Wilders Security Forums  

  #1  
Old March 9th, 2011, 01:52 PM
funkydude funkydude is offline
Massive Poster
 
Join Date: Apr 2004
Posts: 5,998
Default Internet Explorer 9 Security

Internet Explorer 9 Security Part 1: Enhanced Memory Protections

Quote:
Internet Explorer offers layered defenses to protect against and mitigate each of three major classes of threats that browser users face when surfing the sometimes-hostile Web:
  • Technological attacks designed to exploit the browser or operating system
  • Web attacks designed to exploit vulnerabilities in Web sites
  • Social engineering attacks against the user’s trust

Today’s post covers how browsers’ memory protections mitigate threats in the first class.

http://blogs.msdn.com/b/ie/archive/2...otections.aspx
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere

Last edited by funkydude : March 11th, 2011 at 07:45 PM.
  #2  
Old March 11th, 2011, 07:48 PM
funkydude funkydude is offline
Massive Poster
 
Join Date: Apr 2004
Posts: 5,998
Default Re: Internet Explorer 9 Security

Internet Explorer 9 Security Part 2: Protection from Socially Engineered Attacks

Quote:
For Internet Explorer 9, we took a hard look at the download landscape and found that the download space was fairly well defined for most users. We began researching methods of building intelligence systems that could distinguish between reputable downloads (whether a specific file or digital signature) and those that were more likely to be malicious. The end result was SmartScreen Application Reputation that is now part of the IE9 download experience.

http://blogs.msdn.com/b/ie/archive/2...d-attacks.aspx
  #3  
Old March 11th, 2011, 08:28 PM
Dermot7 Dermot7 is offline
Very Frequent Poster
 
Join Date: Dec 2009
Location: Surrey, England.
Posts: 1,850
Default Re: Internet Explorer 9 Security

Part 3:
https://blogs.msdn.com/b/ie/archive/...ned-sites.aspx
__________________
A man's pride shall bring him low: but honour shall uphold the humble in spirit: Proverbs 29,23.
"Only the wasteful virtues earn the sun": William Butler Yeats, April 27, 1916.
  #4  
Old March 11th, 2011, 09:02 PM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,457
Default Re: Internet Explorer 9 Security

I haven't read part 1 and 2, but I took a look at part 3, and I wonder about the third reason for the Pinned Sites feature.

Quote:
Pinned Sites run without any add-on Toolbars and Browser Helper Objects, helping to reduce the attack surface of your browser. With less code running, malicious or infected sites have fewer targets for their attacks.

While that's all very good, won't that kill user experience?

The fourth reason is interesting:

Quote:
when you pin a HTTPS site to your taskbar, you can avoid insecure HTTP to HTTPS redirections. For instance, if you type bank.example.com into your address bar, the first request sent out to the network is destined for -http://bank.example.com, using the insecure HTTP protocol. Under normal circumstances, that site will immediately send you a redirect to the -https://bank.example.com site. However, if you use the HTTP protocol from an unsecured network (say, your local coffee shop), an attacker on the wire can intercept that insecure request and send you to his phishing site instead of your real banking site.

What about people starting to type https instead of http? Would it work?

Not to mention how many pinned sites would people have in their taskbar for the sake of this security?

Let's see the Jane and Joe: One for facebook, one for twitter, one for myspace, one for youtube, one/more for game websites... Yeah...
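
Added example, not part of any post in this thread: a small offline audit of the navigation described in the quoted "fourth reason", showing which requests leave the machine in cleartext when an address is typed without a scheme versus opened from an https:// shortcut or pinned site. The function names, the simplified "no scheme means http://" rule and the sample redirect responses are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin

REDIRECTS = {301, 302, 303, 307, 308}

def first_request_url(typed):
    """URL of the first request for an address-bar entry.
    Assumption: an entry without a scheme is sent as http://, as the quote describes."""
    typed = typed.strip()
    return typed if "://" in typed else "http://" + typed

def audit_navigation(typed, responses):
    """Follow a recorded list of (status, location) responses, one per request.
    Reports every URL requested, which of them went out over cleartext HTTP,
    and whether the navigation ended on the host it started with."""
    url = first_request_url(typed)
    requested = [url]
    for status, location in responses:
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)  # Location may be relative
        requested.append(url)
    cleartext = [u for u in requested if urlsplit(u).scheme.lower() != "https"]
    return {
        "requested": requested,
        "cleartext": cleartext,
        # Any cleartext request can be answered by someone else on the network.
        "interceptable": bool(cleartext),
        "same_host": urlsplit(requested[0]).hostname == urlsplit(requested[-1]).hostname,
    }

if __name__ == "__main__":
    # Constructed samples: typed address, https shortcut, and a redirect that
    # lands on a different host than the one the user asked for.
    cases = [
        ("bank.example.com", [(301, "https://bank.example.com/"), (200, None)]),
        ("https://bank.example.com/", [(200, None)]),
        ("bank.example.com", [(302, "https://bank.example.net/login"), (200, None)]),
    ]
    for typed, responses in cases:
        print(typed, audit_navigation(typed, responses))
```
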
  #5  
Old March 11th, 2011, 10:16 PM
funkydude funkydude is offline
Massive Poster
 
Join Date: Apr 2004
Posts: 5,998
Default Re: Internet Explorer 9 Security

Quote:
Originally Posted by m00nbl00d
What about people starting to type https instead of http? Would it work?

Not sure I understand you, why wouldn't typing your bank address with https in the address bar work?

Quote:
Originally Posted by m00nbl00d
Not to mention how many pinned sites would people have in their taskbar for the sake of this security?

Hopefully no one adds pinned sites "for the sake of this security". Pinned sites aren't designed for security, they are designed for speed, security is a side-effect.

Quote:
Originally Posted by m00nbl00d
Let's see the Jane and Joe: One for facebook, one for twitter, one for myspace, one for youtube, one/more for game websites... Yeah...

Again, I miss what point you're trying to make here?

Short of being a separate/isolated session, pinned sites aren't anything special other than being an easier to access bookmark, and I doubt many people will get excited about them. I only use one for mail access, I don't want everything to be separate, I want it all in one window with tabs. Hence, it's not very useful.
  #6  
Old March 12th, 2011, 11:22 AM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,457
Default Re: Internet Explorer 9 Security

Quote:
Originally Posted by funkydude
Not sure I understand you, why wouldn't typing your bank address with https in the address bar work?

I was being sarcastic. One can also have a shortcut pointing to the URL we wish, which in this case would be the bank's website, starting with https.


Quote:
Hopefully no one adds pinned sites "for the sake of this security". Pinned sites aren't designed for security, they are designed for speed, security is a side-effect.

Then why is it part of "Internet Explorer 9 Security Part 3", where it is mentioned "Browse More Securely with Pinned Sites"?

Clearly, they added this feature with security in mind, otherwise point 5 would make no sense:

Quote:
when you pin a HTTPS site to your taskbar, you are better protected from man-in-the-middle attacks that target the HTTPS protocol. Specifically, if there is any problem with the security certificate presented when your browser contacts the Web site, the connection is immediately and securely terminated.

Quote:
Again, I miss what point you're trying to make here?

Short of being a separate/isolated session, pinned sites aren't anything special other than being an easier to access bookmark, and I doubt many people will get excited about them. I only use one for mail access, I don't want everything to be separate, I want it all in one window with tabs. Hence, it's not very useful.

I was being sarcastic. But, imagine every IE9 user would start to pin websites to taskbar for the sake of security. It would become madness.
  #7  
Old March 12th, 2011, 05:26 PM
safeguy safeguy is offline
Frequent Poster
 
Join Date: Jun 2010
Location: Singapore
Posts: 895
Default Re: Internet Explorer 9 Security

I won't get into the Pinned Sites issue but "SmartScreen Application Reputation" kind of reminds me of Norton Insight. In any case, despite not being an IE fan, I like some of the progress MS has made so far with IE, especially when compared to its predecessors.
__________________
Uncertainty is the only certainty there is, and knowing how to live with insecurity is the only security...
  #8  
Old March 12th, 2011, 05:31 PM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,457
Default Re: Internet Explorer 9 Security

Quote:
Originally Posted by safeguy
I won't get into the Pinned Sites issue but "SmartScreen Application Reputation" kind of reminds me of Norton Insight. In any case, despite not being an IE fan, I like some of the progress MS has made so far with IE, especially when compared to its predecessors.

Absolutely. Microsoft did introduce improvements. One that I think could be redesigned is Protected Mode, so that it would be the browser itself applying it, rather than UAC, which many people disable.

Still, as you pointed out, any improvement is a step in the right direction to fight the bad guys/girls.
  #9  
Old March 12th, 2011, 08:11 PM
funkydude funkydude is offline
Massive Poster
 
Join Date: Apr 2004
Posts: 5,998
Default Re: Internet Explorer 9 Security

Sorry for missing the sarcasm, m00nbl00d, but unlike part 1 and 2, which were serious and actually useful, it seems part 3 is not much short of marketing. I think only a low percentage of users would even use pinned sites.
All times are GMT -4. The time now is 02:06 AM.