New Internet Explorer 8 secures, slices, smokes
As suspected, Microsoft used this week's MIX09 conference to unleash Internet Explorer 8, downloadable as of noon today (EDT). Our initial tests on the final release indicate that Microsoft's promises of better performance and security are realized, and that the team goal of creating "a better way to waste time on the Internet" has been realized too -- in the good sense.
But serious matters first, and both speed and security are seriously better in IE8. Betanews has executed its own speed tests during the beta period, and our tests indicated that it was at least twice as fast as the previous version; Microsoft's own tests on the RTW (release-to-web) version claim it to be between two and four times as fast.
Security's looking good. IE senior director Amy Barzdukas told Betanews that the development team had three goals for the 8.0 version -- protecting people from sites that attempt to phish their information or infest their machines with malware, protecting users from themselves (that is, from the tendency to ignore confusing warnings or to use less than good sense when clicking a savory link), and extending security "beyond the browser" to compromised servers.
The most significant effort involves expanding IE's detection efforts past its current ability to identify phishing sites. The browser can now also flag suspected or known malware sites, or sites attempting to infect visitors with malware. The need for SmartScreen is great; during development, Barzdukas says, Microsoft found that infectious sites outnumbered phishing sites by a charming 10:1.
In our tests, the detection was effective, correctly jumping on sites we knew to be infected with various bits of feral code. The warning we received, designed to support that second goal of protecting users from themselves, was perhaps even more effective than a harried tester would have liked -- if the browser sees that you're headed for a site already known to be problematic, it throws up a bright-red page warning you to turn back to your home page or inviting you to get more information. What you can't do is easily go anywhere else; there's no "OK" button to click. That design choice may have been a bit unnerving for a reviewer, but I'm personally planning to install the browser on my mother's machine for that feature alone. I also liked the simple visual indicator in the address bar that bolds the actual domain to which the URL points; a feature designed to give a visual cue that, say, "yourbank.com.evildudes.com" might not be the safest URL for checking your account balance.
Security isn't just about keeping users away from the bad stuff, of course; you've got to get out of their way so they can smoothly reach the good stuff. In the case of cross-site scripting attacks, a page might contain a mix of legitimate and malicious code. For those pages, IE8 is designed to detect and block the malicious code while allowing users to access the legit material. Betanews were unable to test this feature in the amount of time available to us.
The browser's also working on that third goal -- security "beyond the browser" -- while all this is happening. If an infection is detected, the browser passes the information back to Microsoft, which in turn can notify infected sites that they have a problem. We've seen this before over at Google, but considering the market share IE holds, this could be a big help in the fight to keep legit sites free of stealth infections.
Finally from the security front, the InPrivate functionality we saw during the beta process seems to have been refined. as before, it must be accessed from the menu, but once you're in it the mode operates in both browser modes (no persistence of session, no cookies) and in a filtering mode that examines what information might be gathered by third parties such as advertising networks that might have their code in some part of the page viewed. users can choose to block the sending of that information, or can choose which providers may receive it.
Much security thought has been given to how to keep malevolent code from wreaking havoc on the system at large, and a great deal of thinking both inside and outside Microsoft has focused on keeping processes separate -- sandboxing, as some call it. IE8 improves tab isolation and recovery capabilities; when one of the buggiest pages we tested with ran amok, it only knocked out its own tab rather than sinking the entire browser or the OS at large. Further experimentation is needed, but we liked what we saw there.
Next: The more visible tweaks in IE8, including Slices and Accelerators...