Plugin for EmetRules: Now, easier to use

lunes, 14 de diciembre de 2015

EmetRules is a simple tool we created two years ago. Not meant to change the world, it was a first incursion in certificate pinning universe, and intended to ease one of the harder-to-use-features of EMET: pinning. We have developed now an easy plugin for Internet Explorer that uses EmetRules, so pinning with EMET is easier than ever. Let’s see how it works.

Internet Explorer is one the only (main) browser not supporting HPKP yet. In fact, is the browser with fewer options to pin certificates in general. EMET included a few versions ago a feature for pinning, but it was indeed complicated and tricky to use. So we created a simple tool called EmetRules to pin lots of domains at once.

EmetRules counts with some fans. So we have created a very simple plugin for calling EmetRules from the browser itself, so it is even easier to pin a domain. Just visit it, and click a button. The domain will go to EMET configuration and will be pinned there

EmetRules itself has been updated to support being called directly from Internet Explorer, just adding a new option. To better explain it, a few screenshots of how it works:
  • Visit the domain you want to pin with Internet Explorer.

Visit the domain you want to pin
  • Click on the icon in the bar, or right click somewhere on the webpage and "Pin with EmetRules"
Use the icon or the entry in the right click menu
  • The first time you use it, a warning signal will appear. It is ok as long as the program is signed by us. This means the operative system is telling you an external program is being called from somewhere inside a web and wants to go out from the protected mode (is going to be launched in medium integrity level instead of low).
Warning about executing a file from the browser
Now it on depends on the "traditional" EmetRules. A command window will be launched, it will fetch the certificate for you, build an XML file and feed EMET.
  • If you are an "admin and not an admin" (you are using UAC), an UAC dialog will prompt, since inserting domains in EMET needs administrator privileges.
  • If everything is ok, the domain will appear in EMET pinning panel.
The domain is finally pinned in EMET

If you want to modify default settings, just modify the html file (JavaScript) in the installation directory.

 Hope you enjoy it. The new version may be downloaded from here.

No hay comentarios:

Publicar un comentario en la entrada