IE11 Makes Over 40% Web More Secure While Sites Still Work

[Brink]

Internet Explorer 11 is the first browser to make Internet connections more secure and reliable by reducing the use of vulnerable ciphersuites, such as RC4 and by using the latest security standards, TLS 1.2, by default. With these changes in IE11, you can have peace of mind when accessing your critical personal information on social media, banking, commerce, and other sites. These advances build on our continued work to make IE the most secure browser in key areas such as socially engineered attacks.

IE11 Reduces Use of Vulnerable RC4 Cipher Suite

IE11 takes a big step toward better security by reducing the use of the vulnerable RC4 cipher suite. RC4 is a stream cipher that is widely supported—and often preferred—by TLS servers. However, recent studies such as those by AlFardan suggest exploits in the RC4 key stream that can be used to recover some encrypted data. RC4 has other weaknesses as well, as discovered by Paul, Mantin, and Fluhrer. Based on these studies, the industry consensus is that RC4 has a variety of cryptographic weaknesses, and RC4 exploits are now practical.We have proposed changes to the TLS standard, so that other browsers and industry players can follow our lead in securing the Web.

The changes in IE11 increase security while still ensuring compatibility with the Web, in spite of the current widespread use of the RC4 cipher suite. IE11 does not offer RC4-based cipher suites during the initial TLS/SSL handshake. In this way, most connections successfully use non-RC4 cipher suites. We studied 5 million Internet sites and found that over 96% of sites can negotiate ciphers other than RC4. Notably, nearly 39% of these sites support non-RC4 even though they prefer RC4 – and for these, sites, IE11 substantially increases the security of the Web.

A study of 5 million Internet sites shows that IE11 automatically increases security for 39% of sites without affecting compatibility​

For the rare cases where the browser cannot negotiate a non-RC4 cipher suite with the server, IE11 falls back to negotiating TLS 1.0 or SSL 3.0 with RC4 to ensure that you can still reach the sites you need. Microsoft is actively working with many of these sites to enable support for non-RC4 cipher suites.


Turning on TLS 1.2 by Default

IE11 further increases Web security by enabling TLS version 1.2 by default, building on IE’s leadership as the first browser to implement TLS 1.2 as an optional setting in IE8. You can access sites such as Outlook.com, Facebook, etc. using industry-leading security standards thereby keeping your personal information safe. TLS 1.2 increases security by supporting more advanced cryptographic suites. Most of the practical exploits that target TLS 1.0 and TLS 1.1 ciphers do not work on TLS 1.2 ciphers. For example, TLS 1.2 is not subject to the BEAST attack.

In IE11, you can take the advantage of added security in TLS 1.2 while getting the same performance provided with RC4 ciphers. TLS 1.2 provides new cipher suites that provide strong security and high performance. For example, the AES-GCM cipher suite is supported only on TLS 1.2 and performs just as well as RC4 ciphers. By enabling TLS 1.2 with AES-GCM, sites can provide strong security without introducing additional server load.

Tuning on TLS 1.2 out of the box in IE11 automatically increases the security level with nearly 16% of Web servers and this number should increase as additional servers and browsers begin to support and prefer TLS 1.2. Windows Server has supported TLS 1.2 since Windows Server 2008 R2 and we encourage servers to enable TLS 1.2 in IIS, which is a simple configuration change. Servers such as Apache also support TLS 1.2, and as the industry moves forward, other Web servers will support TLS 1.2 in the future as well. The change does not affect compatibility with existing servers, which down-negotiate TLS to the highest mutually-supported version. By default, IE11 supports TLS 1.2, TLS 1.1, TLS 1.0 and SSL 3.0.


Conclusion

IE11 makes 39% of Web sites more secure by discouraging the use of vulnerable RC4 based cipher suites and increases security on 16% of Web sites by negotiating TLS 1.2, the most secure version of TLS.
Try out IE11 to experience more secure browsing that uses the latest industry standards. We look forward to hearing your feedback via Connect, to help us move the industry forward and continue to enhance the browser.

Hasnat Naveed and Ritika Kapadia
Program Managers in Windows and Internet Explorer

More...

