Get the details on Internet Explorer 7's security improvements
by Deb Shinder
Translated by: Endurer
Tags: Security | Internet Explorer (IE) | Web browsers
English source: http://articles.techrepublic.com.com/5100-10877_11-6128517.html?tag=nl.e101
(Continued from the previous part)
Better SSL/TLS notification
It's now easier for users to determine whether the transactions they engage in over a Web site (such as Internet banking or using a credit card to purchase goods from an online merchant) are secured by Secure Sockets Layer (SSL) or Transport Layer Security (TLS). These are protocols used by Web sites for authenticating the Web server and encrypting the information that's sent over the Internet.
[Endurer's note: 1. engage in: to engage in (take part in)]
IE 7 displays an icon to the right of the address bar when you access an HTTPS page. You can click it to view a report on the digital certificate used to encrypt the connection, along with information about the certificate and its issuer, as shown in Figure C. In previous versions of the browser, the SSL icon appeared at the bottom of the browser window and was small and easy to overlook.
Figure C
The new, more prominent SSL/TLS icon makes it easier for users to determine whether a Web site is secure.
Additional security enhancements
Along with the major security improvements discussed above, a number of smaller changes were made to help make the browsing experience more secure. These include:
IE 7 uses a color coding scheme to identify Web sites that have gone through an identity verification process. These sites, which have obtained high assurance certificates, cause the address bar to change to green.
[Endurer's note: 1. go through: to pass through]
Three new registry keys, called Feature Control keys, keep HTML (both Internet and intranet) from getting a user's personal information. By default, IE 7 is configured to opt in to this security feature. Access to cached objects is blocked when browsing within the same domain, as well as browsing across domains.
[Endurer's note: 1. keep from (keep you from): to prevent or hinder (you)
2. opt in: to decide to take part]
You can more easily protect your privacy, especially on shared or public computers, by deleting your Web browsing history files, cached pages and objects (Temporary Internet Files), passwords IE has remembered, cookies, and data you've entered into forms, all from one simple interface (and all with a single button click if desired), as shown in Figure D.
Figure D
You can cover your tracks with just one click to protect the privacy of your browsing history.
In the past, popups could open new windows that didn't contain an address bar. This made it easier to trick users into thinking a malicious site was legitimate if it was designed to emulate a Web site you'd normally trust. In IE 7, all windows contain address bars so you can see the URL of the site.
[Endurer's note: 1. trick sb. into doing: to deceive someone into doing something]
Security threats often sneak in the back door via browser add-ons and plug-ins. If you're concerned about this, you have the option to run IE 7 in "no add-ons" mode. This also allows you to fix problems caused by malware that renders the browser unable to open. Previously, if a browser extension was causing IE to crash and you didn't have an alternative browser installed, you couldn't get to the Web to download information or programs to help you fix the problem.
[Endurer's note: 1. sneak in: to appear gradually; to fade in
2. concern about: care or worry about ...]
Some clever attackers have created URLs that use international characters to spoof legitimate Web sites. That is, the domain name might contain characters in another language that resemble the English characters making up a different domain. This type of domain spoofing is prevented in IE 7 because the browser lets you know that the characters are in a different language.
[Endurer's note: 1. internal character: inner character (personality)]
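The spoofing technique described above relies on a hostname label that mixes look-alike letters from different scripts. The following is an added example, not code from the article or from IE 7, and is a simplified check rather than the browser's actual policy: it flags labels that combine Latin with Cyrillic or Greek letters and shows the hostname's ASCII (Punycode) form. The function names, script list and sample hostnames are assumptions made for the illustration.

```javascript
// Added illustration (not IE 7 code): flag hostname labels that mix scripts.
// The script list and the sample hostnames are constructed for this example.
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Names of the scripts whose letters appear in one hostname label.
function scriptsIn(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of Object.entries(SCRIPTS)) {
      if (re.test(ch)) found.add(name);
    }
  }
  return [...found].sort();
}

// ASCII (Punycode, "xn--") form of a hostname, or null if it does not parse.
function toPunycode(host) {
  try {
    return new URL('http://' + host).hostname;
  } catch {
    return null;
  }
}

// Classify a hostname as 'ascii', 'idn' (non-ASCII, one script per label)
// or 'mixed-script' (at least one label combines scripts).
function inspectHost(host) {
  const labels = host.toLowerCase().split('.');
  const mixedLabels = labels.filter((l) => scriptsIn(l).length > 1);
  const nonAscii = /[^\x00-\x7f]/.test(host);
  const verdict = mixedLabels.length ? 'mixed-script' : nonAscii ? 'idn' : 'ascii';
  return { host, ascii: toPunycode(host), verdict, mixedLabels };
}

// Constructed samples: \u0430 is CYRILLIC SMALL LETTER A, a Latin "a" lookalike.
const SAMPLES = ['www.example.com', 'www.ex\u0430mple.com', '\u043f\u0440\u0438\u043c\u0435\u0440.com'];
for (const host of SAMPLES) {
  const r = inspectHost(host);
  console.log(`${r.verdict.padEnd(12)} ${r.ascii}  mixed=${JSON.stringify(r.mixedLabels)}`);
}
```

A label written entirely in one non-Latin script is reported as 'idn' rather than 'mixed-script', so a mixed-script test alone does not cover every look-alike name; showing the Punycode form remains the fallback.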
Glossary
ActiveX: A technology developed by Microsoft that is an outgrowth of Object Linking and Embedding (OLE) and Component Object Model (COM), which allows Web developers to make Web pages interactive and provide the same types of functions as Java applets.
User Account Control (UAC): A security technology in Windows Vista that reduces exposure to attacks by running in nonadministrative mode, even when logged on with an administrative account, unless and until administrative privileges are required to perform a task. Users must give explicit permission to elevate to administrative mode and enter administrative credentials.
[Endurer's note: 1. reduce to: to lower to]
Phishing: A type of technology-based social engineering ploy in which computer users are directed, usually via e-mail, to a Web site that purports to be that of a bank, loan company, credit card company, e-commerce merchant, governmental agency, or other site that requires users to enter confidential information, such as account passwords, account numbers, social security numbers, and other personal data that is collected and used for identity theft.
Scripting: Use of a simplified programming language (called a scripting language) to create a set of instructions for a Web page.
Security zones: A technique used in Internet Explorer to allow you to assign different levels of security to different sets of Web sites depending on where they're located or how much you trust them. For example, if you consider a site to be untrustworthy, you can place it in the Restricted zone; if you know it's safe, you can place it in the Trusted zone. Sites on the Internet will, by default, have tighter security imposed than those on an intranet.
SSL/TLS: Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL), which was originally developed by Netscape to make e-commerce transactions over the Internet safer. It uses public key (asymmetric) encryption and digital certificates to assure users that the Web servers with which they're doing business have had their identity verified (authentication), and symmetric encryption, such as DES/3DES or AES, to encrypt traffic.