Microsoft's IEBlog is published by the development team that works on Internet Explorer (IE). As such, the blog contains interesting information about what we might see in future versions of the browser.
On October 22, the IE development team published an article that outlines a few changes Microsoft is making with Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Current versions of IE support SSL 2.0, SSL 3.0, and TLS 1.0, all of which can be enabled or disabled (select Internet Options from the Tools menu, go to the Advanced tab, and scroll down to the Security section). In IE 6.0, SSL 2.0 and SSL 3.0 are enabled and TLS 1.0 is disabled--at least that's the configuration in my default installations. However, SSL 3.0 and TLS 1.0 are much more secure than SSL 2.0; therefore, Microsoft has decided that in IE 7.0, SSL 2.0 will be disabled by default and SSL 3.0 and TLS 1.0 will be enabled by default. Many Web sites use SSL 2.0, so the changes in IE might cause connection problems for users unless sites begin offering SSL 3.0 before IE 7.0 enters widespread use.
Another major change is the way certificates will be handled. IE 7.0 will initially block access to sites whose certificates weren't issued by a trusted root or whose certificates have expired or been revoked. Under the first two conditions, the browser will offer the user the option of connecting anyway; if the certificate has been revoked, it won't offer that option. In addition, the browser won't show nonsecure content on sites whose pages use both secure and nonsecure content unless the user explicitly unblocks the nonsecure content.
Windows Vista will also bring changes to secure communications. With Vista, we'll finally see the use of 256-bit Advanced Encryption Standard (AES) to secure HTTP traffic. Vista will also use the Online Certificate Status Protocol (OCSP) for speedier certificate status checking and will implement some extensions to TLS that are outlined in Internet Engineering Task Force (IETF) Request for Comments (RFC) 3546.
Web site administrators need to be aware of these upcoming features in IE and Vista and take the necessary steps towards compatibility. Otherwise you're bound to run into problems in the future, particularly with certificates used on systems that host virtual domains, due to server name parsing and other issues.
You can learn more about these issues in IEBlog. You can also read a long list of comments and concerns from the blog's readers and post your own comments. If you want to learn more about the cryptography in Windows Vista, a video of an interview with Tomas Palmer and Tolga Acar (cryptography program managers at Microsoft) is available at MSDN.
If you're interested in information about Outlook Express (which incidentally has been renamed Windows Mail) in Windows Vista, be sure to read Windows Mail developer Bryan Starbuck's blog for plenty of insight regarding antispam features and more. You can also watch another video interview at MSDN with the developers and testers of Windows Mail in which they discuss the new mail client.