EMET 5.2 certificate pinning does not work in Windows 10

  • Question

  • I cannot get EMET 5.2 certificate pinning to work in Windows 10.

    When I test EMET by pinning an incorrect Root CA certificate to the website, Windows 10 does not block website access like Windows 8.1 does.

    Has EMET certificate pinning been disabled in Windows 10? If so, has this functionality been superseded by a better technique?

    I have searched high and low, and this anecdotal reference is the only thing I can find:

    "Windows 10 does not use certificate pinning, means someone can easily apply a man-in-the-middle-attack for each Microsoft cloud-access for example"

    http://www.z80.eu/blog/index.php?entry=entry150804-200247

    ..... Para Dox


    • Edited by Para Dox Sunday, September 13, 2015 1:02 AM
    Saturday, September 12, 2015 10:35 PM

All replies

  • I partially resolved the problem.

    I noticed 'Event ID: 42' registered in the Event Log:

    "EMET detected that the SSL certificate for "www.mybank.com.au" is not trusted by the rule "My Custom Rule-MybankCA" associated with the domain "www.mybank.com.au"

    I had not checked the EMET checkboxes for "PublicKey Match" and "Blocking Rule".

    However, even when I check these checkboxes, then test using an incorrect Root CA certificate, it still only blocks access to the website and records Event ID 42 using IE11, but not when using Edge, Firefox, or Chrome browsers. This behavior is the same in both Windows 8.1 and Windows 10.

    Firefox and Chrome have the green light to indicate that they are running EMET. Edge does not have a green light even though it is configured to run EMET.

    Does anybody know how to get EMET certificate pinning to work using Edge, Firefox, or Chrome browsers?

    .... Para Dox

    • Edited by Para Dox Tuesday, September 15, 2015 7:48 AM
    Tuesday, September 15, 2015 7:42 AM
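The "PublicKey Match" option mentioned in the reply above pins the root CA's key rather than the whole certificate, which is why a re-issued root with the same key still satisfies the rule while a different root does not. The following is an added example, not code from this thread or from EMET: it models that distinction with a minimal DER walker over a constructed X.509 skeleton. `fake_root`, `ALG_PLACEHOLDER`, and the `KEY_A`/`KEY_B` byte strings are constructed placeholders, not real certificates or keys.

```python
import hashlib

def der(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def seq(*parts):
    return der(0x30, b"".join(parts))

def tlv(buf, pos):
    """Decode the TLV header at buf[pos]; return (tag, body_start, body_end)."""
    tag, n, hdr = buf[pos], buf[pos + 1], 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    return tag, pos + hdr, pos + hdr + n

def spki_of(cert_der):
    """Walk Certificate -> tbsCertificate and return the DER SubjectPublicKeyInfo."""
    _, s, _ = tlv(cert_der, 0)         # Certificate SEQUENCE
    _, pos, _ = tlv(cert_der, s)       # tbsCertificate SEQUENCE
    tag, _, end = tlv(cert_der, pos)
    if tag == 0xA0:                    # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                 # serial, signature, issuer, validity, subject
        _, _, pos = tlv(cert_der, pos)
    _, _, end = tlv(cert_der, pos)
    return cert_der[pos:end]

def public_key_pin(cert_der):          # 'PublicKey Match' style: hash the SPKI only
    return hashlib.sha256(spki_of(cert_der)).hexdigest()
def thumbprint(cert_der):              # whole-certificate fingerprint (changes on re-issue)
    return hashlib.sha1(cert_der).hexdigest()

def rule_blocks(root_der, pinned_spki_hashes):
    """Blocking Rule semantics: block the site unless the presented root's key is pinned."""
    return public_key_pin(root_der) not in pinned_spki_hashes

# Constructed X.509 skeleton: correct field order, placeholder contents (not a real cert).
ALG_PLACEHOLDER = seq(der(0x06, b"\x2a\x86\x48"))
def fake_root(serial, spki):
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, bytes([serial])),
              ALG_PLACEHOLDER, seq(), seq(), seq(), spki)
    return seq(tbs, ALG_PLACEHOLDER, der(0x03, b"\x00sig"))

KEY_A = seq(ALG_PLACEHOLDER, der(0x03, b"\x00" + b"A" * 64))   # constructed key bytes
KEY_B = seq(ALG_PLACEHOLDER, der(0x03, b"\x00" + b"B" * 64))   # constructed key bytes
ROOT_2015 = fake_root(1, KEY_A)        # the root the pinning rule was built from
ROOT_2016 = fake_root(2, KEY_A)        # same root re-issued with the same key
ROOT_OTHER = fake_root(3, KEY_B)       # an incorrect root, as in the asker's test
```

With a rule built from `ROOT_2015`'s key, `rule_blocks` passes `ROOT_2016` but blocks `ROOT_OTHER`, while the SHA-1 thumbprints of the two same-key roots differ.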
  • See page 28 of the EMET User Guide. As far as I know, Firefox does not use the Microsoft API but Chrome does.

    You're on your own with Edge.

    Wednesday, September 16, 2015 2:08 PM
    I just configured the registry in both Windows 10 and Windows 8.1 as per those instructions.

    It still does not work for either Microsoft Edge, Firefox, or Chrome browsers.

    The EMET manual does say that the API support for 3rd party browsers is still experimental. I guess we will have to wait until the next EMET release for Edge support. Firefox and Chrome support .... anybody's guess.

    Wednesday, September 16, 2015 10:07 PM