error is in the original text of the <TITLE> tag from a phishing page that we harvested and archived for demonstrations of the phishing filter. Phishing sites very often have subtle (or major) typographical or spelling errors.

• Anonymous
  January 01, 2003
  Using the traffic light colors provides an additional bonus, it solves the colorblindness issue. The issue of colorblindness is a real problem. Software developers, especially for something as widely used as IE, should always be mindful of those with disabilities. The traffic light scenario solves this issue in a way that people will already be familiar with. In addition to the colors of a traffic light being standardized, so are the order of the lights (red at top, yellow in the middle, green at the bottom). Hence, if a motorist sees all red, yellow, and green as the same color, it is not an issue since he/she knows if the top bulb is lit it's red, and so forth.
  
  This same idea could be implemented in IE. Rather than the icons of red X, yellow !, and a lock (the lock is also confusing since it doesn't keep with the other Windows security icons of using a green shield with a check), a small traffic light icon could be used. The icon would have the respective light lit up for the appropriate color. Hence, if someone is color blind, he/she need only look at the icon and it will be clear which color is shown.
  
  Rather than inventing some new system to solve an old problem, I think it's best to use the solutions that have already been tested for many years.

• Anonymous
  January 01, 2003
  > In addition to the colors of a traffic light being standardized, so are the order of the lights (red at top, yellow in the middle, green at the bottom)
  
  Well, except in Chicago, where red is on the left, yellow in the middle, and green on the right.

• Anonymous
  January 01, 2003
  I could only parse about half the comments, but I reiterate:
  
  1. Only two colors/states/warning levels. Simplify people! Jeesh.
  
  2. Yellow is already the standard because Firefox did it first. Sorry people. Release more often and you wouldn't have to redo stuff. I have similar problems because I can't release as quick as other ppl.
  
  3. No need to always show the cert info in the address bar.
  
  4. People who want to continue to f' with the address bar etc. and/or "configure" their users' experience. Go away. Please. Pop-ups should have never been allowed in the first place, yet alone getting rid of the address bar. I read some of these comments and cringed because I knew these were the ppl responsible for some of the cringe-inducing experiences I've had on the web.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  firefox 1.5 is officially out. yay ya.

• Anonymous
  January 01, 2003
  @someguy
  
  Jeez, you have no idea... Firefox is the FIRST browser in nearly 13 years that has been able to withstand Microsoft's power of Internet Explorer... It must have been doing something RIGHT in order to dislodge Microsoft's near monopoly... Normal users, or ones who care for ease of use, want to know if they are in a bad site because they do not want their private data compromised... And for Firefox's GUI, which is designed for people who want simplicity, is near-perfect for its purpose... Developers may not care about colors, but everyone else will. I know that Mozilla will adopt the Red/Yellow/Green system (they may change Yellow to some other color that is more distinguishable) simply because people will begin to clamor for it, and the software is ruled by people, not a mess of a company ruled by one person. That means that all ideas are considered and usually implemented, not just those of a small group or one person's interests... NEVER DISREGARD POWER OF THE PEOPLE!!! The reason IE is changing is BECAUSE OF FIREFOX!!! You are very ignorant... Sure, Firefox has quirks, but IE has (hopefully no longer) dangerous problems.... AND THAT IS ABOUT IT!!
  
  BTW Yahoooooo! Firefox 1.5 is finally out! (Goes and runs yum and FF update)

• Anonymous
  January 01, 2003
  Daniel:
  
  "2. Yellow is already the standard because Firefox did it first."
  
  Firefox went against the standard when they decided to move the padlock from the toolbar to the address bar. How is that any different from what you're complaining about now?

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  FF was relatively small compared to mozilla and it worked on several platforms, while IE was locked to Windows (except older versions of IE which exists on Mac).
  If you want simple, then it will always be links and lynx for me. You can't get more simple then just text.
  
  I like the colors, will be annoying at first like the yellow in FF. We will adapt.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  As continuing my previous post regarding to using less colors, it is wrong direction if IE uses multiple colors to distinguish message type as suggested in this blog.
  
