Internet Explorer 9 Security Part 3: Browse More Securely with Pinned Sites
The Pinned Sites feature introduced in IE9 Beta is a great way to integrate your favorite sites into the Windows 7 user experience. Better still, there are five significant security benefits in creating and using Pinned Sites for secure applications like online banking.
First, when you pin a site you trust to your taskbar, and get in the habit of using that pinned icon to launch your secure experience, you can avoid clicking on links in emails, reducing the likelihood of a phishing attack luring you to a phony site. This “secure launch” behavior also helps reduce the possibility of a typo in the address bar sending you to the wrong site.
Second, Pinned Sites run in their own browser session, independent of the desktop browser. That means that the session cookies set by sites running in a Pinned Browser instance aren’t available for potential abuse by tabs running in your regular IE browser windows.
Third, Pinned Sites run without any add-on Toolbars and Browser Helper Objects, helping to reduce the attack surface of your browser. With less code running, malicious or infected sites have fewer targets for their attacks.
Fourth, when you pin a HTTPS site to your taskbar, you can avoid insecure HTTP to HTTPS redirections. For instance, if you type bank.example.com into your address bar, the first request sent out to the network is destined for http://bank.example.com, using the insecure HTTP protocol. Under normal circumstances, that site will immediately send you a redirect to the https: //bank.example.com site. However, if you use the HTTP protocol from an unsecured network (say, your local coffee shop), an attacker on the wire can intercept that insecure request and send you to his phishing site instead of your real banking site.
Only careful examination of the URL in the address bar and verification of the HTTPS Lock icon’s certificate information will allow you to detect a man-in-the-middle attack like this. However, when you pin https: //bank.example.com to your taskbar, when you launch your pinned banking application, the very first request is already using the HTTPS protocol, helping to prevent the man-in-the-middle from intercepting and redirecting your traffic to a malicious site.
Fifth, when you pin a HTTPS site to your taskbar, you are better protected from man-in-the-middle attacks that target the HTTPS protocol. Specifically, if there is any problem with the security certificate presented when your browser contacts the Web site, the connection is immediately and securely terminated.
For instance, here’s a screenshot showing what you would see if you tried to visit your banking site when an attacker is using an attack tool to attempt to fool your browser with a phony security certificate:
As you can see, no unsafe options are presented that would allow you to “click through” and compromise the security of your personal information.
Of course, Pinned Sites also benefit from the many security technologies and features found in the regular Internet Explorer 9 browser. You’ll see the green address bar when visiting sites that present an Extended Validation certificate and the SmartScreen Filter will help block navigation to and downloads from sites known to be malicious.
For a simpler and safer browsing experience, pin your most important sites today. Thanks!
—Eric Lawrence, Senior Program Manager Lead, Internet Explorer
Comments
Anonymous
March 11, 2011
I wonder whether IE-next will allow the use of site-specific menus without pinning the sites. areweprettyyet.com/.../desktopAppsAnonymous
March 11, 2011
=/kick a todos/::TAnonymous
March 11, 2011
I hadn't thought of pinning my sites as HTTPS, good tip, I have gone back and done that now.Anonymous
March 11, 2011
quote: "Third, Pinned Sites run without any add-on Toolbars and Browser Helper Objects" - seriously? none? - wow... way to #fail. How come this site/app works when I browse to it but if I pin it to my taskbar it doesn't work anymore. Is Microsoft paying our support call costs for IE9? - what a nightmare of bad design.Anonymous
March 11, 2011
@JM in that page you linked, the sites appear to be pinned as well though?Anonymous
March 11, 2011
The comment has been removedAnonymous
March 11, 2011
Let's face it: Add-ons for IE are dead in general! Silently killing support for add-ons for pinned sites means that in most future IE sessions, no add-ons will be active at all. IMO this is a very bad decicion that comes at a time where all other browsers beef up their add-on capabilities. The consequences are obvious: IE 9 will be only enough for users that don't need any add-ons. Experienced users will use other browsers. Even less add-ons for IE will be developed in the future.Anonymous
March 11, 2011
