Microsoft Is Confident In Security of Edge Browser
jones_supa writes: It's no secret that Internet Explorer has always been criticized for its poor security, so with the Edge web browser (previously known as Spartan), Microsoft is trying to tackle this problem more effectively and make sure that users consider it at least as good as Chrome and Firefox. In a blog post, Microsoft details the security enhancements available in Edge, pointing out that most of the changes it made to the new browser make it much more secure than Internet Explorer. There is more protection against trickery, app containers are used as the sandbox mechanism, and protection against memory corruption is better. Old, insecure plugin interfaces are not supported at all: VML, VBScript, Toolbars, BHOs, and ActiveX are all nuked from the orbit.
How hard will this break Corp Intranet apps? (Score:5, Insightful)
So all those corporate intranet apps that stupidly require IE - how hard will Edge break those?
Re:How hard will this break Corp Intranet apps? (Score:5, Insightful)
Hard enough that IE11 will still be supported for a while in parallel.
That's the whole point of Edge. So that Microsoft can have a real browser without leaving the big corps' legacy shit behind.
Re: (Score:2, Informative)
Which is why you won't use Edge, you will use the legacy support version that they are also shipping. They are essentially splitting IE into two browsers, one for locked down, legacy, corporate use, and one for normal users.
Re: How hard will this break Corp Intranet apps? (Score:4, Interesting)
Not true. Microsoft has thought this scenario through thoroughly. Corporations can configure Windows to only launch IE for whitelisted domains or sites. This way organizations can default to Edge for general usage while whitelisting legacy apps or apps that have legacy headers.
Re: How hard will this break Corp Intranet apps? (Score:2, Interesting)
So, all I have to do in order to break these systems is to include the legacy compatibility headers? Then users who think they're using Edge will actually use IE 11? Fantastic.
Re: How hard will this break Corp Intranet apps? (Score:4, Informative)
I'm pretty sure you can't control user-side GPOs or IE settings from an HTML header.
Re: How hard will this break Corp Intranet apps? (Score:3)
Very. It's why they're including Internet Explorer as a separate application. Edge isn't intended to run IE-specific applications.
Re: (Score:2, Insightful)
Very. It's why they're including Internet Explorer as a separate application. Edge isn't intended to run IE-specific applications.
I'd say it's pretty clear that the only real thing Microsoft is confident in, is that users will actually USE the Edge solution.
That's a cute assumption you've got there. Good luck with that.
Re: (Score:3, Funny)
At least we won't have to retrain all the users! "Yeah, yeah, just click on the 'E' to go to the Internet. What? It looks a little different this year? Oh, that's because Al Gore changed the icon in his latest patch. Don't worry about it."
Re: (Score:1, Troll)
I really look forward to rewriting the 30-40 corporate .NET apps (That only ever worked in IE).
Yeah...IIIIII Love it!
You stupid Fuckers, Microsoft.
Re:How hard will this break Corp Intranet apps? (Score:5, Insightful)
Why were you stupid enough to write apps that only ever worked in IE to begin with?
Don't blame microsoft for your stupidity. We have enough to blame Microsoft for that is legitimately their fault.
Re:How hard will this break Corp Intranet apps? (Score:5, Informative)
Re: (Score:2, Informative)
I would even suggest that IE is just a minority of browsers surfing the net these days. Every time I use IE, I wonder how anyone considers it useful. Just yesterday, I saw a very interesting rendering bug in IE (I have to use it for testing) on a website. Apart from being slow and clumsy, it is still that buggy.
Re: (Score:3)
IE is still my favorite browser - I like its UI. It's all subjective.
Not sure where you'd get an overall picture of "browsers surfing", but the stats I've seen have IE at just over half (all versions combined), followed by Chrome, with FF just hanging onto a respectable share.
Browser stats: IE performs mostly poorly in 2015 (Score:2)
There's a good Wikipedia page that breaks down the usage shares of web browsers, along with addressing the difficulties and complications of getting accurate data on this. https://en.wikipedia.org/wiki/... [wikipedia.org] is the page. From there you can see that the best IE can get is in some of the stats and only when counting purely desktop browsing. Net Applications has IE at nearly 58%. Yet, almost every other measure finds them woefully behind. For example, visits to Wikipedia in March 2015 have IE at less than 11%. S
Re:How hard will this break Corp Intranet apps? (Score:4, Informative)
Some of us have to write .net in the environment provided and using the rules provided. In the case of my major defense company employer, that is VS/SQLServer/.NET/IE only.
Re: (Score:1)
If you really know HTML/Javascript for your client side code, it will work in other browsers anyway. It's only bad coding that works in IE only. If you used ActiveX client side, that's a security problem that I would think a major defense company would have already eliminated.
Re: (Score:2)
It's code generated by the tools I was provided and mandated to use.
Re: (Score:2)
Going back to the parent post, it's still a bad plan. That just means it wasn't your bad plan.
Unfortunately (Score:2)
I know many places that only wrote IE code because it was simple to plug in other MS data. I have never agreed with this mentality, but it's not always a question of developers choosing to do so. Upper management forced it to increase profits.
The simple fact is that MS sold itself to the devil attempting to monopolize the market. The whole point of IE has been to make it so easy to access other MS data that nobody could compete, no matter the security implications (anyone else remember active installer?)
Re: (Score:1)
Then they can pay you more to update them as well. So it really shouldn't fucking matter you little whiner.
Re:How hard will this break Corp Intranet apps? (Score:4, Informative)
Write against a vendor locked-in API, get vendor locked-in.
Re: (Score:2, Flamebait)
Serves you right for deliberately making incompatible apps. .NET existed.
The world has known about the evil of IE-only apps well before
Re: (Score:1)
I have passed on your comments to my several levels of managers and the several teams of software architects/DBA/Quality people in my 100 billion plus market cap company.
Re: (Score:2)
I have passed on your comments to my several levels of managers and the several teams of software architects/DBA/Quality people in my 100 billion plus market cap company.
The appeal to authority and the appeal to popularity in the same comment! You could have been more fallacious, but you would have had to work at it.
Re: (Score:1)
It is an acknowledgement of the authority that pays me and provides the tools and environment I have to code in.
Some of us actually have jobs, managers, etc.
Re: (Score:3)
In an earlier post, you blamed Microsoft, with your comment "You stupid Fuckers, Microsoft", for the headache they've caused you with their ecosystem. Your blame is misplaced, though. It is the fault of your authorities, who selected that ecosystem, and yourself, for agreeing to use that ecosystem. It's common knowledge that when you give control over your platform to another company, you accept the risk that the platform no longer suits your needs in the future.
Your options are to accept the change and rew
Re: (Score:2)
You are right. I should have told my managers they are idiots and that the last 10 years of efforts by hundreds of employees is shit and should be abandoned.
What world do you live in?
Re: (Score:2)
One where you express your concerns tactfully, then when your superiors make a decision you either accept it and adapt or don't accept it and find new superiors. In both cases, you take responsibility for the choice *you* made.
Either you agreed with them it was the right thing to do, in which case you don't blame Microsoft for changing their platform that you signed up to use, or you disagree with them and find a job that does things differently.
I'm not saying you made the wrong choice here. I'm saying tha
Re: (Score:1)
What in the actual hell is wrong with your dev team that they so incompetently bypassed all of the browsercaps stuff built into ASP.NET? I've been a .NET developer for close to 10 years, and I've never had to even think about which browser needed to access any web applications I've made. They've all worked OOTB with every major browser. (The only exception I can remember was that the very early versions of the AJAX extensions had some issues with Safari. But that was, at the time, an optional external libra
Re: (Score:2)
Wait, you wrote stuff for .NET and you can't port it to other platforms?
Have you ever heard of design paradigms?
Re: (Score:2)
It's server-side code anyway. The client side should only ever be receiving HTML/Javascript. And if your HTML/Javascript is so bad that it only worked in one browser (worst of all IE-only), there's no hope for you.
Re: (Score:2, Informative)
Have you ever heard of a company that has specified tools, legacy tools, requirements that are given to you and that you must adhere to? I have, I work for one. They have tons of code and intranet sites written specifically for how IE works.
Re: (Score:2)
Sounds like management backed the wrong donkey.
Fixed your post.
Re: (Score:2)
I'm beginning to think not many of you have worked in a very large defense company where code is audited and certified.
Tools, code snippets, etc are written, tested, undergo a security audit and then certified for use. If MS changes the way something works, Single Sign on for instance, then that code has to be retested and re-certified. There are no Cowboys here and every last change is backed with paperwork and multiple signatures.
We have an infrastructure built up over years that is tightly integrated wi
Re: (Score:2)
There is nothing in .NET that requires you to write bad code that only works in IE. NONE AT ALL.
Re: (Score:3)
Don't worry, a few days after release we will find that all the old crap can be turned on with registry tweak. Microsoft never writes new programs. They are just polishing a turd as usual.
Either way, I have seen so many low-power, corporate users switch to Chrome in the last couple years that I doubt Edge will get the market share typically enjoyed by IE. After all, it was the masses not willing to be early adopters of Firefox, Chrome, or Opera that kept IE in the forefront. Once legacy business apps that require IE (probably 8/9 with a smattering of 7 and 10) disappear or are converted, Edge will just be another browser. And "IE" usage stats won't prop it up because as a browser it will nec
Re: (Score:2)
I'm more than willing to try Edge. My barebones, current version, no-plugin version of Chrome has been slowing to a crawl lately. So much so that I've considered making IE or Firefox my go-to browser again (all of them are installed --- typical dev)......and IE has a slight lead because Firefox has always been so bloated.
The first edition (Score:1)
of ANYTHING should be assumed to be insecure.
That's a whole lotta new code that nobody with a less-than-white hat on has had a crack at.
Don't get me wrong - I'm glad they're using more practices that are in line with best security practices for browsers, and are removing some obvious attack vectors by sandboxing off code execution. But you'd be foolish to assume that they've got everything right the first time.
Re: (Score:2)
Any modern browser is good enough IF their UI is usable. What makes I.E. and perhaps Edge last in line is the pathetic amount of add-ons and plug-ins. Last time I looked there was less than 10. The other unmentionable is the UI. The clean look trades off functionality. Why bury common functions? What's the point?
Re:The first edition (Score:5, Informative)
Except it's really effectively Trident 8.0 / IE 12. Only, they forked it and removed all the legacy support from it, then left a copy of Trident 7.0 / IE 11 around in case you need legacy support still. So it's not really the first version of anything, and it's not like it's completely from-scratch code.
Re: (Score:2)
So you're saying that they ripped out all the legacy shit that old IE-only apps (and malware) relied upon, and now they're blowing the trumpets about how secure they are?
I guess I'd be impressed if they got to a reasonable level of security without breaking every legacy app that they convinced people to write against their leaky web APIs.
Re: (Score:2)
If you write to HTML5/CSS3 standards, any web app written in the last few years can easily target IE9+ and work on Firefox/Chrome/Edge with no issues. It's only people who rely on huge bloated frameworks to provide backwards compatibility with IE6 that have issues with their stuff suddenly not working on IE10 or IE11.
Basically, right now, everybody needs to drop IE8 support, and you can pretty much stop using jQuery and modernizer and all that other cruft. If you drop IE9 support (which is really only Vista
Talk the talk, but doesn't walk the walk... (Score:5, Interesting)
Remember when Microsoft declared the buffer overflow bugs were eliminated from Windows XP [theregister.co.uk]?
Re:Talk the talk, but doesn't walk the walk... (Score:5, Insightful)
The problem is that new code is just that ... new and untested.
So you build something new from scratch and say "wow, we did awesome at teh security". Well, OK, now you release it into the wild and wait for people to abuse it -- that's when you find out how well you've done.
Any new code is going to have the problem, because it hasn't been field tested or through several iterations.
It's all well and good for Microsoft to say "nailed it". That doesn't make it true. So I think it's probably safe to assume that unless Microsoft has done something remarkable, there's probably a bunch of places where they haven't fully locked it down.
Re: (Score:2)
...It's all well and good for Microsoft to say "nailed it". That doesn't make it true....
Bingo!
And that's why I provided substantiation to show that Microsoft is often over-confident when it comes to such pronouncements.
Re: (Score:1)
So you reference an article that's ten years old?
Not for nothing, and while there are plenty of ways to have insecurity in an OS... I think Microsoft's history especially as of late has been pretty good on that front. IE11 is a bastardized product and while I like the rendering engine because of how smooth it is and low memory, the browser is useless for me. If Edge can maintain that memory footprint, the smoothness, and add better HTML5 compatibility + extensions... I will give it a shot.
Re: (Score:2)
So you reference an article that's ten years old?...
Yes. The article's true. An oldie but a goodie.
Given all the recent problems with Windows Update, and that Microsoft wants to use home users as beta test sites for future Windows Updates, I would think the 10 year old article is pretty close to reality nowadays.
Re: (Score:2)
Linux and Apple also used to talk about how secure they were......until they weren't. The only secure computer is one that's never been turned on.
Secure? (Score:5, Informative)
They support WebGL, which is going to be the next attack vector, as well as continuing to support Flash with sandboxing that the hackers will tear to shreds in short order.
This is project proposal V 1.0. (Score:4, Insightful)
A great news to many is that old unsecure plugin interfaces are not supported at all: VML, VBScript, Toolbars, BHOs, and ActiveX are all nuked from the orbit
This looks like what the dev team presented to the upper management about what it wants to do. It will undergo several iterations. Some powerful customer will demand some interface to be supported or else... Some managers will insist on some form of backward compatibility mode. Some bing! advertisement people would ask for "special" interfaces to their team to let them "leverage" & "synergy" and other buzzword bingo stuff. There will be compromises. Some managers will insist with straight face, "yes, yes, this scripting interface is supported, but we say very clearly in the documentation it is not to be used for fresh code and it is to be used only for backward compatibility reasons, so it is not a security threat".
Finally they will be wondering why security was compromised, and blame it on the open source zealots and prejudice among the uninformed and marketing by competitors and assure themselves "it is not our fault, we did not do anything wrong".
Re:This is project proposal V 1.0. (Score:5, Informative)
Some powerful customer will demand some interface to be supported or else
No, they're shipping IE11 with enterprise compatibility mode to support back to IE8 quirks which will be fine for 99+% of their customers for legacy apps. Trust me, most of their customers are going to be happy to have a standards compliant browser as the default, the only trick will be in the mechanism to kick user over when they try to go to a corporate site that needs classic IE within Edge and keeping that mechanism from being abused by the bad guys.
Possibilities (Score:5, Interesting)
But as a long time hater of Redmond products, am I sensing some sort of sea change?
It's just within the realm of possibilities that the Ballmer days of "When I want your opinion, I'll tell you what it is," are over? In more than just name?
I intend to give them a chance here, maybe it's the same old Microsoft. Maybe not.
Re: (Score:2)
It's just within the realm of possibilities that the Ballmer days of "When I want your opinion, I'll tell you what it is," are over? In more than just name?
I'm not sure about that, they had a good start menu implementation early in the Windows 10 tech preview and managed to mess it up and haven't listened to anyone who has told them that the new shrunken start screen alternative in the newer builds is crap so I don't think that part has changed that much. There are other positive changes happening at MS,
Re: (Score:2, Insightful)
I intend to give them a chance here, maybe it's the same old Microsoft. Maybe not.
At best, Microsoft is a corporation, whose entire purpose is to make money. What sort of chance is worth giving them?
Re: (Score:2)
At best, Microsoft is a corporation, whose entire purpose is to make money. What sort of chance is worth giving them?
There's always the chance that they will, to the same extent as other software companies, deliver what they promise.
I know, I know, I can't stop laughing either.
Re: (Score:2)
I would say that 'good business' is when you make a transaction and both parties walk away satisfied. It's not easy but I think it is possible for a corporation to be run that way.
Re: (Score:1)
A corporation is a corporation is a corporation. The CEO is just the face of it. Yeah, it's kinda nice not having SB in our faces, but other than that, MS still wants to lock in as many customer and developer bases as it can. So do all of its major competitors, including the open source ones.
Key term: "make sure that users consider it" (Score:1)
So, are they admitting that their interest is not in making a secure browser, but one that the users consider to be secure? With that attitude, failure is not an option, it is a certainty.
Everybody says that. (Score:1)
Big deal. When was the last time you heard a company say they *didn't* have confidence in the security of their product? It's like parents saying their kids are beautiful, even if said offspring has a face like a stepped-on cowpatty.
Re: BHO? (Score:3)
Re: (Score:1)
Barack Hussein Obama
Re: (Score:1)
Browser helper object, basically a COM extension of the browser.
Re: (Score:1)
In context, it's a Browser Helper Object. (Bullshit toolbars, generally.)
If you google it, you're most likely going to find a republican ranting about Barack Hussein Obama.
Either way, "BHO" is never a good term to read about. You're either going to hate the world for spam or for politics.
Google Chrome Frame (Score:2)
In context, it's a Browser Helper Object. (Bullshit toolbars, generally.)
#NotAllToolbars are bullcrap. For a while, Google was making Chrome Frame, a BHO for Internet Explorer. If a copy of IE had Chrome Frame installed, a page could opt in to being rendered with Chrome instead of Trident. This was helpful when most IE users were stuck on IE pre-9.
Re: (Score:2)
Except if you had enough rights to install Chrome Frame, you could just use Chrome as your main browser and use the IE Tab extension in Chrome for those few pages that need IE.
Re: (Score:2)
I'm guessing that Google Chrome Frame was designed for Group Policy deployment with the converse of the behavior you describe: use IE by default, including for intranet sites, and use Chrome for sites that request it.
the obvious solution (Score:1)
A blacklist of sites distributing this crap exists (Score:2)
Here's the solution that nobody apparently has the balls to implement. Have a blacklist of common malicious adware plugins then block them all.
I know someone who makes a blacklist of the sites from which these "common malicious adware plugins" are served. He distributes this blacklist as a configuration file that your computer administrator can place in the etc folder. Once the file is installed, your machine will try to access 0.0.0.0 instead of the malware distribution site, which causes the malware to not get downloaded.
Learn more about blacklisting malware sites [pineight.com]
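The hosts-file mechanism described in the comment above, as an added example that is not part of the original post or of the linked blacklist: it parses hosts-format text, answers lookups the way a hosts file does (exact name match only, so subdomains are not covered), and flags entries that point somewhere other than the sinkhole. The sample data and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in hosts-file format; every name and address is made up.
SAMPLE_HOSTS = """\
# blocklist section
0.0.0.0 ads.example.net tracker.example.net   # two names on one line
0.0.0.0 Malware-CDN.example.org
127.0.0.1 localhost
0.0.0.0 ads.example.net                       # duplicate entry
203.0.113.7 login.example.com                 # not a sinkhole: worth a look
not-an-ip broken.example.net
"""


def normalize(name):
    """Hostnames are case-insensitive; drop a trailing root dot."""
    return name.lower().rstrip(".")


def parse_hosts(text):
    """Return (entries, problems).

    entries maps hostname -> address string; the first occurrence wins.
    problems is a list of (line number, kind, value) for lines to review.
    """
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append((lineno, "bad address", addr))
            continue
        if not names:
            problems.append((lineno, "no hostname", addr))
            continue
        for name in names:
            key = normalize(name)
            if key in entries:
                problems.append((lineno, "duplicate", key))
            else:
                entries[key] = addr
    return entries, problems


def is_blocked(entries, hostname):
    """True only if this exact name maps to the unspecified address
    (0.0.0.0 or ::). A hosts file has no wildcards, so a subdomain of a
    listed name is NOT blocked unless it is listed itself."""
    addr = entries.get(normalize(hostname))
    return addr is not None and ipaddress.ip_address(addr).is_unspecified


def suspicious_redirects(entries):
    """Names mapped to a routable address instead of a sinkhole or loopback.
    In a file that is meant to be a pure blocklist these deserve review,
    because the same mechanism can silently repoint a legitimate name."""
    flagged = []
    for name, addr in entries.items():
        ip = ipaddress.ip_address(addr)
        if not (ip.is_unspecified or ip.is_loopback):
            flagged.append((name, addr))
    return sorted(flagged)


if __name__ == "__main__":
    entries, problems = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example.net", "cdn.ads.example.net", "localhost"):
        print(host, "blocked" if is_blocked(entries, host) else "not blocked")
    print("review:", suspicious_redirects(entries))
    print("problems:", problems)
```
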
Re: (Score:1)
Looky here. Hosts file mods are ok, but when it becomes too unwieldy it slows the crap out of any browser and blocks sites you really want to see. Blocking 3rd party sites sometimes makes the parent page not work.
So far ad block is the only solution and setting that up on IE is a pain and quite flaky so unless Edge has something familiar, I can't and won't use it.
The other recommendation is to get all flash requests to ask before running. Saves bandwidth and autorun video and other stuff and makes pages lo
What Does Edge Have to Offer? (Score:2)
Lame name (Score:2)
It was cooler when it was project Spartan
Re: (Score:2)
They did better than I expected. I thought they'd repeat what they did with their word processor and call it "Browser".
I'm taking bets. (Score:3)
I'm taking bets that the first exploit of the Edge browser will be called "Bleeding Edge"
Schneier's Law (Score:2)
Here is the problem... If you only allow a few thousand people to look at your source code, and fully test your product, then you only have to design security clever enough to evade the efforts of a thousand people.
In order for something to be secure, it needs to be widely published, and universally assaulted.
Mixed signals (Score:2)
Is it really IE 12 or not? (Score:2)
Did rebranding IE12 into "Edge" include the browser identification string? Are there any signs the app is still essentially a new version of IE?
I doubt they started completely from scratch and with different staff than IE 11...
A new app name doesn't make this any different than 11 was from 10... so is it really more significant? Or is this just merely a rebranding from the trusted MS marketing department?
Re: (Score:2)
As far as I know, it is IE 12 (Trident 8.0), but they consider it a fork, which means technically you can have different features and support in Edge 1.0 and a future hypothetical actual IE 12. Mostly what they did was *remove* all kinds of backwards compatibility stuff from Edge, so that you can't trigger IE10/9/8/7/5 (yes, 6 was not a choice) rendering modes anymore. You can't use VBScript, ActiveX, and all kinds of other non-standard stuff. IE10+ is already a pretty decent modern browser, very much on pa
Ad blockers? (Score:1)
A great news to many is that old unsecure plugin interfaces are not supported at all: VML, VBScript, Toolbars, BHOs, and ActiveX are all nuked from the orbit.
I take it this also eliminates any existing ad blockers? Is there an alternative plugin mechanism that would allow for new ad blockers?
We know we got it wrong before, but... (Score:1)
We know we got security all wrong before, but trust us, we're much better now. We've learned from our mistakes and have closed all possible security holes.
Oh, and we're also going to be standards-compliant so developers can drop all of the old Microsoft-specific CSS and JS coding.
7 Days (Score:2)
Nuked from *THE* orbit? (Score:2)
Doesn't anyone watch classic movies anymore? And they said that line TWICE.
Awww, c'mon guys - I know that we hate MS here... (Score:2)
...but isn't this the equivalent of going over to a bunch of kids on the playground and saying "That new kid over there said he could beat up each and every one of you! With one hand tied behind his back!"
What I'm wondering is: who paid to have this on /.'s front page so that armies of geekdom are mobilized to find all the new, Edgy exploits?
Security in the Browser? (Score:1)
Of course it's secure! (Score:2)
Nobody is using it yet!
Why didn't they do this with IE? (Score:1)