 

[stsaerox]

Really?

 

[ThrashZone]

Nice article Brink and long quote
I can't say I disagree with any of it,
I don't know if Microsoft 's Compatibility view lists have Improved though
I have noticed they removed the Comp-view listing in tools but added Comp-view settings to the gear symbols list which was long overdue

 

[PaulGo]

Internet Explorer 11 at it again, breaks Microsoft's own CRM software

Customers advised to use old version ... or another browser

...More importantly, however, it's a bummer for Microsoft's Internet Explorer team, which has been touting IE11 as its best-performing and most standards-compliant browser to date. By comparison, the Dynamics CRM browser compatibility document lists the supported versions of Firefox, Chrome, and Safari simply as "Latest Version", without restrictions.
Microsoft has yet to say when and if it plans to release a patch for either IE11 or Dynamics CRM that will improve compatibility between the two products.

Internet Explorer 11 at it again, breaks Microsoft's own CRM software ? The Register

 

[andrew129260]

I find that 11 crashes as much as 10 did.

 

[zapp22]

is this what corrupted my unused Administrator [root] profile? again, and again, and again?

 

[Computer0304]

Well I actually crashed once lately compared to 0 crashes in ie10. (Well so I can remember)

 

[ThrashZone]

ie11 never crashed on my end,
Mouse function was very annoying though so that was my reason for rolling back.
ie11 just needs one or two version fixes and it will be better.

 

[Layback Bear]

I.E. is like any other browser. They all need little updates to get them to work a little better and more secure.
It's a never ending thing.

 

[andrew129260]

True, but other browsers are actually usable. My and a couple of others pcs keep crashing in ie11, and 10. Even without any plugins what so ever, or trying ie safe no addons mode.
Its a shame, I was starting to like ie 10 and 11, and then they just started crashing on certain websites and such. I have been having good luck with firefox. So I am sticking with them for now. But the latest tests show that Internet explorer is actually better at blocking drive by downloads and malware compared to even chrome and firefox. It makes me interested in using it as my default browser. Problem is, Its just not stable enough.

 

[Slartybart]

Decided to test the Security settings in IE 10 IE 9 and found that 80% of web sites I regularly visit work fine when I set (advanced tab IE options) security to TLS 1.2. I don't think IE 10 IE 9 'automatically' tries TLS 1.0 if a site rejects TLS 1.2, this alone makes IE 11 worth further consideration.

Anyway, I tried TLS 1.1 on the sites that 'failed' (IE cannot open window) and had to include TLS 1.0 to get the remainder to work. I do not have any SSL security tabs ticked in IE - so far it doesn't seem to cause any issues.

Bill

 

[ThrashZone]

It makes me interested in using it as my default browser. Problem is, Its just not stable enough.

A possibility is Avast is conflicting too much for this to be a viable option,
Conflicting security features is always a issue it seems,
Cheers.

 

[andrew129260]

It makes me interested in using it as my default browser. Problem is, Its just not stable enough.

A possibility is Avast is conflicting too much for this to be a viable option,
Conflicting security features is always a issue it seems,
Cheers.

I had a feeling you were going to say that. Thing is, I have problems with it even without avast, in VM's. Sometimes, its not the security suite, sometimes its just internet explorer.

I'm currently using panda cloud antivirus free.

 

[ThrashZone]

In ie11's case I would agree but as it's been said early versions are always a bit buggy and if Microsoft feels it's not getting enough input or feedback about a optional release they seem to make it a Important update so more people freak out
But it's all good sooner or later but I do have reservations about ie11 which I do not have anymore,
It does need more patches,
Cheers.

 

[crankypenguin]

I found this interesting in the article mentioned, I quote *Another thing to highlight is that OpenSSL implemented a feature where they send an “empty TLS record” immediately before they send a message. This empty TLS record causes a change in the CBC state where people consider it to give the message “a new IV” that the attacker can’t predict. This feature in OpenSSL is disabled with the “SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS” option and it’s also included in the “SSL_OP_ALL” option. In OpenSSL versions 0.9.6d and later, the protocol-level mitigation is enabled by default, thus making it not vulnerable to the BEAST attack.* . So basically they are sending an empty record before the actual payload..hmm interesting stuff. Are other browsers going to follow suite? A pic of tls settings from firefox 26 (beta ) 0 means SSL 3.0, 1 means TLS 1.0, 2 means TLS 1.1 etc. Browsers need to up the ante. I set my max to 3.

