Photographs courtesy of Toby Watt - lawyer, friend and photographer extraordinaire...
Changes have been made to Internet Explorer to make it easier for users to see that they are on a secure site, and (just as importantly) that the secure site is the one that they were expecting to visit.
Internet Explorer has always displayed a lock icon on the status bar when we visit a secure site, but there have been two problems: firstly, the icon was not very prominent and was easily missed, and secondly, it was not easy for an inexperienced user to tell whether the certificate that triggered the lock actually matched the site they were expecting to visit. Anybody can set up a 'secure' web site by applying for the necessary certificate, and bad guys often try to masquerade as a well-known secure site (a practice known as phishing).
Internet Explorer 7 adds new visual cues and features that make it easy for a user to see whether they are on a secure site, and to check that the certificate matches the site they are visiting.
A new Security Status icon appears next to the Address Bar whenever we visit a secure site (note how Internet Explorer 7 Beta 2 and later forces all windows to display a URL, as another layer of protection against phishing sites).
If Internet Explorer detects a possible problem with a certificate (for example, if the certificate has been revoked), the address bar may have a red background (screenshot not currently available) and access to the Web site may be blocked by an intermediary page.
By clicking on the padlock next to the address bar when visiting a secure site, we can easily access the most important information about the certificate:
Compare the certificate information to the site you are visiting. If, for example, you were visiting www.google.com, but the certificate information referred to "Joe Bloggs Inc", you would immediately know there is a problem. By clicking on the View Certificates button, we can access even more information about the Site Certificate, but the information is technical and not very useful for the average user.
For information about other new protective features in Internet Explorer, make sure you review the information on this site about the new Phishing Filter.
SBS (Small Business Server) uses self-signed certificates by default. This may cause an issue for your users if they are running Internet Explorer 7 Beta 2 or later. As you can see from the screenshot, direct navigation to the Outlook Web Access log-on URL is blocked by IE7 when self-signed certificates are used.
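The two checks the article asks the user to make by eye, "does the name on the certificate match the site I typed?" and "is this a self-signed certificate such as the SBS default?", can be expressed as a small piece of logic. The following Python is an added example written for this page, not code from the article or from Internet Explorer; the CertInfo structure, the sample certificates and the simplification of comparing only the Common Name of subject and issuer are all assumptions made for illustration.

```python
"""
Certificate sanity checks of the kind IE7 performs before showing the padlock.
Added illustration: the CertInfo fields are a hypothetical, simplified view of
a certificate, not a real X.509 parser.
"""
from dataclasses import dataclass, field


@dataclass
class CertInfo:
    subject_cn: str                      # Common Name in the Subject field
    issuer_cn: str                       # Common Name of the issuing CA
    san_dns: list = field(default_factory=list)  # Subject Alternative Names (DNS)


def label_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style name matching: a wildcard may only be the whole
    leftmost label, matches exactly one label, and never a bare TLD."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    host_labels = host.split(".")
    if len(host_labels) < 3:          # refuse "*.com" matching "example.com"
        return False
    return ".".join(host_labels[1:]) == pattern[2:]


def name_matches(cert: CertInfo, host: str) -> bool:
    # When SANs are present they take precedence; otherwise fall back to the CN.
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(label_matches(n, host) for n in names)


def is_self_signed(cert: CertInfo) -> bool:
    # Simplification (assumption): a real check compares the full issuer and
    # subject distinguished names and verifies the signature with the cert's own key.
    return cert.subject_cn == cert.issuer_cn


def assess(cert: CertInfo, host: str) -> list:
    """Return the list of problems IE7 would flag, empty if the padlock is clean."""
    problems = []
    if is_self_signed(cert):
        problems.append("self-signed")
    if not name_matches(cert, host):
        problems.append("name mismatch")
    return problems


if __name__ == "__main__":
    # Constructed sample certificates, not captured from any real server.
    google_like = CertInfo("www.google.com", "Example CA", ["*.google.com", "google.com"])
    joe_bloggs = CertInfo("Joe Bloggs Inc", "Example CA")
    sbs_default = CertInfo("sbs.example.local", "sbs.example.local")

    for cert, host in [(google_like, "www.google.com"),
                       (joe_bloggs, "www.google.com"),
                       (sbs_default, "sbs.example.local"),
                       (sbs_default, "mail.example.com")]:
        print(f"{host:20} -> {assess(cert, host) or 'OK'}")
```

The "Joe Bloggs Inc" case from the article comes out as a name mismatch, and the SBS default certificate is flagged as self-signed even when the host name is correct, which is exactly the situation the red Address Bar warns about.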
To help avoid confusion I'd recommend you alert your users to this change in behaviour sooner rather than later, so that they understand that there is nothing wrong with your site or their computer.
Here are the hoops your user will have to jump through to stop the warning page from appearing every time they go to your site.
First, they will see this page.
Your users need to click on Continue to this website (not recommended).
They will be presented with the red Address Bar and certificate warning:
Click on the Certificate Error button to open the information window.
Click on View Certificates. Then click on Install Certificate.
You'll see yet another warning.
Click on yes, then you're done.
Internet Explorer 7 introduces support for high-assurance certificates, which are issued only after more rigorous qualification requirements than standard certificates. When you encounter a High Trust certificate the Address Bar will turn green:
Please do not link to the green bar graphic - to do so is bandwidth theft.
If you wish to create your own graphic, please go to:
If you set IE's Internet or Restricted Zone settings to an option that is not recommended, the following page will appear in place of your home page.
The IE team have taken this step, which some see as nagging, because the reality is that users were lowering their security settings for whatever reason and then forgetting to raise them again, or malware or third-party programmes were lowering IE's security settings without the user's knowledge. Far too many ISP help desks, and other computer support providers, were advising users to reduce their security settings as a troubleshooting step, but not telling the user to put them back up again when finished.
To combat this forgetfulness, and the sneaky behind-the-scenes tricks by the bad guys or antisocial software, the IE team decided it was best to continually warn users whenever their security settings have been lowered in a way that allows arbitrary code to execute.
There is no way to disable this warning via Internet Explorer's user interface, although it is possible to disable it using Group Policy (gpedit.msc). Navigate to Local Computer Policy / Computer Configuration / Administrative Templates / Windows Components / Internet Explorer. Set "Turn off the Security Settings Check feature" to "Enabled".
The security settings that trigger the alert if lowered are marked with the words "not secure" and "recommended", for example: