Windows 98 Professional Reference -- Ch 30 -- Internet Security


Windows 98 Professional Reference



- 30 -
Internet Security



This chapter identifies the most significant security concerns that you should be aware of as you access the Internet from Windows 98. In addition to knowing how to identify these threats, you also need to learn ways to minimize or eliminate them.

Among other things, this chapter examines the following topics:

The Problem of Internet Security

Security concerns often prevent users from fully exploiting the Internet's vast resources. Although these security risks are real, they are often not as threatening as people believe. With the proper understanding of the risks and the proper configuration of your system, you can minimize and often eliminate these risks.

As a practical matter, the likelihood that a user would encounter problems in any of these areas when dealing with a trusted web site is rather small. Due to the use of encryption by web sites and browsers that support it, using your credit card to buy something over the Internet is at least as safe as, if not safer than, giving someone your credit card number over the phone or in person. However, you have to use common sense anytime you give out such information, whether it be over the Internet or in your nearby restaurant.

In 1996 and 1997, there were an increasing number of incidents where someone would find a new hole in the security of Internet Explorer. Some of these holes were rather insignificant, but others had a greater possibility of actually opening up your computer to malicious activity. This led Microsoft to post several updates to Internet Explorer that fixed these problems as they became known. Several critics maintained that, due to its support for ActiveX controls and its closer link to the operating system, Internet Explorer contained inherent security problems that could not be solved without substantial changes. It was against this background that Microsoft continued its efforts to make one of the most secure and most versatile web browsers available. Although no browser can ever be 100 percent effective against all forms of security risks, Microsoft's efforts to address these security issues led to the new features found in Windows 98 and Internet Explorer 4.0.

Internet Explorer 4.0 includes a number of security advancements, such as support for Secure Sockets Layer 3.0, Transport Layer Security (a new secure channel protocol), CryptoAPI (a way to handle elements such as encryption, decryption, and digital signatures through the use of a standard application programming interface), and Microsoft Wallet. However, some of the most innovative and helpful security advances relate to the ability to assign different levels of trust to web sites, ActiveX controls, Java applets, and other web content, and these are some of the topics in this chapter.

Possible Threats (Ways to Break In)

When it comes to security on the Internet, there are two real types of security situations:

This section alerts you to the most likely ways in which someone else could cause problems on your computer; the section "Setting Up Internet Security" later in the chapter provides the details on protecting yourself from each type of vulnerability. Although Windows 98 is configured by default to protect you against many of these security risks, you need to fully understand them to effectively protect yourself against such security breaches.

File and Printer Sharing

One of the most obvious and problematic ways to open up your computer to possible security problems is to enable file and printer sharing. If you open the Control Panel and double-click the Network icon, the next window contains networking information, such as the various network protocols that are installed on your system, as well as a button for File and Print Sharing. If you click this button, a smaller window enables you to share your files and printer with other people, as shown in Figure 30.1.

Figure 30.1

If you permit file sharing on your computer, you could unknowingly allow other people to access your system while you are connected to the Internet.

Normally you would select either of these options only if you were connected to a local or wide area network where you wanted to share these things with other users on that closed network. However, by enabling these options, you open up the possibility that other users on the Internet may be able to access your computer as well. Although the possibility of this happening is probably remote at best if you use a dial-up connection, you should strongly consider disabling this feature in the TCP/IP settings for your dial-up adapter, particularly if you often remain connected to the Internet for very long periods of time. Similarly, if you have a direct connection to the Internet, such as on a local area network, you should probably not enable this capability unless you also use a firewall to prevent users outside of the network from accessing your computer.


NOTE: A firewall is a system designed to prevent unauthorized access to or from a network. Firewalls can be implemented as software or hardware and frequently are used as both. All messages passing to or from the network must go through the firewall. The firewall examines every message and blocks any that do not match specified criteria. These criteria can take several forms, allowing the blocking of messages to or from certain IP addresses and/or messages of a certain type or from a certain application.
Firewalls can be useful in several situations. First, they can prevent unauthorized access by users on the Internet to a local network. Second, firewalls can prevent certain types of access by users on the local network to the Internet; for example, you can use firewalls to discourage employees from browsing certain web sites or newsgroups.


Windows 98 alerts you if you attempt to enable file sharing on the same TCP/IP connection that you use to connect to the Internet, such as over a dial-up adapter. Microsoft highly recommends that you disable file sharing on the connection used for the Internet. For additional information on enabling file sharing on your computer while still protecting yourself from Internet-based attacks, see the section "Setting Up Internet Security," later in the chapter.

ActiveX Controls

ActiveX controls are programming components that can be added to a web page to give it functionality previously available only in stand-alone Windows applications. You can use ActiveX controls for thousands of applications, such as easily providing database access within a web page or providing a viewer for streaming video and other content. Most ActiveX controls can be used either within a browser that supports such controls, such as Internet Explorer, or in a software application. Although a large variety of different ActiveX controls can be purchased or, in some cases, downloaded for free from software vendors such as Microsoft, you can also use languages such as Visual Basic and C++ to create your own ActiveX controls.

One of the greatest advantages of ActiveX controls is that they can interact directly with the Windows operating system; for example, ActiveX controls can make Application Programming Interface (API) calls and perform other system-level functions. Although this functionality makes it a lot easier to create applications that run on the Internet, it also creates a large security hole. An ActiveX control can be designed to shut down your computer, erase your hard drive, and perform just about any other task that can be done with other Windows programs. As such, ActiveX controls can be much more dangerous than computer viruses and other such problems that you may have tried to protect yourself against in the past. Thus you should exercise a degree of caution in allowing the use of ActiveX controls on your system.

The main way to protect yourself against malicious ActiveX controls is to monitor which controls you allow to be installed and executed on your computer. You can restrict the use of ActiveX controls by using the security zone settings provided through Internet Explorer 4.0 and discussed fully in the section "Security Zones." The Windows 98 Authenticode 2.0 technology, also discussed later in the chapter, can determine whether the control has been signed. Then you can decide whether to use the control based on the information supplied by that signature. In the end, unless you elect to block all ActiveX controls, you will need to exercise some common discretion before allowing controls to be installed on your computer. Thus, although you might allow controls signed by Microsoft to be installed, you should be wary about allowing the use of controls on sites that you do not fully trust. This vigilance offers virtually the same level of protection that you would obtain from a retail software product. You can elect to enable ActiveX controls only from companies or services that you trust.

Java Applets

An important change in Java support in Internet Explorer 4.0 is the capability of Java applets to work outside the "sandbox." Originally designed to address security concerns about Java applets, the sandbox model ensures that Java applets downloaded to a browser over a network (including the Internet) can work only within the browser itself and cannot access the disk drives or other parts of the system. In Internet Explorer 4.0, users also have the option of allowing Java applets to work outside the sandbox and have access to all parts of the computer, including the capability to write to the hard drive and access the operating system itself.

This feature opens security issues that are similar to concerns about ActiveX controls. To assure protection from malicious code, the capability of working outside the sandbox should be used only with the new security features in Internet Explorer 4.0. For more information on using Java applets with the related security options, see the "Security Zones" section of this chapter.

Active Scripting

A related area that presents security issues is Active Scripting. Just like ActiveX controls and Java applets, scripts are downloaded from web sites and executed within the browser. The two types of Active Scripting supported natively in Internet Explorer 4.0 are VBScript and JScript. Both of these are subsets of established programming languages.

VBScript is based on Microsoft's Visual Basic language that is used to develop software for Windows operating systems. Many of the advanced features in Visual Basic are also found in VBScript. Although you can't directly access the operating system in the same depth as with ActiveX controls, allowing the use of VBScript raises security concerns not found in straight HTML, because the script executes one or more procedures from within your browser.

Similarly, JScript, which is based on the Java language, also executes within the browser to perform tasks designated by the script. Although VBScript and JScript don't have the same degree of system-level contact available to ActiveX controls and Java applets, someone with malicious intent may be able to use these scripting languages to damage your system.

Just as with other programming elements, you can either limit or completely disable Active Scripting within Internet Explorer 4.0. These security precautions are discussed more fully in the section "Setting Up Internet Security."

Other Threats

In addition to the major security risks that might arise when you connect to the Internet, many other security risks are associated with the specific software in use on your computer. Some programs allow you to enable different, proprietary forms of file sharing and remote computer control over the Internet. The use of any such program would raise security concerns because it allows people to connect to your computer, and as such you need to exercise discretion in the degree and frequency with which you use this type of software. Similarly, some Internet Chat programs enable you to transfer files from your computer to other users on the Internet. Again, anytime you open a door to your computer, you create a possible means by which an unscrupulous user might attempt to copy or delete files from your computer without your knowledge and consent. Although any such software can have great uses and make your computer a better tool, you should always take extra precautions and make sure that you fully understand the related security mechanisms and risks before using such software.

Another potential security risk associated with the Internet involves sending personal data to a web server over an unsecured connection. Any time you visit a web site; fill out a form with your name, address, and other information; and press the Submit button, the data usually travels in an unsecured form across the Internet to its destination on the web server to which you are connected. As such it could be intercepted along the way. Interception is a particular concern regarding the transmission of credit card numbers and other sensitive data. Although in most cases it is unlikely that anyone would attempt to intercept this data, you should attempt to protect this information as much as possible by using secure web sites.

Secure web sites use encryption to set up a secure connection between your web browser and the web server to which you are connecting. Data is encrypted on your computer, sent over the Internet, and decrypted on the web server. This added security mechanism makes it nearly impossible for anyone to effectively intercept and misuse your sensitive information. For additional information about encryption and secure transactions on the Internet, see the sections "128-Bit Encryption" and "Secure Transactions" later in this chapter.

Setting Up Internet Security

Having examined the major security risks associated with browsing the Internet, this discussion now turns to methods and procedures that you can take to protect yourself from these risks. By properly configuring file and printer sharing, and through the effective use of the security zones included with Internet Explorer 4.0, you can enjoy safe browsing with little real risk. Features such as Certificate Management enable you to predetermine which software is trusted and can be installed without any intervention on your part.

Configuring File and Printer Sharing

As mentioned previously, the security risk in using file and printer sharing is relatively small if your connections to the Internet are for short periods and you use a dial-up connection. The risk is low in this environment because anyone trying to access your computer would need to know (1) how to locate your computer, such as by its IP address, and (2) that you were online at the time that he or she wanted to gain access. Most Internet Service Providers assign a different IP address to your computer each time that you connect, which makes it relatively difficult for someone to locate your IP address and attempt to connect to your computer. Further, unless you had just hit that person's web site (some sites log the IP addresses of all viewers) or unless you had given someone your IP address while you were online, such as exchanging information in a Chat session, most people would have a difficult time determining when you were online. Because few users could determine both your IP address and your online status, the likelihood of anyone connecting to your computer is relatively low.


NOTE: If you're online permanently, through a cable modem or a direct Internet connection, file and printer sharing poses a much more significant risk.


Note that if you want to enable file sharing (see Figure 30.2) over the TCP/IP protocol for some reason (for example, you use TCP/IP over your local network and you also use that same connection, as opposed to a modem, to connect to the Internet), you can further protect your computer from this type of attack by requiring passwords to access data and by making all access read-only. Merely enabling file sharing on your computer opens up few real security problems unless you actually select files, directories, or disk drives to share. This is done in the Windows Explorer. Right-click any of these and choose the Sharing option to open a window that allows you to set the level of access for other users.

Figure 30.2

If you decide to enable file sharing on your computer, be sure to use some form of additional protection such as requiring the use of a password to access the data.

By selecting the Shared As option, you can specify a password that a user has to know before he or she can access any shared data. The best option would be to make all access read-only and to require a password for that capability.

In most cases, however, the best solution to protect your files from access by other Internet users is to disable file and printer sharing for the TCP/IP protocol that is bound to your dial-up adapter. If you have configured your computer to access the Internet through a modem, you can disable file and print sharing for that dial-up adapter while retaining sharing on a separate TCP/IP connection to a local network through a network interface card. To do so, open the Control Panel and then double-click on the Network icon. The list of network components on the Configuration tab should include one that says TCP/IP->Dial-Up Adapter, as shown in Figure 30.3.

Figure 30.3

Through the Network component in the Control Panel, you can select the TCP/IP connection for which you wish to disable file and print sharing.

Select that network component by clicking on it; then click on the Properties button to display a Properties window containing information specific to that TCP/IP connection (see Figure 30.4). Before that second window opens, an informational dialog box may tell you that most TCP/IP changes should be made to the Dial-Up Networking connection information for your specific Internet Service Provider. However, you have to change your global TCP/IP Dial-Up Adapter settings to disable file and print sharing, so click on the OK button in this dialog box to proceed to the Properties sheet.

Figure 30.4

The TCP/IP Properties sheet for your Dial-Up Adapter contains the global settings that need to be changed to disable file and printer sharing for that connection.

In the TCP/IP Properties sheet, select the Bindings tab. Assuming that you have previously enabled file or print sharing as discussed earlier in this section, at least two selections should be available; one of these selections is File and Printer Sharing for Microsoft Networks. If this selection is enabled (if its check box is checked), then disable it by removing the check from the check box, as shown in Figure 30.4. Click the OK button to close this window and click the OK button on the Network window to enable these settings. You may be prompted to restart your computer, after which file and printer sharing is no longer enabled for that dial-up adapter. If you have multiple dial-up adapters, then you need to reconfigure each of them in this same manner.


NOTE: If you enable file and printer sharing on a computer that is also configured with a dial-up adapter, the next time you start that computer, Windows 98 should display a System Security Check warning about sharing files and printers over an Internet connection. It will then ask whether you want to disable sharing over the TCP/IP connection on your dial-up adapter, which Microsoft highly recommends. If you choose to disable it, then Windows 98 should automatically make the changes described for your dial-up adapter.


Protocol Isolation

If you are connected to both a local network and to the Internet, you may be able to use an option known as protocol isolation to increase security. Protocol isolation is the process of isolating different networks from one another by using separate protocols on them. For example, assume you have a computer that is connected to the Internet and to a local network. For the connection to the Internet, you must use the TCP/IP protocol. However, you can use a different protocol, such as IPX/SPX, to connect to your local network. This approach prevents anyone who gains access to your system through the Internet from going beyond that point to access the local network.

Security Zones

One way that Windows 98 and Internet Explorer 4.0 address ongoing security issues is with security zones. Every zone has a different level of security, and you can assign these zones to individual web sites, effectively allowing you to designate the security that should be applied to any site you visit. By default, all web sites belong in the Internet zone. This section starts by examining the zones and then explains how to add sites to other zones.

Types of Security Zones

Each security zone has its own security settings. This section looks at the default security settings, but you can also customize the settings for any zone. Internet Explorer 4.0 contains the following four zones:

These four security configurations can either be selected by the user or be designated by a system administrator using the Internet Explorer Administration Kit (IEAK). The administrator can use the IEAK to determine which levels of security to assign to each zone and to prevent the user from making any changes to those classifications. The administrator can also assign certain web sites to each zone. For the intranet zone, all IP addresses located behind a corporate firewall might be included, or the list may include just the IP address for the intranet web server(s) to which the user may need to connect. Through the Automatic Configuration and Proxy Server capabilities in Internet Explorer 4.0 and the IEAK, the browser can be set to check for updated security information, including changes to security zone configurations, each time the browser loads.

Adding Sites to Security Zones

When you visit a site in Internet Explorer, the default setting for that site is usually the Internet zone unless you are viewing a site on your local network, in which case the intranet zone will normally be enabled by default. By adding a site to a different zone, each time that you visit that site your security level automatically changes to reflect the level of the zone to which you have assigned that site. Your browser's security level remains at that level until you switch to another site.

To add a site to a zone, select Internet Options from the View menu of Internet Explorer 4.0. On the property sheet that opens, click the Security tab. Use the drop-down menu to select the zone to which you want to add a site and click Add Site. In the Trusted Sites Zone dialog box, you can enter the URL for the site you wish to add.

The two zones to which you should particularly consider adding sites are the trusted sites and restricted sites zones. As the name implies, trusted sites are Internet sites that you trust to contain content that is not harmful to your computer. For example, it is not likely that Microsoft would place any ActiveX controls on its site that would erase your hard drive without your consent. Therefore, you can probably add Microsoft's site to your list of trusted sites. One of the main advantages of adding a site to your trusted sites list is that you won't be prevented from downloading and installing ActiveX controls and other components through your web browser, which can happen if you have placed your security settings at the highest level.

The restricted sites zone is a good place to enter sites that you know might cause harm to your computer. For example, if you just read about a web site devoted to computer hacking and you want to go view it, it might not be a bad idea to place the site into your restricted sites zone. You would still be able to view the site, but anything on that site that could cause problems on your computer, such as malicious Java applets or ActiveX controls, would be prevented from running or even being installed on your computer. Similarly, if you occasionally visit a site that uses a lot of scripting and ActiveX controls that you don't want to view, you can prevent those items from loading on your computer by entering the site as a restricted site.

If you select the local intranet zone and choose to add one or more sites, a new pop-up window replaces the window that appears on the trusted and restricted sites zones. By default, this new window includes three types of sites that are unique to intranets:

Note that regardless of whether you choose to leave these options enabled, you can also manually add sites to the local intranet zone in the same manner that you do with the trusted and restricted sites zones. To do so, click on the Advanced button within the Local Intranet Zone configuration window shown in Figure 30.5. Then you can add any sites that you want to include in this zone.

Figure 30.5

The local intranet zone contains additional settings to determine which sites should be included within that zone.

Customizing Security Zones

Although you can choose to use the default security setting for each zone or change the setting to one of the other default settings (high, medium, or low security), you can also exercise fine-grained control over your settings by choosing the Custom security level. Viewing the Custom settings also enables you to see exactly what the default settings are for the three default security levels.

To customize the settings for a particular security zone, first select that zone, then select the Custom option, and click on the Settings button. A Security Settings window appears from which you can designate your custom settings for that zone (as shown in Figure 30.6).

The drop-down box near the bottom of this window enables you to select the default level of security you want to restore. If you select one of these default levels and click on the Reset button, the security settings will be reset according to that default. You can then scroll through the many security settings in this window and see how each one is set for any given default. This information should help you choose a default if you don't want to customize your settings in this window.

Figure 30.6

You can customize the settings for any security zone.
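
The zone settings and site assignments described above can also be reviewed outside the dialog boxes; the following Python script is an added example, not part of the original chapter, that parses a registry export and reports settings worth a second look. Assumptions not found on this page: the registry key layout, the action codes (1001, 1004, 1200, 1400) and the policy values (0, 1, 3) are those documented for Internet Explorer URL security zones, the sample export is constructed, and the review rules are illustrative.

```python
import re
from urllib.parse import urlsplit

# Assumption (not from the chapter): key layout, action codes and policy
# values as documented for Internet Explorer URL security zones.
BASE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONES = {1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1400": "Active scripting",
}
POLICIES = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Constructed sample export; {BASE} is expanded below to keep the lines short.
SAMPLE_REG = r"""
[{BASE}\Zones\2]
"1001"=dword:00000000
"1004"=dword:00000001
"1200"=dword:00000000
"1400"=dword:00000000

[{BASE}\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1400"=dword:00000000

[{BASE}\Zones\4]
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1400"=dword:00000000

[{BASE}\ZoneMap\Domains\example.com\www]
"http"=dword:00000002

[{BASE}\ZoneMap\Domains\example.net]
"*"=dword:00000004
""".replace("{BASE}", BASE)

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg(text):
    """Return {key path: {value name: int}} for the dword values in an export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return keys

def zone_policies(keys):
    """Map zone number -> {action code: 'Enable' | 'Prompt' | 'Disable'}."""
    prefix, out = BASE + "\\Zones\\", {}
    for path, values in keys.items():
        if path.startswith(prefix) and path[len(prefix):].isdigit():
            out[int(path[len(prefix):])] = {
                code: POLICIES.get(v, "unknown(%d)" % v)
                for code, v in values.items() if code in ACTIONS}
    return out

def site_zone(keys, scheme, host):
    """Zone assigned to a site; unlisted sites fall into the Internet zone (3).
    Simplification: the domain is taken to be the last two host labels."""
    prefix = BASE + "\\ZoneMap\\Domains\\"
    labels = host.lower().split(".")
    domain, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
    candidates = ([prefix + domain + "\\" + sub] if sub else []) + [prefix + domain]
    for path in candidates:              # most specific entry first
        values = keys.get(path, {})
        for name in (scheme, "*"):       # exact protocol, then wildcard
            if name in values:
                return values[name]
    return 3

def decision(keys, url, code):
    """(zone name, policy) that applies to one action on one URL."""
    parts = urlsplit(url)
    zone = site_zone(keys, parts.scheme, parts.hostname)
    return ZONES.get(zone, str(zone)), zone_policies(keys).get(zone, {}).get(code, "not set")

def findings(keys):
    """Illustrative review rules; returns (zone, setting, policy) tuples."""
    out = []
    for zone, policies in sorted(zone_policies(keys).items()):
        for code, policy in sorted(policies.items()):
            risky = (
                # Unsigned controls carry no publisher information to judge by.
                (code == "1004" and policy != "Disable")
                # Restricted sites should not run or install anything.
                or (zone == 4 and policy != "Disable")
                # In the default Internet zone, installs should at least prompt.
                or (code == "1001" and zone == 3 and policy == "Enable"))
            if risky:
                out.append((ZONES.get(zone, str(zone)), ACTIONS[code], policy))
    return out

if __name__ == "__main__":
    exported = parse_reg(SAMPLE_REG)
    for item in findings(exported):
        print("REVIEW: %s / %s = %s" % item)
    print(decision(exported, "http://files.example.net/x", "1400"))
```
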

Among the security settings that you can customize, the following settings give you the option of choosing Enable, Prompt, or Disable. The Enable option means that you will not be prompted before downloading or running the component in question. The settings available with these options include

You can also choose security settings for the following options:

Customizing Java Settings

Java applets in Internet Explorer 4.0 obtain new capabilities, but also can be limited by security features. As previously discussed in the Java section of this chapter, Java applets can run outside the sandbox in Internet Explorer 4.0. However, because allowing such applets to write to disk drives and access the operating system is highly risky, particularly when the code is downloaded from an unknown source, Windows 98 provides new security safeguards to help protect your computer. One way of adding a level of trust to downloaded Java applets is through Microsoft's Authenticode technology, which asks you to decide whether to run an applet before the applet is loaded onto your computer. The information presented can include the capabilities of the applet, such as the fact that it may be designed to transfer information back over the network or to write to the disk drives. Based on these signed capabilities, you can decide whether to load the applet on your machine.

You can customize the security settings for Java if you don't want to use the default settings provided in Internet Explorer.

As indicated in the "Customizing Security Zones" section, you can fine-tune the security settings for Java components on your system. To do so, choose Internet Options from the View pull-down menu in Internet Explorer and then click on the Security tab. Choose a zone for which you wish to customize the Java settings, select Custom, and then click on the Settings button. In the Security settings window, select Custom under Java permissions and click on the Java Custom Settings button. If you are familiar with Java, you might want to customize some of the many different security options available here according to the exact level of protection that you want.

Authenticode

Security in Internet Explorer 4.0 is also enhanced through the use of Authenticode 2.0, an updated version of the authenticating technology designed to identify ActiveX controls, executables, and Java applets that have been digitally signed using this product. Software developers use this process to obtain a digital certificate from a third-party certificate authority; this certificate enables developers to apply a unique digital signature and time stamp to the code being distributed. Because the certificates use a high level of encryption to protect the digital signature, all certificates have a limited lifetime that is set to expire prior to any date by which the encryption used for the certificate could be cracked. This technology makes it very difficult for someone to impersonate another software publisher. When you download a file that has been digitally signed using Authenticode, Internet Explorer tells you who the author of the software is and asks whether you want to install it.

A new feature in Authenticode 2.0 allows Internet Explorer 4.0 to automatically check the authority who issued the certificate to determine whether the certificate has been revoked since the time it was issued. Thus if a software developer distributes malicious code and if this fact comes to the attention of the certificate vendor, the vendor will revoke the certificate. In such an event, you may get a warning of this revocation at the time that you are asked whether to install the software.

Certificate Management

Administrators can also ensure a minimum level of safety on their networks through the use of Certificate Management. By using the Internet Explorer Administration Kit, network administrators can preselect which digital certificates from software vendors a user is allowed to accept to receive trusted code. The administrator can also designate which certificates the user cannot accept. Thus if an ActiveX control or Java applet being downloaded presents a certificate that is predesignated as being either trusted or not to the browser, the browser can automatically accept or reject the code without the user's intervention. If a certificate server is set up on your network, you can preconfigure users' browsers to automatically accept software signed with certificates issued by that server. Thus software signed by internal software developers could be installed and run without any intervention by the user.

Like other security-related features, the user's web browser can be set to automatically check each time it is loaded to see whether the centrally maintained list of authorized certificates has changed since the last time the user ran the browser. Consequently, the administrator can be assured that every copy of Internet Explorer 4.0 running on the network has the latest security information.

128-Bit Encryption

One of the ways that you can protect your private information, such as when you are purchasing goods over the Internet, is to use the highest level of encryption that is available for your browser. Both Microsoft and Netscape provide 128-bit encryption for their browsers, which is substantially stronger than the 40-bit encryption algorithm supported in the standard version of their browsers. The 128-bit version is currently only available to users in the United States and Canada.

In many cases, you will find that you have the 40-bit version of Internet Explorer even if you purchased your copy of Windows 98 in the United States or Canada. You can determine the encryption strength of your version of Internet Explorer by one of two means:

If you determine that you are using the 40-bit version, you can download the files needed to convert Internet Explorer to 128-bit from Microsoft's web site. Go to http://www.microsoft.com/ie and navigate to the Download section where you can get these files. The web server will verify that you are connecting to the Internet from a location within the United States or Canada, after which you will have to fill out a form verifying that you are legally able to possess this higher strength form of encryption.

Other Security Features in Internet Explorer

To access even more security features in Internet Explorer, choose Internet Options from the View pull-down menu and then select the Advanced tab. One set of options on this tab is labeled Security (see Figure 30.7). With these settings, you can disable Secure Sockets Layer connections (discussed more fully in the "Secure Transactions" section below), have the browser warn you if a site's security certificate appears to be invalid, and have it warn you when you are moving from a secure page to an unsecured page.

Figure 30.7

In addition to security zones, you can use the Advanced tab within the Internet Options tab in Internet Explorer to set various other security options.

One of the options provided here is to refuse to accept cookies sent to your browser by web sites. Cookies are one of the most misunderstood elements on the Internet. Cookies are generally used by web servers for functions such as keeping track of you as you move about a site. Cookies can store your site preferences and hold data about your session while you are connected to that server. You should be aware that many sites that require user authentication to access that site use cookies to identify you as you move from page to page after being authenticated. If you set the cookies settings in Internet Explorer to refuse all cookies, then you will probably not be able to access such sites. Because cookies are benign by nature, in most cases you should allow them unless you have strong privacy concerns; even then, you might have to enable cookies occasionally to access sites that require their use.
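The following added example (not code from the book) shows why refusing all cookies locks you out of sites that authenticate with them: the server hands out a session cookie at login and recognizes you on later pages only if the browser sends it back. The `Browser` class, the `session` cookie name, and the sample user and password are assumptions constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # server-side table: session token -> authenticated user

def login(user, password):
    """Return the Set-Cookie value a server sends after a successful login."""
    if password != "constructed-demo-password":   # constructed credential check
        return None
    token = secrets.token_urlsafe(32)             # unguessable session identifier
    SESSIONS[token] = user
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()

def protected_page(cookie_header):
    """Return (status, body) for a page that requires an authenticated session."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("session")
    user = SESSIONS.get(morsel.value) if morsel else None
    if user is None:
        return 401, "please log in"
    return 200, f"account page for {user}"

class Browser:
    """Minimal client that either stores or refuses cookies."""
    def __init__(self, accept_cookies):
        self.accept_cookies = accept_cookies
        self.jar = {}

    def receive(self, set_cookie):
        if not (self.accept_cookies and set_cookie):
            return                                # cookie refused: nothing is stored
        parsed = SimpleCookie()
        parsed.load(set_cookie)
        for name, morsel in parsed.items():
            self.jar[name] = morsel.value

    def cookie_header(self):
        return "; ".join(f"{k}={v}" for k, v in self.jar.items())

def visit(accept_cookies):
    """Log in, then request a protected page with the given cookie setting."""
    browser = Browser(accept_cookies)
    browser.receive(login("alice", "constructed-demo-password"))
    return protected_page(browser.cookie_header())

if __name__ == "__main__":
    print("cookies accepted:", visit(True))
    print("cookies refused: ", visit(False))
```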

Secure Transactions

As discussed earlier in this chapter, some people are very sensitive about the possible security risks involved in transmitting personal information over the Internet. Regardless of whether this concern is justified or not, Microsoft, Netscape, IBM, and other corporations that are trying to promote commerce on the Internet have continued to increase security on the Internet on both the client and server side. One of the longest standing forms of protecting personal data on the Internet is the use of encryption to secure transactions. Microsoft has taken additional steps to provide other proprietary forms of protection in the form of Microsoft Wallet. This section briefly addresses the use of these technologies in the continuing effort to promote secure transactions in which consumers will feel more comfortable buying goods and services on the Internet.

Encryption

Although you should not generally be concerned about transmitting basic information such as your name and address over the Internet, you should not transmit your credit card number or conduct online banking over the Internet unless you have a secure, encrypted connection to the web server to which you are sending the information. This is really a matter of common sense. Just as you would not give your credit card information to someone on the phone unless you trusted that party, such as a company from which you routinely purchase goods, you should try to protect your credit card information as it travels across the Internet.

Most web sites that take credit cards for goods and services purchased over the Internet use a secure web page to obtain this information from you. Similarly, banks and stock trading services that allow you to make transactions over the Internet need to provide a secure way to exchange information with you. You can tell when you are connecting to a secure web site if a gold lock icon appears in the status bar at the bottom of Internet Explorer's window. Most secure sites use a URL prefix of https:// rather than http://, so this prefix is another indicator that you are probably connecting to a secure site.

However, if you want to be sure that the site is using a secure connection that you can trust, you may want to check the properties for that page. To do so, choose Properties from the File pull-down menu in Internet Explorer. In the properties window, click on the Certificates button. The next window should display information about the owner of the certificate as well as the certificate authority that granted the certificate. The level of encryption employed by that site and other such information is also available by clicking on the various properties listed in this window.

Microsoft's Internet Explorer browser supports several Internet protocols for using encryption to establish secure connections. The most common protocol currently employed by web sites is Secure Sockets Layer versions 2.0 and 3.0. This protocol uses a public/private key for encryption that, when combined with 128-bit encryption, makes it almost impossible for your data to be decrypted by any entity except the web server that established the secure connection with your web browser. Other security protocols that are either directly supported by Internet Explorer or that are being jointly developed by Microsoft and other organizations include Personal Communications Technology, Secure Electronics Transactions, and Transport Layer Security. The main things that you should be concerned about, however, are (1) that the version of Internet Explorer 4.0 supplied with Windows 98 supports all standards-based web sites that use secure communications and (2) that Microsoft is continuing to work with other organizations to improve security and increase your comfort level in conducting secure transactions over the Internet.

Microsoft Wallet

One of the technologies that Microsoft is promoting in its quest to increase Internet security is its own proprietary mechanism for securely transmitting personal and financial information from your computer to a web server. Microsoft Wallet, also known as Microsoft Payment Selector, enables you to store your credit card, address, and other information securely on your computer and then pass this information on to merchants from whom you purchase goods and services over the Internet. Information entered into Microsoft Wallet can be transferred to a third party only if that party's web site is set up to receive such information.

To enter information into Microsoft Wallet, choose Internet Options from the View pull-down menu in Internet Explorer and then click on the Content tab. If Microsoft Wallet is installed on your system, then the Addresses and Payments buttons will be enabled. Microsoft Wallet is an ActiveX control that might not be installed on your system by default. If it is not installed, you can add it by using Add/Remove Programs in the Control Panel and then selecting the Windows Setup tab. Microsoft Wallet is one of the Internet Tools subcomponents.

Conclusion

This chapter discussed Windows 98 Internet security features and described some strategies for securing your Windows 98 PC from malicious code and unauthorized access. For more on configuring Windows 98 for the Internet, see Chapter 28, "Setting Up Windows 98 for the Internet." You may also wish to see Chapter 25, "Windows 98 with TCP/IP," which discusses how to install and configure the Internet protocol TCP/IP.



Copyright, Macmillan Computer Publishing. All rights reserved.