The comment has been removedAnonymous
March 11, 2011
@Riasat - a spellchecker is beyond easy to create, in fact they already have a few. The sad part is that Microsoft knows that IE desperately needs one but they refuse to add it. Just goes to show they don't care about the end user.Anonymous
March 11, 2011
In most future IE sessions? I'm not even using a single pinned site right now, much less pinning every single site I visit.Anonymous
March 11, 2011
Why don't you offer an option to force certain addons to load in pinned sites? I need a spellchecker when I write in English, and Speckie looks like it does the trick, but that means I'll never use pinned sites...Anonymous
March 11, 2011
So the fact that no addons can run with pinned sites is not a bug .but a feature. This makes pinned sites mode much less appealingAnonymous
March 12, 2011
Where does it say that pinned sites can't use add-ons? It only mentions toolbars and browser help objects can't be used,Anonymous
March 12, 2011
The comment has been removedAnonymous
March 12, 2011
<fiction>Typical support incident from the Bing toolbar team, summer of 2011: User: Hello, I'm using the Bing toolbar to always have my Facebook at hand, which is fantastic, by the way. However, the toolbar sometimes just disappears when I open IE. Sometimes it's there, sometimes not. I've even reinstalled IE9, to no avail. Is this a known bug with the Bing toolbar? Support: Sigh Are you starting IE from the taskbar? User: Yes. And it sometimes works and sometimes not. Support: Does the toolbar appear when you start the browser by clicking the blue E on the taskbar? On the contrary, is it hidden when you start the browser by clicking a site you pinned to the taskbar? User: Could be. But it's a bug with the Bing toolbar then, obviously. Support: No, that's how IE9 behaves. User: Really? But why? I always want to see my Facebook, which is the easiest for me using the Bing toolbar. I just added a page to the taskbar to have quick access. Why wouldn't I want my toolbar then? Support: That's a good question. User: So what can I do? Is there an option or something? Can I re-enable the Bing toolbar, maybe on the View menu? Support: Not when you start the browser using the pinned site button on the taskbar. User: But why didn't IE even inform me about that? The toolbar just disappeared, which is very confusing. Support: That's a good question. </fiction> Dear IE team: Why did you do this? It's great that sites shine with IE9. But, we're still using IE9 on Windows, which stands for flexibility, functionality, and extensibility. This is not Safari on the iPad. This is IE on my PC. And the PC, which connects all my data and programs, including IE, still matters, not just the site. This is not IE on a terminal (or Chrome OS). This is my powerful Windows PC, and IE should honor that. It should respect that I want certain add-ons, to be specific.Anonymous
March 12, 2011
someone find bug in ie9. ticore.blogspot.com/.../ie9-null-character-bug.htmlAnonymous
March 12, 2011
Someone found the bug in ie9. ticore.blogspot.com/.../ie9-null-character-bug.htmlAnonymous
March 12, 2011
@J, I checked it and IE9 didn't throw page-crashing error but started never-ending loading with blank screen. Isn't it the correct behavior? Because I have checked it under FF4RC and IE9RC, both gets in trouble with document.writeln('u0000'). Please check out, connect.microsoft.com/.../622786, this guy reported the other issue about special characters and it get resolved. Now, goto the test case link he mentioned (end-of-file.net/.../spc-check.html) and try any of the character in document.writeln from the list. You will find the same behavior. u0000 is a null character and similarly the other characters are also non-printable ones. If you know any better expected result, I suggest you file this bug at connect.microsoft.com , otherwise apparently it doesn't qualify as a bug. If the page crashing persists on your machine, try deleting all the cookies/chache etc and try again. If it still persist, goto Internet Options > Advanced > click "Reset" this will make your IE9RC brand-new. Now, try the case the page shouldn't get crashed. I reproduced it without crashing but loading forever. Same goes for FF4RC. Cheers.Anonymous
March 12, 2011
All these seem like a silly excuse to use pinned sites as you can do the same thing by creating bookmarks (Favorites) to secure pages or by launching IE in No Add-ons mode when accessing sensitive sites or by clearing your cookies/cache before going to such sites. As to reducing attack surface, better to avoid installing unneeded toolbars or Add-ons (or other software) to begin with, although regardless running in No Add-ons mode still has great value. As to the last statement regarding security technologies/features, IE8 also has the green bar (Extended Validation) and SmartScreen Filter. So again, I don’t see much value in using pinned sites. Frankly, I hate the feature and wish I could revert Win7 to a true classic mode overall, taskbar and all. Thus, the similar UI redesigns of IE9 equals FAIL!Anonymous