 

[RoasterMen]

True, but other browsers are actually usable. My and a couple of others pcs keep crashing in ie11, and 10. Even without any plugins what so ever, or trying ie safe no addons mode.
Its a shame, I was starting to like ie 10 and 11, and then they just started crashing on certain websites and such. I have been having good luck with firefox. So I am sticking with them for now. But the latest tests show that Internet explorer is actually better at blocking drive by downloads and malware compared to even chrome and firefox. It makes me interested in using it as my default browser. Problem is, Its just not stable enough.

FireFox is much better compared to other browsers, the problem is it eats too much RAM.

 

[andrew129260]

True, but other browsers are actually usable. My and a couple of others pcs keep crashing in ie11, and 10. Even without any plugins what so ever, or trying ie safe no addons mode.
Its a shame, I was starting to like ie 10 and 11, and then they just started crashing on certain websites and such. I have been having good luck with firefox. So I am sticking with them for now. But the latest tests show that Internet explorer is actually better at blocking drive by downloads and malware compared to even chrome and firefox. It makes me interested in using it as my default browser. Problem is, Its just not stable enough.

FireFox is much better compared to other browsers, the problem is it eats too much RAM.

Agreed But when you have 16GB ram like me, ram doesn't matter
(They have been lightning the load with every release I noticed.)

Edit: Just noticed that I had some windows updates and have done them. So far using internet explorer 11 is going without a crash. But this happened before and it was running fine for 2 hours and then crashed loading one blank tab.... We shall see how this goes.

I will say this, Internet explorer hardware rendering is a LOT better then Firefox. I noticed that pages load a lot faster on Internet explorer vs firefox. Then again, its not all that fair since I have about 8 addons in Firefox. (But still even without addons IE is faster) Rendering pages is defiantly noticeably faster. And its really odd but awesome to me that apparently internet explorer is more secure with blocking drive bys and scanning downloads then firefox or even chrome. Odd, but awesome...

If Internet explorer 11 starts working right......I might (dear god....I might say it....) .....like it. Woah, that was hard.

 

[cluberti]

If security is important to you, please, do not use Firefox. It lacks process sandboxing, multi-process containers, or the ability to use integrity levels on Vista+ OSes. Basically, it runs in the context of the user, with no additional security that the OS would provide specifically for browsers (something Chrome and IE both use quite heavily). I'm not saying Firefox is *insecure*, I'm saying compared to IE or Chrome, it is far less secure because it uses no additional OS hardening that has been available since 2006 on Vista RTM.

It's telling that implementing any kind of sandboxing is a P3 bug that's been open since 2005 with basically zero movement.

 

[andrew129260]

If security is important to you, please, do not use Firefox. It lacks process sandboxing, multi-process containers, or the ability to use integrity levels on Vista+ OSes. Basically, it runs in the context of the user, with no additional security that the OS would provide specifically for browsers (something Chrome and IE both use quite heavily). I'm not saying Firefox is *insecure*, I'm saying compared to IE or Chrome, it is far less secure because it uses no additional OS hardening that has been available since 2006 on Vista RTM.

It's telling that implementing any kind of sandboxing is a P3 bug that's been open since 2005 with basically zero movement.

Thanks for the information More on this topic below:

Multiprocess Firefox | Bill McCloskey's Blog

https://wiki.mozilla.org/Security/Features/Sandboxing_of_content_processes

 

[indianacarnie]

Just installed 11 via update a few days ago. Hadn't used it at all till reading through this thread. Figured I'd give it a quick look see. It IS very fast at rendering pages, much to my surprise. A little "jerky" maybe but fast. Maybe after a few more of the bugs are ironed out I'll make more use of it. Using Maxthon more and more these days though.