  Let me give the evidence, to see how many people will be affected by the colors.
  Roughly 1 out of 200 women and 1 out of 12 men (particularly over the age 40) simply can’t detect some color distinctions because of the color-blindness. This is from Steve Krug’s book Don’t Make Me Think ,page 83, a very good book for Web design (although our web site hasn’t come up with this great guide, it will be updated soon).
  
  

• Anonymous
  January 01, 2003
  This is a classic thread.
  
  "I think the bikeshed should be green!"
  "No! It must be cyan!"
  "No way! My bikeshed is orange, so ALL other bikesheds MUST be orange!!"
  "Bikesheds shouldnt be painted! The bike owner will get confused!!!"
  
  etc etc etc.
  
  Anyway - regardless of the 'useful' comments, keep up the good work, IE team. :)
  
  

• Anonymous
  January 01, 2003
  To my eyes, the green "everything is ok" address bar is a rather difficult to read. There is poor contrast between black text and a green background. The attempt to improve this by adding a white glow around the letters makes them look fuzzy to me. It looks particularly bad compared to the other two styles where the letters stand out much better.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  I dont understand what the big complaint about the yellow is all about. Have some of you forgotten that Red-yellow-green system is ALREADY used within Windows XPSP2. The Security Center uses green for on/up to date....yellow for not sure/not monitored and red for off/critcal issue. I dont see any complaints about that. This is a similar type extension and is logical concept.
  
  I think either most people wont care about the color, or Firefox can change the default to green. In fact the theme I am using in Firefox now, makes it already green. In essence yellow isnt even a "standard" in Firefox. It's the default that changeable with themes. Sounds more like people wanting to complain.
  
  Cheers.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  To EricLaw [MSFT] : Well, it's just that we need to upload our RTSP file onto the server and run it using IE. But we aren't able to do it..

• Anonymous
  January 01, 2003
  and still waiting for another version of IE...
  
  ...
  
  ......
  
  keep up Microsoft!

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  Mike_J -- regarding colorblindness, it's only bad if color's the only thing used to differentiate. In the screenshots, it shows icons and text which are also displayed within the address bar to differentiate.

• Anonymous
  January 01, 2003
  Is there some way to downgrade back to Internet Explorer 6? There doesn't seem to be much assistance anywhere on the Microsoft site nor on the internet on how to do this. The current release of IE7 Beta doesn't work with the visio viewer.

• Anonymous
  January 01, 2003
  Dangarion,
  
  Go to add/remove programs then select the checkbox at the top of the add/remove programs window which says "Show Updates". Then scroll down to Windows Software Updates and look for IE7.
  
  When you remove IE7, IE6 will take its place automatically.

• Anonymous
  January 01, 2003
  As a corporate security architect I would like to pose another problem for the browser community to address. We have deployed one of the many enterprise web single sign-on solutions available in the marketplace. Our product, as well as most of its competitor products, use encrypted cookies to maintain user state (primarily authentication). The cookies are encrypted, and have limited lifetime, and can be attached to a sender IP address.
  
  Problem with this model is IP addresses are now proxied in many situations and have no real connection back to the end client. To make these solutions work in large international environments means we must trust that the encrypted cookie is actually coming from the client browser to which it was originally issued. An intercepted cookie can be replayed to impersonate the original user for the remaining lifetime of the cookie.
  
  It would seem the only way to secure these cookies is to have some smarts on the client side so cryptography can be used to ensure the cookie can only be used by the client browser to which it was originally issued.
  
  Yes, we can do that with browser plug-ins, but in our environment we interact with many clients outside of our control. What are the chances this group of browser developers (meaning the group that met in Canada a while back) could address this issue. I think in a nutshell we are talking about industry standard, product agnostic secure session management.

• Anonymous
  January 01, 2003
  <<It would seem the only way to secure these cookies is to have some smarts on the client side so cryptography can be used to ensure the cookie can only be used by the client browser to which it was originally issued.>>
  
  You can't solve this problem without providing message-integrity.
  
