Internet Explorer is one of the only (main) browsers not supporting HPKP yet. In fact, it is the browser with the fewest options for pinning certificates in general. EMET added a pinning feature a few versions ago, but it was complicated and tricky to use. So we created a simple tool called EmetRules to pin lots of domains at once.
EmetRules has some fans, so we have created a very simple plugin for calling EmetRules from the browser itself, making it even easier to pin a domain. Just visit it and click a button. The domain will be added to the EMET configuration and pinned there.
EmetRules itself has been updated to support being called directly from Internet Explorer, by adding a new option. To better explain it, here are a few screenshots of how it works:
- Visit the domain you want to pin with Internet Explorer.
[Screenshot: Visit the domain you want to pin]
- Click on the icon in the bar, or right-click somewhere on the webpage and choose “Pin with EmetRules”.
[Screenshot: Use the icon or the entry in the right-click menu]
- The first time you use it, a warning will appear. It is ok as long as the program is signed by us. The warning means the operating system is telling you that an external program is being called from inside a web page and wants to leave Protected Mode (it is going to be launched at medium integrity level instead of low).
[Screenshot: Warning about executing a file from the browser]
From here on, it depends on the “traditional” EmetRules. A command window will be launched; it will fetch the certificate for you, build an XML file and feed it to EMET.
- If you are an “admin and not an admin” (you are using UAC), a UAC dialog will appear, since inserting domains in EMET needs administrator privileges.
- If everything is ok, the domain will appear in the EMET pinning panel.
[Screenshot: The domain is finally pinned in EMET]
If you want to modify the default settings, just edit the HTML file (JavaScript) in the installation directory.
Hope you enjoy it. The new version may be downloaded from here.