As Internet Explorer tries to get serious about security, you have to find out how to make sure you don't look like one of the bad guys. When it comes to security, things are rarely black and white: my handy IM Web client is your potential security hole. The issue is who is in control: you, as the site developer, or the user who owns the PC that Internet Explorer is running on.
You want a site that looks and works the way you want; the user wants a browser that blocks phishing attacks and doesn't let sites reset the home page. IE Program Manager Rob Franco jokes about it: "My goal with IE 7 is to protect the system against the most destructive force in the universe: my brother, who believes that everything on the internet should be free and will click on anything to get it."
But protecting the naïve user from the malicious attacker can mean the blameless developer loses a feature they were relying on. Vista Beta 2 secures what has just been renamed Internet Explorer 7+ by running it in a new protected mode, which restricts the changes IE can make to the registry and the files it can update; other security-related changes apply to IE 7 for Windows XP as well.
Take the phishing filter built into IE 7 to spot fake sites: it has already been triggered over 170,000 times during the beta, which is good news if the sites it flagged really were fake banking sites or the like. But what do you do to make sure your site doesn't trip it accidentally?
To avoid making it too easy for the phishing sites, Microsoft hasn't published a full list of the heuristics the filter uses. As well as blocking URLs collected by security companies such as Cyota and Internet Identity, it is a learning system, so the list of blocked sites will change as phishing sites evolve. If you're collecting personal information about users, secure your site with SSL, and don't link to a site by its IP address rather than by a URL with a domain name.
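The two concrete rules above (no raw-IP links, no personal data collected over plain HTTP) are easy to check for before a page ships. The script below is an added example written for this article; it is not code from the article, from Microsoft or from the IE phishing filter, whose real heuristics are unpublished. It scans a page's HTML with Python's standard library only, flags anchors whose host is an IP literal, and flags forms that contain password or e-mail style fields but would submit over HTTP. The sample HTML, the hostnames and the 203.0.113.10 address are constructed for the demonstration.

```python
"""Pre-publication lint for two phishing-filter pitfalls: IP-literal links and
sensitive forms that post over plain HTTP.

Added example, not the article's or Microsoft's code. The two rules mirror the
article's advice only; they are not the filter's actual heuristics.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input types and name fragments we treat as "personal information" (assumption).
SENSITIVE_INPUT_TYPES = {"password", "email", "tel"}
SENSITIVE_NAME_HINTS = ("pass", "ssn", "card", "account")


def host_is_ip_literal(url: str) -> bool:
    """True when the URL's host is a bare IPv4/IPv6 address rather than a hostname."""
    host = urlparse(url).hostname  # strips brackets from IPv6 literals
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class PhishLintParser(HTMLParser):
    """Collects (line, rule, detail) findings while walking the document."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_scheme = urlparse(page_url).scheme.lower()
        self.findings = []
        self._form_stack = []  # open forms as [start_line, action, seen_sensitive]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line, _ = self.getpos()  # 1-based line of the tag
        if tag == "a" and a.get("href"):
            if host_is_ip_literal(a["href"]):
                self.findings.append((line, "ip-literal-link", a["href"]))
        elif tag == "form":
            self._form_stack.append([line, a.get("action") or "", False])
        elif tag == "input" and self._form_stack:
            itype = (a.get("type") or "text").lower()
            name = (a.get("name") or "").lower()
            if itype in SENSITIVE_INPUT_TYPES or any(h in name for h in SENSITIVE_NAME_HINTS):
                self._form_stack[-1][2] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form_stack:
            line, action, sensitive = self._form_stack.pop()
            if sensitive and not self._submits_over_tls(action):
                self.findings.append((line, "sensitive-form-over-http", action or "(page URL)"))

    def _submits_over_tls(self, action: str) -> bool:
        scheme = urlparse(action).scheme.lower()
        if scheme:  # absolute action URL: its own scheme decides
            return scheme == "https"
        return self.page_scheme == "https"  # relative action inherits the page's scheme


def lint_html(html: str, page_url: str):
    """Return a list of (line, rule, detail) findings for the given page."""
    parser = PhishLintParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one good link, one IP-literal link, one sensitive
# form posting over HTTP, one sensitive form with a relative action.
SAMPLE_HTML = """<html><body>
<a href="https://www.example.com/help">Help</a>
<a href="http://203.0.113.10/login">Log in here</a>
<form action="http://www.example.com/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="/signin" method="post">
  <input type="password" name="pass">
</form>
</body></html>"""

if __name__ == "__main__":
    for line, rule, detail in lint_html(SAMPLE_HTML, "https://www.example.com/"):
        print(f"line {line}: {rule}: {detail}")
```

Run against the sample page served over HTTPS it reports the IP-literal link on line 3 and the HTTP login form on line 4; the relative-action form on line 8 is only reported when the page itself is served over HTTP, because a relative action inherits the page's scheme.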
News Source: Channel Register