  SSL with Client Certificates is the right architecture for this scenario. SSL+Kerberos would be effective as well.
  
  (Why would a bad guy bother replaying the encrypted cookie if he can just rewrite the client and server HTTP traffic?)
  
  For what it's worth, you can slightly reduce the risk of the non-SSL architecture by using the HTTPOnly attribute on cookies; this reduces the risk of cross-site scripting attacks.

• Anonymous
  January 01, 2003
  this ideas sound very interesting! :->

• Anonymous
  January 01, 2003
  <<It would seem the only way to secure these cookies is to have some smarts on the client side so cryptography can be used to ensure the cookie can only be used by the client browser to which it was originally issued.>>
  
  <You can't solve this problem without providing message-integrity.>
  
  Not sure I understand/agree. We are talking about an authentication token as represented by an encrypted cookie. This token allows me access to web resources that may or may not be sensitive. I am not typically talking about a transaction that requires integrity, although frequently confidentiality.
  
  
  <SSL with Client Certificates is the right architecture for this scenario. SSL+Kerberos would be effective as well.>
  
  SSL tends to be expensive (CPU) and is not suitable to all our web sites. Client certificates are not scalable or manageable when you must support user communities that include suppliers, customers, retirees. SSL+Kerberos, in my understanding, is not a platform independent, HTTP protocol friendly option for a diverse, multi-company user community.
  
  <(Why would a bad guy bother replaying the encrypted cookie if he can just rewrite the client and server HTTP traffic?)>
  
  We are talking about an authentication token. The bad guy assumes the identity of the user identified inside of the cookie. The bad guy cannot alter the cookie, or create his own, but for the lifetime of the hijacked cookie he/she can access any information or act as the legitimate user at any site that is a part of the SSO environment.
  
  This is a known security problem. I have socialized this with many in industry (including MSFT). General agreement is the problem could only be solved by a new generation of browser (to quote one of my MSFT contacts). I thought that is what this might be all about, so I bring this up.
  
  For what it's worth, you can slightly reduce the risk of the non-SSL architecture by using the HTTPOnly attribute on cookies; this reduces the risk of cross-site scripting attacks.

• Anonymous
  January 01, 2003
  <<I am not typically talking about a transaction that requires integrity, although frequently confidentiality.>>
  
  Without SSL, how are you providing confidentiality? The bad guy in the middle can read whatever the client reads. Worse still, he can simply change a client's GET request from http://server/somethinginnocuous.htm to http://server/showmemysecrets.htm, and boom, it's all over.
  
  I don't dispute that the replayability of authorization cookies is a known security problem, but I do not think you can solve the problem without first guaranteeing message integrity and confidentiality. SSL provides both of these, as you noted, with a tradeoff of CPU time.
  
  -Eric

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  Codemastr, I have no problem with a few colours being used in the address bar, I was merely responding to Johnj's post because I wasn't sure if he was joking or serious.
  
  btw, you need to update that theory, it should be "We have banned...".

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  > ... some means by which a browser could "prove" it is the one
  
  SSL with client certificates should fit the bill. If it's a low-risk concern, cookies should be fine too.

• Anonymous
  January 01, 2003
  
  as David Letterman put it,
  'did you know the homeland security level is now 'peanut' in NY',
  
  seriously, sounds like someone just looked up from digging too deep in a GUI book,
  
  truth is, in RL ideas might not apply as cleanly as they looked on paper, this seems to me as one of those,
  
  in the dev teams quest for details to improve security in IE they've come up with a scheme which involves 'weighing' the goodness of an URL/ipnumber, and then color-coding it!
  
  I mean it sounds silly already,
  who will 'judge' these ipnumbers,
  where can I complain if my ip was judged 'bad',
  who will manage the database that stores this information, (so in the future all my surfing will go through a 'validating' microsoft server ?)
  
  wasn't the consensus on IDN's that they should be fullworthy domains (ie not worth less/less functional than 'ordinary' domains)
  
  IE team, for once don't go off the trail making own solutions/standards that noone will adhere/follow/respect.
  
  thanks,
  
  /B [refraining from making any 'polka'color jokes]

• Anonymous
  January 01, 2003
  Is there any way to get the DoD root certificates added to the default roots list?
  
  IMarv

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  MS does it again. I'm an access enthusiast and the first thing I noted about the phishing feature is it's inaccessability. Go here http://www.vischeck.com/vischeck/vischeckURL.php and use the URL of this page to see what I mean.

• Anonymous
  January 01, 2003
  Copperman,
  
  I'm looking at your site and I fail to see how the feature is not accessible. Regardless of whether you can see colors or not (and I am mildly color blind), you still have access to the feature. The colors are just an additional marker but not essential to it.
  
  - Al Billings [MSFT]

• Anonymous
  January 01, 2003
  Good idea to get together and look for standards, so the web gets easier to ceate and use.
  
  However, your blog entry can't be viewed with Firefox. The images are empty (non existent, not even broken as images).
  
  What 'technology' breaks this?
  
  K<o>
  

• Anonymous
  January 01, 2003
  <<and will deter developers from pop-up windows>>
  
  You say that as if it's a bad thing.
  
  Even for sites where the new window is somethign I want to see, I HATE pop up windows. I'd much rather have a new tab opened up instead.

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  The comment has been removed

• Anonymous
  January 01, 2003
  Glad to see the major browser vendors working together towards standards. Here's hoping this becomes routine.

• Anonymous
  January 01, 2003
  IMHO the one for suspicious sites (yellow) is a terrible idea. In Firefox, this color is used to indicate sites which use an encrypted connection (HTTPS). MSIE, being the one which follows up, should adapt to the colors firefox has chosen, as to make everything as easy and standard for the end user.

• Anonymous
  February 14, 2006
  One of the biggest challenges in making software more secure is maintaining compatibility with the existing...

• Anonymous
  February 15, 2006
  PingBack from http://vagus.wordpress.com/2006/02/16/channel-9/

• Anonymous
  February 23, 2006
  PingBack from http://nocchiogrosso.wordpress.com/2006/02/24/the-internet-identity/

• Anonymous
  March 15, 2006
  As we’ve described
  previously, we’ve made some major architectural improvements to improve browsing...

• Anonymous
  March 20, 2006
  I’m really excited for my talk tomorrow here at Mix06. This conference feels more like a party than work....

• Anonymous
  March 23, 2006
  PingBack from http://www.quickonlinetips.com/archives/2005/12/feed-icons-identify-syndicated-content-rss-feeds/

• Anonymous
  March 27, 2006
  The comment has been removed

• Anonymous
  March 30, 2006
  PingBack from http://cgi.250media.com/wordpress/?p=3

• Anonymous
  March 31, 2006
  PingBack from http://certifiedbug.com/blog/?p=45

• Anonymous
  June 20, 2006
  PingBack from http://burkinafasafiso.com/2005/12/16/firefox-neden-30i-gelistirmeye-basladi/

• Anonymous
  July 09, 2006
  PingBack from http://heis-phishing.com/phish_blog/?p=4

• Anonymous
  October 20, 2006
  The comment has been removed

• Anonymous
  October 23, 2006
  PingBack from http://blog.yuvisense.net/code/firefox-and-ie-7-rss/

• Anonymous
  October 25, 2006
  The comment has been removed

• Anonymous
  October 26, 2006
  PingBack from http://www.temme.net/sander/2006/10/27/new-ssl-certificates-now-with-green-which-is-more-safer/

• Anonymous
  October 27, 2006
  PingBack from http://www.infosecpodcast.com/industry-news/2006/10/microsoft-verisign-ssl-scam/

• Anonymous
  November 07, 2006
  Hi, I’m Kelvin Yiu, a program manager with the Windows Crypto team, and I’m very excited to be posting

• Anonymous
  November 07, 2006
  Hi, I’m Kelvin Yiu, a program manager with the Windows Crypto team, and I’m very excited to be posting today on the IE blog, announcing plans to make Extended Validation (EV) SSL Certificates available in January 2007. For over a year, we’ve been working

