News

IE 11 Includes Default Encryption Protection

• By Kurt Mackie
• 11/12/2013

Microsoft's Internet Explorer 11 browser supports the latest Transport Layer Security (TLS) standard by default.

Support for TLS 1.2 out of the box means that security is potentially boosted without much in the way of compatibility issues for IE 11 users, according to a Microsoft IE blog post on Tuesday. That's one of the conclusions from a Microsoft-conducted study of five million Internet sites, which looked at the use of RC4 stream ciphers. Security researchers have found problems with RC4, which is widely used for encryption across the Web and with e-mail programs. Other TLS encryption schemes, such as Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA), which are wireless protocols, use the same encryption method as RC4 and can be exploited through similar methods.

Dissatisfaction with the use of RC4 across the Web is being driven by the work of security researchers using purpose-built tools. It's not clear that exploits are being carried out broadly. However, the RC4 research is publicly available, and it's now an "industry consensus" that RC4 has cryptographic weaknesses, according to Microsoft. Consequently, Microsoft is pressing the Internet Engineering Task Force to abandon the use of RC4 altogether.

Exploiting the flaw is carried out by repeatedly sending the same cipher text to a server and analyzing the results. The pattern in the returned cipher texts isn't sufficiently random, allowing a way for the encryption pattern to be deduced. In some cases, malware might be used to generate the many server requests needed to break the encryption.

Microsoft is recommending the use of TLS 1.2 because it supports alternatives to RC4, such as the Advanced Encryption Standard-Galois/Counter Mode (AES-GCM) cipher suite. AES-GCM is recommended because it provides encryption and security without adding to the server load, according to Microsoft. The use of TLS 1.2 also helps ward off BEAST (Browser Exploit Against SSL/TLS) attacks. A BEAST attack uses malware in conjunction with TLS connections to grab and decrypt HTTPS cookies used in "secure" Web sessions.

Default support of TLS 1.2 in IE 11 won't lead to compatibility problems for end users, according to Microsoft. When IE 11 users visit sites requiring RC4, the browser will fall back to using the RC4 cipher suite. However, sites that require RC4 are in the minority. In its study of five million Internet sites, Microsoft found only 3.9 percent of those sites required RC4 ciphers.

TLS 1.2 is supported in Windows Server 2008 R2 and Windows 7, but not in Windows Server 2008 and earlier Windows versions, according to this Microsoft support page. Microsoft's blog recommends turning on TLS 1.2 in Windows Server 2008 R2 and later versions. Also, some Apache Web servers support TLS 1.2, according to Microsoft.

Microsoft first added the ability to turn on TLS 1.2 in its Internet Explorer 8 browser, but it's now turned on by default in IE 11. The Google Chrome browser also supports TLS 1.2 by default as of version 29, according to a Google description (Chrome is currently released at version 30). It's apparently still not clear when Mozilla Firefox will have TLS 1.2 support, according to this Mozilla support forum page.

Of course, if people and organizations are worried about encryption being broken in Web communications, the biggest hackers of all may be the U.S. National Security Agency (NSA) and the British Government Communications Headquarters. An NSA program code-named "Bullrun" is devoted to breaking encryption. Moreover, the NSA apparently worked with companies and organizations to make software exploitable, according to disclosures from NSA whistle-blower Edward Snowden.