Internet Explorer 9 Security Part 3: Browse More Securely with Pinned Sites


The Pinned Sites feature introduced in IE9 Beta is a great way to integrate your favorite sites into the Windows 7 user experience. Better still, there are five significant security benefits in creating and using Pinned Sites for secure applications like online banking.

First, when you pin a site you trust to your taskbar, and get in the habit of using that pinned icon to launch your secure experience, you can avoid clicking on links in emails, reducing the likelihood of a phishing attack luring you to a phony site. This “secure launch” behavior also helps reduce the possibility of a typo in the address bar sending you to the wrong site.

Second, Pinned Sites run in their own browser session, independent of the desktop browser. That means that the session cookies set by sites running in a Pinned Browser instance aren’t available for potential abuse by tabs running in your regular IE browser windows.

Third, Pinned Sites run without any add-on Toolbars and Browser Helper Objects, helping to reduce the attack surface of your browser. With less code running, malicious or infected sites have fewer targets for their attacks.

Fourth, when you pin an HTTPS site to your taskbar, you can avoid insecure HTTP to HTTPS redirections. For instance, if you type bank.example.com into your address bar, the first request sent out to the network is destined for http://bank.example.com, using the insecure HTTP protocol. Under normal circumstances, that site will immediately send you a redirect to the https://bank.example.com site. However, if you use the HTTP protocol from an unsecured network (say, your local coffee shop), an attacker on the wire can intercept that insecure request and send you to his phishing site instead of your real banking site.

Only careful examination of the URL in the address bar and verification of the HTTPS Lock icon’s certificate information will allow you to detect a man-in-the-middle attack like this. However, when you pin https://bank.example.com to your taskbar and launch your pinned banking application, the very first request already uses the HTTPS protocol, helping to prevent the man-in-the-middle from intercepting and redirecting your traffic to a malicious site.

Fifth, when you pin an HTTPS site to your taskbar, you are better protected from man-in-the-middle attacks that target the HTTPS protocol. Specifically, if there is any problem with the security certificate presented when your browser contacts the Web site, the connection is immediately and securely terminated.
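The fourth and fifth points above, as an added toy simulation (not IE code and not from the original post): a typed hostname makes its first request over plaintext HTTP, which an on-path attacker can rewrite, whereas a pinned https:// URL starts encrypted and treats a certificate problem as fatal instead of offering a click-through. The hostnames and responses are constructed for the example.

```python
"""Constructed model of a browser's first request: typed hostname versus pinned
https:// URL, with and without an on-path attacker. Not IE's implementation."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed network: the real bank redirects plaintext to HTTPS and serves its
# page over HTTPS; the attacker's site is where a rewritten redirect would point.
NETWORK = {
    "http://bank.example.com/": ("redirect", "https://bank.example.com/"),
    "https://bank.example.com/": ("page", "real bank login"),
    "http://phish.example.net/": ("page", "look-alike login page"),
}


@dataclass
class Response:
    kind: str   # "redirect", "page" or "cert_error"
    value: str  # Location header, page body, or error description


def fetch(url: str, on_path_attacker: bool) -> Response:
    """One request. The attacker can alter only plaintext HTTP responses; when the
    client insists on HTTPS to the bank, the best an attacker can do is present a
    certificate that fails validation."""
    parts = urlsplit(url)
    if on_path_attacker and parts.hostname == "bank.example.com":
        if parts.scheme == "http":
            return Response("redirect", "http://phish.example.net/")
        return Response("cert_error", "certificate name mismatch")
    kind, value = NETWORK.get(url, ("page", f"content of {url}"))
    return Response(kind, value)


def browse(start: str, on_path_attacker: bool, pinned: bool, max_hops: int = 5) -> str:
    """Follow redirects from `start`. A bare hostname (what a user types) begins as
    http://; a pinned launch passes the stored https:// URL. `pinned` selects the
    certificate-error policy: terminate, versus a warning page with a continue option."""
    url = start if "://" in start else f"http://{start}/"
    for _ in range(max_hops):
        resp = fetch(url, on_path_attacker)
        if resp.kind == "redirect":
            url = resp.value
        elif resp.kind == "cert_error":
            if pinned:
                return f"connection terminated: {resp.value}"
            return f"warning page shown for {url} ({resp.value}); continue option offered"
        else:
            return f"{url} -> {resp.value}"
    return "too many redirects"
```

Running `browse("bank.example.com", True, False)` ends on the attacker's page without any certificate error ever being raised, because the plaintext first hop was rewritten before HTTPS was reached; `browse("https://bank.example.com/", True, True)` terminates on the certificate mismatch.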

For instance, here’s a screenshot showing what you would see if you tried to visit your banking site when an attacker is using an attack tool to attempt to fool your browser with a phony security certificate:

[Screenshot: IE9's bad certificate alert]

As you can see, no unsafe options are presented that would allow you to “click through” and compromise the security of your personal information.

Of course, Pinned Sites also benefit from the many security technologies and features found in the regular Internet Explorer 9 browser. You’ll see the green address bar when visiting sites that present an Extended Validation certificate and the SmartScreen Filter will help block navigation to and downloads from sites known to be malicious.

For a simpler and safer browsing experience, pin your most important sites today. Thanks!

—Eric Lawrence, Senior Program Manager Lead, Internet Explorer

Comments (33)

  1. JM says:

    I wonder whether IE-next will allow the use of site-specific menus without pinning the sites. areweprettyyet.com/…/desktopApps

  2. jans says:

    =/kick a todos/::T

  3. Good Idea says:

    I hadn't thought of pinning my sites as HTTPS, good tip, I have gone back and done that now.

  4. Gordon says:

    quote: "Third, Pinned Sites run without any add-on Toolbars and Browser Helper Objects" – seriously? none? – wow… way to #fail.  How come this site/app works when I browse to it but if I pin it to my taskbar it doesn't work anymore.

    Is Microsoft paying our support call costs for IE9? – what a nightmare of bad design.

  5. John says:

    @JM in that page you linked, the sites appear to be pinned as well though?

  6. John says:

    @Gordon, your website relies on IE toolbars to work? THAT sounds like a nightmare of bad design to me. Addons like flash still work fine in pinned sites.

  7. IE needs a spellchecker! says:

    Let's face it: Add-ons for IE are dead in general! Silently killing support for add-ons for pinned sites means that in most future IE sessions, no add-ons will be active at all. IMO this is a very bad decision that comes at a time where all other browsers beef up their add-on capabilities.

    The consequences are obvious: IE 9 will be only enough for users that don't need any add-ons. Experienced users will use other browsers. Even less add-ons for IE will be developed in the future.

  8. CvP says:

    They said spellchecker is a great suggestion but won't make it into IE9. So no use bitching about it..

  9. Andy says:

    @Riasat – a spellchecker is beyond easy to create, in fact they already have a few.  The sad part is that Microsoft knows that IE desperately needs one but they refuse to add it.  Just goes to show they don't care about the end user.

  10. Prior Semblance says:

    In most future IE sessions?  I'm not even using a single pinned site right now, much less pinning every single site I visit.

  11. Aethec says:

    Why don't you offer an option to force certain addons to load in pinned sites? I need a spellchecker when I write in English, and Speckie looks like it does the trick, but that means I'll never use pinned sites…

  12. gawicks says:

    So the fact that no addons can run with pinned sites is not a bug, but a feature.

    This makes pinned sites mode much less appealing

  13. Mark says:

    Where does it say that pinned sites can't use add-ons? It only mentions toolbars and browser helper objects can't be used.

  14. IEUser says:

    @Mark: In reality, "add-ons" in IE mean browser helper objects and toolbars. They are the only means for extending IE in a powerful way. Accelerators are no real add-ons because their scope is just the current selection on a page.

    @John: Flash is a plug-in, not an add-on.

  15. It's a feature, not a bug! says:

    <fiction>Typical support incident from the Bing toolbar team, summer of 2011:

    User: Hello, I'm using the Bing toolbar to always have my Facebook at hand, which is fantastic, by the way. However, the toolbar sometimes just disappears when I open IE. Sometimes it's there, sometimes not. I've even reinstalled IE9, to no avail. Is this a known bug with the Bing toolbar?

    Support: *Sigh* Are you starting IE from the taskbar?

    User: Yes. And it sometimes works and sometimes not.

    Support: Does the toolbar appear when you start the browser by clicking the blue E on the taskbar? On the contrary, is it hidden when you start the browser by clicking a site you pinned to the taskbar?

    User: Could be. But it's a bug with the Bing toolbar then, obviously.

    Support: No, that's how IE9 behaves.

    User: Really? But why? I always want to see my Facebook, which is the easiest for me using the Bing toolbar. I just added a page to the taskbar to have quick access. Why wouldn't I want my toolbar then?

    Support: That's a good question.

    User: So what can I do? Is there an option or something? Can I re-enable the Bing toolbar, maybe on the View menu?

    Support: Not when you start the browser using the pinned site button on the taskbar.

    User: But why didn't IE even inform me about that? The toolbar just disappeared, which is very confusing.

    Support: That's a good question.

    </fiction>

    Dear IE team: Why did you do this? It's great that sites shine with IE9. But, we're still using IE9 on Windows, which stands for flexibility, functionality, and extensibility. This is not Safari on the iPad. This is IE on *my* PC. And the PC, which connects all my data and programs, including IE, still matters, not just the site. This is not IE on a terminal (or Chrome OS). This is my powerful Windows PC, and IE should honor that. It should respect that I want certain add-ons, to be specific.

  16. DanglingPointer says:

    @J, I checked it and IE9 didn't throw a page-crashing error but started never-ending loading with a blank screen. Isn't it the correct behavior? Because I have checked it under FF4RC and IE9RC, both get in trouble with document.writeln('u0000'). Please check out connect.microsoft.com/…/622786; this guy reported the other issue about special characters and it got resolved. Now, go to the test case link he mentioned (end-of-file.net/…/spc-check.html) and try any of the characters in document.writeln from the list. You will find the same behavior. u0000 is a null character and similarly the other characters are also non-printable ones. If you know any better expected result, I suggest you file this bug at connect.microsoft.com, otherwise apparently it doesn't qualify as a bug.

    If the page crashing persists on your machine, try deleting all the cookies/cache etc. and try again. If it still persists, go to Internet Options > Advanced > click "Reset"; this will make your IE9RC brand-new. Now, try the case: the page shouldn't get crashed. I reproduced it without crashing but loading forever. Same goes for FF4RC. Cheers.

  17. TJ says:

    All these seem like a silly excuse to use pinned sites as you can do the same thing by creating bookmarks (Favorites) to secure pages or by launching IE in No Add-ons mode when accessing sensitive sites or by clearing your cookies/cache before going to such sites. As to reducing attack surface, better to avoid installing unneeded toolbars or Add-ons (or other software) to begin with, although regardless running in No Add-ons mode still has great value. As to the last statement regarding security technologies/features, IE8 also has the green bar (Extended Validation) and SmartScreen Filter. So again, I don’t see much value in using pinned sites. Frankly, I hate the feature and wish I could revert Win7 to a true classic mode overall, taskbar and all. Thus, the similar UI redesigns of IE9 equals FAIL!

  18. pinned site fail says:

    What kind of fingers stuck in your ears singing La La La is going on in Redmond to come up with the idea that Pinned Sites should behave completely differently than the browser normally does.

    How fast can you pull the release for 9pm PST Monday and get a new one up that doesn't do this ridiculous garbage?!?!

    Or are you going to ship the broken version first and then rush out the first patch to fix this? (PS for a Public Relations perspective this will be a major setback as it will look like a security failure if you release the patch afterward… I'd opt for the quick new release in the next 26 hours! Get on it quick!)

    Wow, unbelievably Epic Usability Fail.

  19. pinned site fail says:

    Don't forget that toolbars and in particular BHO's are used for printing and interacting with external devices.  This means Pinned Sites (that would normally be handy) will actually break a whole bunch of corporate enterprise applications.

  20. Vincent says:

    Microsoft/Eric Lawrence can you please clarify which items will NOT run in a pinned site?

    E.g. if my site makes use of an ActiveX add-on to enhance printing abilities or render special charts etc. will that fail to run as a pinned site?  I'm not familiar with which addons in IE are which.  e.g. are the Toolbars always actual physical toolbars? or can they be invisible components that just use the toolbar as a hook to add functionality?

    Similarly the BHO (Browser Helper Object) – are they some special fileName.bho files or are they the ActiveX components? it isn't clear.

    Can you spell out explicitly which things will not run as a pinned site by default and how users can re-enable them (e.g. what are the exact steps)

    thanks

  21. SnarkMaiden says:

    things that work in a pinned site: accelerators, Check Spelling for my spelling checker addon, Flash, Send to OneNote, Silverlight… there is a better explanation in a previous post from the IE team.

  22. SimonSiberSystems says:

    "Pinned Sites run without any add-on Toolbars and Browser Helper Objects, helping to reduce the attack surface of your browser. With less code running, malicious or infected sites have fewer targets for their attacks." Initial user reports as well as our own testing indicate that our RoboForm toolbar (which is fully compliant and featured on the IE Add-ons section) will not run with Pinned Sites. I understand you are doing this for security reasons, however it's kind of like throwing the baby out with the bathwater when legitimate useful add-ons with millions of users like RoboForm are not allowed to run. Please re-consider.

  23. Chipster says:

    As a user of the Roboform password manager, I have to agree with Simon. Roboform allows me to use very strong passwords that are different for each site I log into without having to memorize or write them down. I think that you should make a short list of useful add-ons that will run from a pinned site. The authors of the add-ons could go through an application process that would verify that they are legitimate and you could use security certificates to keep the authorized add-ons from being spoofed by malware.

  24. Wes says:

    Thought your pinned site to taskbar was a good feature until I found you have purposely locked add-ons out. I use high security encrypted passwords for many of my sites so this means I will never be able to use this feature. Thank you "Big Brother"; a better option would be to allow the user to enable certain add-ons of their choice.

  25. Frank Jr. says:

    The concept behind pinned sites is great, but MS ruined it by locking out the add-ons. Passwords, Spell Check, ad blocker... etc. Dumb move.

  26. Frank Jr. says:

    Something I forgot to mention is that looping radar from the National Weather Service does not work with IE 9. And yes I have the latest updates from java.

  27. Sad IE9 User says:

    Yeah, I could go on, but why?  I concur with everyone else.  Way to trash a promising feature.  At LEAST give us the option to bypass this restriction.  Spell check?  Not a chance.  WOT? Nope.  3rd party site filtering?  Nada.

  28. Harish says:

    Hey MS, please fix the bug where site icons are not displayed for users behind a proxy server, which makes the pinned sites feature unusable. I like IE9 but this feature bug is fending me off from using it.

  29. Jean-Michel says:

    As a user of the Roboform password manager, I am now unable to use Roboform with IE 9; a better option would be to allow the end user to enable certain add-ons of their choice, to allow the toolbar to launch.

  30. Ian says:

    I agree with the earlier posters. Several excellent addons like Lastpass do not work in Pinned Sites, which makes the IE 9 feature much less useful.

  31. Ray says:

    I also use RoboForm. In IE when I want to save a link to the webpage I drag its icon out of IE to my desktop. This causes the RoboForm toolbar to disappear. If I click on View, Toolbars, RoboForm and other non-IE toolbars aren't listed. I've locked the toolbars but I still lose them. If I use IE's gear, select Manage Add-ons, RoboForm is still listed as enabled.

    I too think that I should be able to override the automatic removal so RoboForm and Acrobat stay.