Bill Gates' comment on 10/22/2007: ======================== We have had various tools over the years to try and verify the security of protocols and their implementation. I wonder if any of those tools could have spotted these problems. I guess most of those models didn't model cross-site scripting attacks. The problems described here seem quite serious and we should certainly improve our products�both server and client. These error handling cases are often a source of security problems. I am less clear on our thinking about helping others but I will explore that with an email dialog. I guess the fixes to these problems will not create compatibility problems. To be honest I have never been clear when a site should use HTTPS and what the clear cut benefit to the user is. I know I get all sort of funny messages about going in and out of secure areas unless I tell the browser to stop telling me about it, which I always do. This is a nice piece of work and reminds us how hard it is to have systems that are secure. =======================