Microsoft later this month will release a new version of its EMET protection tool, and this iteration will include a certificate pinning feature that will enable users to associate a specific certificate with a given certificate authority. The feature is designed a defense against man-in-the-middle attacks that use forged certificates to redirect users or intercept protected traffic.
EMET is a toolkit designed specifically to help prevent certain kinds of exploits from working on protected applications. For example, users can deploy EMET to get the advantages of DEP or ASLR in applications that were not compiled with those exploit mitigations enabled. The new version of EMET is due May 28 and is beta trim right now. The addition of certificate pinning is a significant one, although the feature only works by default when users are browsing with Internet Explorer.
Certificate pinning is a technique that can be used as a defense against attacks that take advantage of users’ trust in certificates and CAs, a trust that has been exploited many, many times in recent years. The compromises of Comodo, DigiNotar and other CAs have exposed the cracks in the CA infrastructure that have been there since its inception but rarely are noticed by anyone outside of the immediate vicinity. Attackers have discovered ways to issue fraudulent certificates to themselves for various important sites, notably Google, Mozilla, Yahoo and others.
Some of those attacks would not have been as damaging as they were if the users on the other end of the Web connection from the fake certificates had certificate pinning available. That defense would have allowed users to pin the Google SSL certificate to the Google Internet Authority, which issues the company’s legitimate certificates. EMET, which is meant as an enterprise tool, can help organizations fix that situation.
“EMET 4.0 comes with Certificate Trust enabled by default, including a set of pre-configured websites for the most common domains used by Microsoft online services; nevertheless, since we believe that certificate pinning is a useful tool to detect MITM attacks targeting any domain and not just Microsoft services, we designed Certificate Trust totally configurable, in order to allow any user to configure custom pinning rules that will be enforced when browsing the web with Internet Explorer,” Elia Florio of Microsoft wrote.
Read more: http://threatpost.com/microsoft-emet-4-0-enables-certificate-pinning-to-defeat-mitm-attacks/
