Microsoft Cyber Security Chief Urges Users to Stop Using Outdated Internet Explorer Browser and Move to ‘Modern’ System

by Chris Jackson, Microsoft

From time to time, I am asked by customers, “How do I ensure that all web traffic goes to Internet Explorer?” In fact, I was recently asked this question by someone trying to help a hospital. Now, I understand the scenario. In healthcare (as in many other industries), it’s often the case that you’re running with an extremely thin team. As a result, it can seem that using Internet Explorer be default for all situations is the “easy button” because, well, most of your sites were designed for Internet Explorer, so…just…always use it, ok?

In short, this seems like a deliberate decision to take on some technical debt. It’s true that most organizations have some technical debt lying around. (For example, if you’ve disabled User Account Control, require a 32-bit OS or 32-bit Office suite, or are paying for extended support for a legacy version of Java, you have some technical debt.) But this technical debt? Well, it’s different.

Creating technical debt by default

In the past, Internet Explorer was optimized for simplicity at the expense of technical debt. Looking all the way back to Internet Explorer 6, the very concept of “standards mode” vs. “quirks mode” comes from this “easy button” approach. All existing content (which had no DOCTYPE) would get quirks mode; you got standards mode by adding a specific DOCTYPE.

This, of course, had one little pesky problem: most people neither manually type HTML nor obsessively read the documentation to make sure they get the right DOCTYPE. You see, in the bad old days, you couldn’t just put in <DOCTYPE HTML>, you had to put in a full document type definition (DTD), and what you put in determined whether you’d get standards or quirks. So, it wasn’t just the presence or absence of a declaration, but also whether you put in a correctly formatted and properly chosen DTD, that would promote you to standards mode.

So, what really happened is that developer tools either added this in the skeleton code, or they didn’t. Which meant, if your tool didn’t add this in, you would get Internet Explorer 5 emulation (quirks mode) by default. Getting modern was opt-in because that was easier.

Fast forward, as Internet Explorer standards mode supported more and more standards, we decided not to just update the mode we called standards mode because, when we did, we risked breaking applications written for an older interpretation of the standards. So, with Internet Explorer 8 (IE8), we added IE8 standards, but also kept Internet Explorer 7 (IE7) standards. That meant, for sites in the Internet zone, it would default to IE8 standards, but, for sites in the local intranet zone, it would default to IE7 standards.

Another easy button.

As you can see, by going with the “technical debt by default” approach, we ended up in a scenario whereby if you create a brand-new webpage today, run it in the local intranet zone, and don’t add any additional markup, you will end up using a 1999 implementation of web standards by default. Yikes!

Click here to continue reading…

SOURCE: Microsoft / Tech Community