• Anonymous
  November 08, 2006
  PingBack from http://www.infosecblog.net/?p=132

• Anonymous
  November 12, 2006
  PingBack from http://robert.accettura.com/archives/2005/12/15/confusing-cross-browser-ui-design/

• Anonymous
  February 01, 2007
  The comment has been removed

• Anonymous
  February 04, 2007
  PingBack from http://www.computerdefense.org/?p=242

• Anonymous
  March 13, 2007
  PingBack from http://blog.johnath.com/index.php/2007/03/13/revisiting-security-ui-part-1-of-2/

• Anonymous
  July 18, 2007
  PingBack from http://blogsseek.com/trans-union/2007/07/18/nukezone-hosting-frequently-ask-questions/

• Anonymous
  September 10, 2007
  how to make a small business feasibility study

• Anonymous
  October 07, 2007
  PingBack from http://lahsiv.net/blog/?p=18

• Anonymous
  October 14, 2007
  We're notably delighted that you've found our webpage dealing with get more traffic.

• Anonymous
  January 15, 2008
  PingBack from http://mm8.za.net/?p=866

• Anonymous
  January 28, 2008
  The comment has been removed

• Anonymous
  February 18, 2008
  PingBack from http://www.zimbra.com/forums/administrators/15576-certificates-newbies.html#post78796

• Anonymous
  June 04, 2008
  PingBack from http://annabel.netinfodigest.info/lllocation.html

• Anonymous
  June 05, 2008
  PingBack from http://www.zimbra.com/forums/administrators/18865-zimbra-webmail-asking-about-security-certificate.html#post94796

• Anonymous
  June 11, 2008
  PingBack from http://jasper.bestsitesubmit.com/ie7addressbar.html

• Anonymous
  June 11, 2008
  PingBack from http://rosa.bestsitesubmit.com/internetexplorer6visibletowebsites.html

• Anonymous
  July 11, 2008
  PingBack from http://brandy.onlineshoppingvidsworld.info/enteravalidpostedblogentrysites.html

• Anonymous
  November 23, 2008
  PingBack from http://www.baby-parenting.com/baby/babyname/Lennor

• Anonymous
  March 04, 2009
  PingBack from http://marvinlee.net/blog/2009/03/green-indicator-url-bar-extended-validation-ssl-certificates/

• Anonymous
  May 26, 2009
  PingBack from http://masochismtango.com/2009/01/23/masabists-how-do-transcoders-affect-https/

• Anonymous
  May 29, 2009
  PingBack from http://paidsurveyshub.info/story.php?title=ieblog-better-website-identification-and-extended-validation

• Anonymous
  May 31, 2009
  PingBack from http://outdoorceilingfansite.info/story.php?id=1639

• Anonymous
  May 31, 2009
  PingBack from http://outdoorceilingfansite.info/story.php?id=19275

• Anonymous
  June 01, 2009
  PingBack from http://uniformstores.info/story.php?id=15403

• Anonymous
  June 07, 2009
  PingBack from http://greenteafatburner.info/story.php?id=2575

• Anonymous
  June 07, 2009
  PingBack from http://besteyecreamsite.info/story.php?id=1108

• Anonymous
  June 08, 2009
  PingBack from http://insomniacuresite.info/story.php?id=5100

• Anonymous
  June 08, 2009
  PingBack from http://cellulitecreamsite.info/story.php?id=729

• Anonymous
  June 09, 2009
  PingBack from http://toenailfungusite.info/story.php?id=9729

• Anonymous
  June 13, 2009
  PingBack from http://barstoolsite.info/story.php?id=23

• Anonymous
  June 13, 2009
  PingBack from http://thestoragebench.info/story.php?id=6152

• Anonymous
  June 15, 2009
  PingBack from http://einternetmarketingtools.info/story.php?id=7628

• Anonymous
  June 15, 2009
  PingBack from http://unemploymentofficeresource.info/story.php?id=7258