Page 3 of 3 FirstFirst 123
  1.    19 Feb 2015 #21
    Join Date : Feb 2014
    Posts : 472

    Going off on a bit of a tangent, but in addition to the above post, although the Ars Technica article says certificate pinning in Google Chrome will do nothing to alert users that something is amiss, IF you're techie minded and don't mind experimenting/reading up on headache inducing techie subjects, you could possibly use the Certificate Pinning feature in EMET 5.1 for the main websites that you care about logging into securely (If you use Internet Explorer). Details on Certificate Pinning can be found in the EMET User Guide (the 'Download' button HERE will give you the option to download the User Guide on it's own).

    With EMET Certificate Pinning you can manually add (pin) a root certificate to be used for a particular website. For example, I could tell it to only allow VeriSign root certificate (Serial Number:18DAD19E267DE8BB4A2158CDCC6B3B4A) for Although EMET wouldn't prevent me from visiting and using, if the certificate for that domain was signed by a different root certificate (such as Superfish), it should display a small notification in the bottom right corner of the screen telling me the root certificate is different to the one I specified.

    As an example, for the purpose of this post, in the below screenshot I specified a different root certificate in EMET to the one that was actually used to sign the current SSL certificate, and you can see the EMET warning in the bottom right notifying me of the certificate mismatch (which needs to be bigger really and a different colour, as it's too easy to miss on a big screen).

    Click image for larger version. 

Name:	EMET-Cert-Warning.jpg 
Views:	75 
Size:	124.7 KB 
ID:	12948

    Obviously, if you're being MITM'd, before specifying which root certificate to pin you need a way to check a websites certificate to know what the correct certificate should actually be. One way to do this is Steve Gibson has a lookup on his website ( that will show what the correct thumbprint for the website certificate should be. Bear in mind, these GRC thumbprints are for the website certificate, not the root certificate at the top of the tree which is what you actually specify in EMET. And also, as mentioned at the bottom of the GRC page, you still need to be vigilant because if the MITM is able to intercept your encrypted traffic, it could potentially also modify the GRC page contents. It's turtles all the way down... FYI, root certificate is shown in Certification Path tab.

    Click image for larger version. 

Name:	Root.jpg 
Views:	212 
Size:	42.7 KB 
ID:	12949

    Now, EMET Cert Pinning is way overkill and isn't something a normal user would do, as it's a manual process (which is a pain), you need to learn how to use it (which is a pain) and it also needs to be updated manually (which is a pain). Even I got fed up with manually updating it every time a certificate expired, so now-a-days I just set all the expiry dates to 2016. Therefore I only get notifications if the root certificate changes now. It's also not something that you can roll out to other users either because they'll just ignore the warning anyway. Now, if there was a way that Microsoft could automate certificate pinning in Windows 10 though, so that no user interaction is required...
    Last edited by ARC1020; 22 Feb 2015 at 04:36.
      My System SpecsSystem Spec

  2.    19 Feb 2015 #22
    Join Date : Jan 2014
    Carencro, LA 70520
    Posts : 7,368
    Windows 10
      My System SpecsSystem Spec

  3.    20 Feb 2015 #23
    Join Date : Feb 2014
    Posts : 472

    It appears Microsoft have now added Superfish / Visual Disc​overy to Windows Defender definitions:


    Click image for larger version. 

Name:	Defender.jpg 
Views:	163 
Size:	60.6 KB 
ID:	12971
      My System SpecsSystem Spec

  4.    24 Feb 2015 #24
    Join Date : Jan 2014
    Walnut Beach, Milford, Ct
    Posts : 16,392
    Win10 Pro / Remix 3.0

    Lenovo is facing legal repercussions over the Superfish software.
    Lenovo hit by lawsuit over Superfish adware - CNET
      My System SpecsSystem Spec

  5.    25 Feb 2015 #25
    Join Date : Feb 2015
    Left coast but not a progressive liberal
    Posts : 964
    dual boot W10 10586th2/14291 rs1 Win. Insider since Jan. 2015

    I read (somewhere ) today or yesterday Lenovo is going to start emphasizing clean PC's *something kinda like Microsoft signature PC's in their marketing . ofc nothing beats a clean install on a new box ☺
      My System SpecsSystem Spec

  6.    27 Feb 2015 #26
    Join Date : Feb 2014
    Posts : 472

    It looks like from today Ten Forums have HTTPS throughout their site with an EV cert now. No idea who this 'Superfish' CA is though... I'm joking!!!

    Click image for larger version. 

Name:	Supafisssssh.jpg 
Views:	40 
Size:	226.5 KB 
ID:	13407
      My System SpecsSystem Spec

Page 3 of 3 FirstFirst 123

Similar Threads
Thread Forum
Update breaks Bluetooth.
Don't know if anyone else has suffered this problem, but an update earlier today (Toshiba RFBUS) has broken Bluetooth on my PC. Bluetooth is showing (without errors) in Device Manager but it does not work. A search for 'bluetooth settings' in Win...
Drivers and Hardware
Will Windows 10 Ship With Outlook?
I have read in a couple of different places that Windows 10 will ship with Outlook straight out of the box. If this is true, then there will be no incentive for me to buy Microsoft Office Professional. Does anybody know if this is true. ...
Software and Apps
1rst Try at Clean Install of 10122 breaks bootloader of Win 7
Have been dual booting Win 7 and Win 10 previews on two Samsung ssd's. I've had no problem with updating each build then extracting the Iso with ESD to Iso then doing a clean install until the switch from 10074 to 10122. Let it update on fast...
Installation and Setup
10061 No graphics, now black screen w/ cursor in middle @ startup
Hi I just installed build 10061 on my laptop, after creating an ISO from the ESD file downloaded in the update and using it to make a clean install, when it rebooted and I went through OOBE, i then obviously went to install drivers, but when...
Drivers and Hardware
Windows 10 Preview Won't Ship to Standard Users
Windows 10 News
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 01:50.
Find Us
Twitter Facebook Google+

Windows 10 Forums