IE11 shows that browser security tech has peaked

Every new version of Internet Explorer for a decade has had important new security features. Internet Explorer 11 on Windows 7 has basically none, and that's a good thing.

Security improvements have been a staple feature of Internet Explorer major version upgrades since the Great Security Awakening 10 years ago. Now that Microsoft is getting closer to releasing Internet Explorer 11 for Windows 7, it's clear that the trend has run its course.


Contrary to aged conventional wisdom, recent versions of Internet Explorer are very secure, perhaps the most secure browser available. It's rare for users to get exploited through IE vulnerabilities these days (yesterday's revelations notwithstanding).

There is one interesting new security feature in IE11 on Windows 8.1: support for the WebCryptoAPI, a JavaScript API for performing basic cryptographic functions. I suspect this is less useful for web pages as such and more designed for Windows apps, which are often written in JavaScript. On Windows 7 there will be no WebCryptoAPI.

The closest thing to a new security feature for IE11 on Windows 7 is WebGL, and no, WebGL is not a security feature. But it's security-related because Microsoft had previously sworn that WebGL is unsecurable and had no place in Microsoft products.

The problem is that WebGL exposes only a thin interface layer between web pages and graphics drivers, a category of software with a dubious reputation for quality.

It seems Microsoft has squared the circle, using a combination of certified drivers and a thicker software layer for safety. So it's not so much a security feature as a security mitigation of a dangerous, new non-security feature.

IE10 was also rather thin for security features. The closest one was the integration of the Adobe Flash Player, which should make it more promptly updated. In fact, more significant in IE10 was the removal of several features, like VML (Vector Markup Language), that never caught on but expanded the attack surface.

Security innovations are not the focus of recent versions of Chrome or Firefox either.

Obviously users still get hacked through browsers, but it's a different sort of problem, usually involving social engineering and no real software error. It's just another way of saying that we've done what we can securing the browser; now we have to secure the user, and that may be impossible.