March 13, 2011
What kind of fingers stuck in your ears singing La La La is going on in Redmond to come up with the idea that Pinned Sites should behave completely differently than the browser normally does. How fast can you pull the release for 9pm PST Monday and get a new one up that doesn't do this ridiculous garbage?!?! Or are you going to ship the broken version first and then rush out the first patch to fix this? (PS for a Public Relations perspective this will be a major setback as it will look like a security failure if you release the patch afterward... I'd opt for the quick new release in the next 26 hours! Get on it quick!) Wow, unbelievably Epic Usability Fail.Anonymous
March 13, 2011
What kind of fingers stuck in your ears singing La La La is going on in Redmond to come up with the idea that Pinned Sites should behave completely differently than the browser normally does. How fast can you pull the release for 9pm PST Monday and get a new one up that doesn't do this ridiculous garbage?!?! Or are you going to ship the broken version first and then rush out the first patch to fix this? (PS for a Public Relations perspective this will be a major setback as it will look like a security failure if you release the patch afterward... I'd opt for the quick new release in the next 26 hours! Get on it quick!) Wow, unbelievably Epic Usability Fail. Don't forget that toolbars and in particular BHO's are used for printing and interacting with external devices. This means Pinned Sites (that would normally be handy) will actually break a whole bunch of corporate enterprise applications.Anonymous
March 14, 2011
The comment has been removedAnonymous
March 14, 2011
The comment has been removedAnonymous
March 15, 2011
"Pinned Sites run without any add-on Toolbars and Browser Helper Objects, helping to reduce the attack surface of your browser. With less code running, malicious or infected sites have fewer targets for their attacks." Initial user reports as well as our own testing indicate that our RoboForm toolbar (which is fully compliant and featured on the IE Add-ons section) will not run with Pinned Sites. I understand you are doing this for security reasons, however it's kind of like throwing the baby out with the bathwater when legitimate useful add-ons with millions of users like RoboForm are not allowed to run. Please re-consider.Anonymous
March 16, 2011
As a user of the Roboform password manager, I have to agree with Simon. Roboform allows me to use very strong passwords that are different for each site I log into without having to memorize or write them down. I think that you should make a short list of useful add-ons that will run from a pinned site. The authors of the add-ons could go through an application process that would verify that they are legitimate and you could use security certificates to keep the authorized add-ons from being spoofed by malware.Anonymous
March 16, 2011
The comment has been removedAnonymous
March 16, 2011
The concept behind pinned sites is great, but MS ruined it by locking out the add-ons. Passwords, Spell Check, addblocker.............etc. Dumb move.Anonymous
March 16, 2011
The comment has been removedAnonymous
March 17, 2011
Yeah, I could go on, but why? I concur with everyone else. Way to trash a promising feature. At LEAST give us the option to bypass this restriction. Spell check? Not a chance. WOT? Nope. 3rd party site filtering? Nada.Anonymous
March 20, 2011
Hey MS please fix the bug of site icons are not displayed for users behind proxy server, which makes pinned sites feature unusable. I like IE9 but this feautre bug is fending me off from using itAnonymous
March 21, 2011
As a user of the Roboform password manager, I am now unable to use Roboform with IE 9, a better option would be to allow the end user to enable certain add-ons of their choice, to allow the toolbar to launch.Anonymous
March 23, 2011
I agree with the earlier posters. Several excellent addons like Lastpass do not work in Pinned Sites, which makes the IE 9 feature much less useful.Anonymous
March 25, 2015
I also use RoboForm. In IE when I want to save a link to the webpage I drag its icon out of IE to my desktop. This causes the RoboForm toolbar to disappear. If I click on View, Toolbars, RoboForm and other non-IE toolbars aren't listed. I've locked the toolbars but I still lose them. If I use IE's gear, select Manage Add-ons, RoboForm is still listed as enabled. I too think that I should be able to override the automatic removal so RoboForm and Acrobat stay.