March 11th, 2011
The Pinned Sites feature introduced in IE9 Beta is a great way to integrate your favorite sites into the Windows 7 user experience. Better still, there are five significant security benefits in creating and using Pinned Sites for secure applications like online banking.
First, when you pin a site you trust to your taskbar, and get in the habit of using that pinned icon to launch your secure experience, you can avoid clicking on links in emails, reducing the likelihood of a phishing attack luring you to a phony site. This “secure launch” behavior also helps reduce the possibility of a typo in the address bar sending you to the wrong site.
Second, Pinned Sites run in their own browser session, independent of the desktop browser. That means the session cookies (the in-memory cookies with no expiration date that typically carry your logged-in state) set by sites running in a Pinned Browser instance aren’t available for potential abuse by tabs running in your regular IE browser windows. Persistent cookies stored on disk are shared as usual; it is the session itself that is isolated.
Third, Pinned Sites run without any add-on Toolbars and Browser Helper Objects, helping to reduce the attack surface of your browser. With less code running, malicious or infected sites have fewer targets for their attacks.
Fourth, when you pin an HTTPS site to your taskbar, you can avoid insecure HTTP to HTTPS redirections. For instance, if you type bank.example.com into your address bar, the first request sent out to the network is destined for http://bank.example.com, using the insecure HTTP protocol. Under normal circumstances, that site will immediately send you a redirect to the https://bank.example.com site. However, if you use the HTTP protocol from an unsecured network (say, your local coffee shop), an attacker on the wire can intercept that insecure request and answer it himself, sending you to his phishing site instead of your real banking site.
Only careful examination of the URL in the address bar and verification of the HTTPS Lock icon’s certificate information will allow you to detect a man-in-the-middle attack like this. However, when you pin https://bank.example.com to your taskbar, the very first request sent when you launch your pinned banking application already uses the HTTPS protocol, helping to prevent the man-in-the-middle from intercepting and redirecting your traffic to a malicious site.
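The benefit above depends on the pinned site actually launching over HTTPS. IE9 reads a pinned site’s launch URL from the msapplication-starturl meta tag (falling back to the URL of the page that was pinned when the tag is absent) and its Jump List entries from msapplication-task tags, so a site author who points either at an http:// URL gives the first request back to the attacker. The following lint, an added example that is not code from this post or from the IE team, flags such URLs; the host names and the two sample pages are constructed for illustration.

```javascript
// Added example, not code from the IEBlog post. Audits the Pinned Sites
// metadata a page ships for launch URLs that would not start over HTTPS.
// bank.example.com and the two sample pages below are constructed samples.

const PAGE_URL = "https://bank.example.com/";

const GOOD_PAGE = `
<meta name="application-name" content="Example Bank" />
<meta name="msapplication-starturl" content="./login" />
<meta name="msapplication-task"
      content="name=Accounts;action-uri=https://bank.example.com/accounts;icon-uri=/icons/accounts.ico" />`;

const BAD_PAGE = `
<meta name="application-name" content="Example Bank" />
<meta name="msapplication-starturl" content="http://bank.example.com/login" />
<meta name="msapplication-task"
      content="name=Accounts;action-uri=https://bank.example.com/accounts;icon-uri=/icons/accounts.ico" />
<meta name="msapplication-task"
      content="name=Support;action-uri=http://support.bank.example.com/;icon-uri=/icons/help.ico" />`;

// Minimal <meta> extraction: enough for the attribute forms used in head markup.
function parseMetaTags(html) {
  const tags = [];
  const tagRe = /<meta\b([^>]*)>/gi;
  const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    tags.push(attrs);
  }
  return tags;
}

// Parse the "key=value;key=value" content of an msapplication-task tag.
function parseTaskContent(content) {
  const fields = {};
  for (const part of content.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) fields[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return fields;
}

// Returns one finding per pinned-site URL whose resolved scheme is not https:.
// Relative URLs are resolved against the page URL, so they inherit its scheme;
// that is why "./login" on an HTTPS page is fine and an absolute http:// is not.
function auditPinnedSiteMetadata(html, pageUrl) {
  const findings = [];
  const check = (value, where) => {
    const resolved = new URL(value, pageUrl);
    if (resolved.protocol !== "https:") findings.push({ where, url: resolved.href });
  };
  for (const tag of parseMetaTags(html)) {
    const name = (tag.name || "").toLowerCase();
    if (name === "msapplication-starturl" && tag.content !== undefined) {
      check(tag.content, "msapplication-starturl");
    } else if (name === "msapplication-task" && tag.content !== undefined) {
      const task = parseTaskContent(tag.content);
      if (task["action-uri"]) {
        check(task["action-uri"], `msapplication-task "${task.name}" action-uri`);
      }
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("good page:", auditPinnedSiteMetadata(GOOD_PAGE, PAGE_URL));
  console.log("bad page:", auditPinnedSiteMetadata(BAD_PAGE, PAGE_URL));
}
```

Run against a page’s head markup, the good sample produces no findings, while the bad sample reports both the http:// start URL and the http:// Support task. Icon URIs are deliberately not flagged: they are fetched as images, not navigated to, so they do not reopen the redirect window the post describes.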
Fifth, when you pin an HTTPS site to your taskbar, you are better protected from man-in-the-middle attacks that target the HTTPS protocol. Specifically, if there is any problem with the security certificate presented when your browser contacts the Web site, the connection is immediately and securely terminated.
For instance, here’s a screenshot showing what you would see if you tried to visit your banking site when an attacker is using an attack tool to attempt to fool your browser with a phony security certificate:
As you can see, no unsafe options are presented that would allow you to “click through” and compromise the security of your personal information.
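To make the fourth and fifth points concrete, here is a small model of the two launch paths the post contrasts (typing a bare host name versus launching a pinned HTTPS site) on an honest network and on one with an on-path attacker. It is an added example, not code from this post or from the IE team; every host name, "server" and "network" in it is constructed for illustration, and the browser behaviour it encodes is the one the post describes: an assumed http:// scheme for a typed host name, and no certificate-error click-through for a pinned site.

```javascript
// Added example, not code from the IEBlog post. Models typed vs. pinned
// navigation on an honest and on a hostile network. All hosts are made up.

// IE9, like other browsers of its day, assumes http:// when the user types a
// bare host name. This plain-HTTP request is the one an attacker can tamper with.
function firstRequestUrl(typed) {
  const t = typed.trim();
  return /^https?:\/\//i.test(t) ? new URL(t).href : new URL("http://" + t).href;
}

// Honest network: plain HTTP answers with a redirect to HTTPS, and HTTPS serves
// the real site with a certificate valid for the requested host name.
const honestNetwork = {
  http: (url) => ({ status: 301, location: url.replace(/^http:/i, "https:") }),
  https: (url) => ({ status: 200, certValidFor: new URL(url).hostname, body: "real bank" }),
};

// Hostile network (the coffee-shop case): the attacker answers any plain-HTTP
// request himself, redirecting the victim to a look-alike host that he serves over
// HTTP. He cannot do the same for HTTPS without a certificate the browser trusts,
// so the best he can do there is present one issued for some other name.
function hostileNetwork(attackerHost) {
  return {
    http: (url) =>
      new URL(url).hostname === attackerHost
        ? { status: 200, body: "phishing page" }
        : { status: 302, location: "http://" + attackerHost + "/" },
    https: () => ({ status: 200, certValidFor: attackerHost, body: "phishing page" }),
  };
}

// The browser side. `pinned` selects the Pinned Sites behaviour on a certificate
// error: the connection is terminated with nothing to click through, whereas a
// regular IE9 tab shows a warning page the user can override.
function navigate(startUrl, network, { pinned = false } = {}) {
  let url = startUrl;
  for (let hop = 0; hop < 5; hop++) {
    const u = new URL(url);
    if (u.protocol === "http:") {
      const r = network.http(url);
      if (r.status >= 300 && r.location) { url = r.location; continue; } // follow redirect
      return { url, secure: false, outcome: "rendered", body: r.body };
    }
    const r = network.https(url);
    if (r.certValidFor !== u.hostname) {
      return pinned
        ? { url, secure: false, outcome: "blocked" }
        : { url, secure: false, outcome: "warning-page", clickThroughOffered: true };
    }
    return { url, secure: true, outcome: "rendered", body: r.body };
  }
  throw new Error("too many redirects");
}

// The four combinations the post describes, returned for inspection.
function runScenarios() {
  const typed = firstRequestUrl("bank.example.com");   // http://bank.example.com/
  const pinnedStart = "https://bank.example.com/";     // what the pinned site launches
  const evil = hostileNetwork("bank-example.com.evil.example");
  return {
    typedHonest: navigate(typed, honestNetwork),
    pinnedHonest: navigate(pinnedStart, honestNetwork, { pinned: true }),
    typedHostile: navigate(typed, evil),
    pinnedHostile: navigate(pinnedStart, evil, { pinned: true }),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runScenarios());
}
```

On the honest network both paths end on the real site over HTTPS. On the hostile network the typed path ends on the attacker’s page over plain HTTP, with nothing but the address bar to warn the user, while the pinned path never issues an HTTP request and terminates on the bogus certificate. Running `navigate` for the same HTTPS URL without `pinned` shows the regular-tab alternative: a warning page with a click-through option.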
Of course, Pinned Sites also benefit from the many security technologies and features found in the regular Internet Explorer 9 browser. You’ll see the green address bar when visiting sites that present an Extended Validation certificate and the SmartScreen Filter will help block navigation to and downloads from sites known to be malicious.
For a simpler and safer browsing experience, pin your most important sites today. Thanks!
—Eric Lawrence, Senior Program Manager Lead, Internet Explorer