EMET 4 popup about login.live.com
EMET 4.0 Beta detects that the SSL certificate for login.live.com is not trusted by the rule "MSTrustedCA" associated with the domain "login.live.com."
Is there legitimately a problem with login.live.com?! It seems to me that an authentication point for Microsoft services should not be having this kind of trouble. Or, if it is, it should be publicized.
August 16th, 2013 11:24pm
I have experienced the same issue. Something wrong with Microsoft website certs?
August 21st, 2013 1:55am
EMET detected that the SSL certificate for "login.live.com" is not trusted by the rule "MSTrustedCA" associated with the domain "login.live.com"
August 27th, 2013 5:42pm
Same problem here with www.facebook.com, FacebookCA and *.facebook.com.
December 30th, 2013 2:12pm
I notice that my Facebook Pinning Rule in Trusts expired today (30-Dec-2013)... perhaps you're getting the message for the same reason I am.
Scott
Seattle, WA, USA
- Proposed as answer by n_d, Tuesday, December 31, 2013 2:26 PM
December 31st, 2013 3:52am
So I just extend the rule? Or do I need to check the certificate or CA?
There are 17 certificates pinned for Facebook.
If I have to manually check the thumbprint / expiry (there is no drill down) that is not very ple
December 31st, 2013 5:16pm
Yes, that was exactly the reason. Thanks, Scott! For now I extended the date to 3/1/14. Currently I'm not sure: Will Microsoft update EMET rules with Windows Update for the future, or do I have to update them manually from time to time?
December 31st, 2013 5:26pm
I don't have any idea when or how the EMET team updates this list. I hope there's an update (Windows Update?) soon. I'm not an EMET expert, but based on what I do know I'm a big fan of it, and it seems strange that the EMET team would allow this to happen with no explanation and no good help available.
So... EMET Team... hook us up with some wisdom, please. :-)
January 2nd, 2014 4:25am
First: Please update your Beta to the latest version, which is 4.1 now.
With Pinning rules that employ PublicKey Match, this problem can still occur on a first-time visit because the Windows Trusted Root Store has to be loaded with the Certificates before the rule works. You can avoid this by preloading machines with the CA certificates being used in such rules.
January 7th, 2014 2:02pm