#20
Going off on a bit of a tangent, but in addition to the above post, although the Ars Technica article says certificate pinning in Google Chrome will do nothing to alert users that something is amiss, IF you're techie-minded and don't mind experimenting/reading up on headache-inducing techie subjects, you could possibly use the Certificate Pinning feature in EMET 5.1 for the main websites that you care about logging into securely (if you use Internet Explorer). Details on Certificate Pinning can be found in the EMET User Guide (the 'Download' button HERE will give you the option to download the User Guide on its own).
With EMET Certificate Pinning you can manually add (pin) a root certificate to be used for a particular website. For example, I could tell it to only allow the VeriSign root certificate (Serial Number: 18DAD19E267DE8BB4A2158CDCC6B3B4A) for signin.ebay.co.uk. Although EMET wouldn't prevent me from visiting and using signin.ebay.co.uk, if the certificate for that domain was signed by a different root certificate (such as Superfish), it should display a small notification in the bottom right corner of the screen telling me the root certificate is different to the one I specified.
As an example, for the purpose of this post, in the below screenshot I specified a different root certificate in EMET to the one that was actually used to sign the current signin.ebay.co.uk SSL certificate, and you can see the EMET warning in the bottom right notifying me of the certificate mismatch (which needs to be bigger really and a different colour, as it's too easy to miss on a big screen).
Obviously, if you're being MITM'd, before specifying which root certificate to pin you need a way to check a website's certificate to know what the correct certificate should actually be. One way to do this is Steve Gibson's lookup on his website (https://www.grc.com/fingerprints.htm), which will show what the correct thumbprint for the website certificate should be. Bear in mind, these GRC thumbprints are for the website certificate, not the root certificate at the top of the tree, which is what you actually specify in EMET. And also, as mentioned at the bottom of the GRC page, you still need to be vigilant because if the MITM is able to intercept your encrypted traffic, it could potentially also modify the GRC page contents. It's turtles all the way down... FYI, the root certificate is shown in the Certification Path tab.
Now, EMET Cert Pinning is way overkill and isn't something a normal user would do, as it's a manual process (which is a pain), you need to learn how to use it (which is a pain) and it also needs to be updated manually (which is a pain). Even I got fed up with manually updating it every time a certificate expired, so nowadays I just set all the expiry dates to 2016. Therefore I only get notifications if the root certificate changes now. It's also not something that you can roll out to other users either, because they'll just ignore the warning anyway. Now, if there was a way that Microsoft could automate certificate pinning in Windows 10 though, so that no user interaction is required...
Last edited by ARC1020; 22 Feb 2015 at 04:36.
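The check the post describes (pin the root certificate at the top of the Certification Path, then compare the root actually presented against it, while the GRC page only gives you the leaf thumbprint) can be scripted outside EMET. The following is an added example, not code from the post or from EMET, and it assumes Windows PowerShell 5 or later with the .NET `SslStream` and `X509Chain` classes available. The pinned thumbprint is a placeholder to be filled in from the Certification Path tab of a known-good certificate; `signin.ebay.co.uk` is the host the post uses and `Get-SiteCertificateChain`/`Test-PinnedRoot` are names chosen here.

```powershell
# Added example, not part of the forum post or of EMET. It performs the same check that EMET
# Certificate Pinning makes: fetch the site's certificate chain and compare the thumbprint of
# the ROOT certificate (top of the Certification Path tab) against a value pinned in advance.
# The pinned thumbprint is a PLACEHOLDER; fill it in from a known-good chain, as the post says.

$PinnedRoots = @{
    'signin.ebay.co.uk' = 'PLACEHOLDER_ROOT_SHA1_THUMBPRINT'   # replace with the real root thumbprint
}

function Get-SiteCertificateChain {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake so the chain can be inspected even when
        # the OS check fails; the pinning decision is made below, not by this callback.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }

    # Build the chain against the local trust store. ChainElements[0] is the leaf (what the
    # GRC fingerprint page shows); the last element is the root (what EMET pins against).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($leaf)
    return $chain.ChainElements | ForEach-Object { $_.Certificate }
}

function Test-PinnedRoot {
    param([Parameter(Mandatory)][string]$HostName)

    $certs    = @(Get-SiteCertificateChain -HostName $HostName)
    $leaf     = $certs[0]
    $root     = $certs[-1]
    $expected = $PinnedRoots[$HostName]

    [pscustomobject]@{
        Host           = $HostName
        LeafThumbprint = $leaf.Thumbprint      # leaf thumbprint: what GRC lists, NOT what you pin
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint      # root thumbprint: the value to pin
        Expected       = $expected
        RootMatchesPin = [bool]($expected -and ($root.Thumbprint -ieq $expected))
        LeafExpires    = $leaf.NotAfter        # leaf expiry; the root pin survives leaf renewals
    }
}

# Usage: check every pinned site and flag a root mismatch loudly rather than in a corner notification.
foreach ($site in $PinnedRoots.Keys) {
    $result = Test-PinnedRoot -HostName $site
    if (-not $result.RootMatchesPin) {
        Write-Warning "ROOT CERTIFICATE MISMATCH for $site : got $($result.RootSubject) ($($result.RootThumbprint))"
    }
    $result
}
```

Because the comparison is on the root rather than the leaf, a routine renewal of the site certificate does not trigger the warning; only a change of issuing root (the Superfish case the post describes) does, which is the same reason the post's author stopped tracking leaf expiry dates. The first run against a known-clean machine is the one you use to record the root thumbprint in `$PinnedRoots`.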