The message EMET detected that the SSL certificate for *.facebook.com is not trusted is because the new Configure Certificate Trust – the FacebookCA rule is set to expire on 12/30/2021.
Updated 1 May 2021: You might also get Yahoo warnings as well because the Yahoo pinning rules are set to expire on 13 March 2021. Yahoo have also started to automatically use SSL (HTTPS) rather than plain HTTP on all their sites.
Facebook buttons and links are embedded in so many websites, that any user who has EMET 4.0 installed will get the alert when generally surfing the web. This alert does not mean in this particular case that there is a problem with Facebook or any hijack or divert is taking place. All this “EMET detected that the SSL certificate for *.facebook.com is not trusted” means is that the rule checking the certificates inside EMET has expired on 30 December 2021. It does not mean in this particular case that the Facebook SSL certificate has expired or that anybody is intercepting or diverting your secure SSL connection to Facebook.
Starting in EMET 4.0 there is a protection against SSL connection interceptions or diverts by Man in the middle attacks on a few of the most popular internet sites including Facebook.
Read this blog post that explains it in detail
SSL/TLS Certificate Trust features
EMET 4.0 allows users to configure a set of certificate pinning rules to validate digitally signed certificates (SSL/TLS certificates) while browsing with Internet Explorer. This option allows users to configure a set of rules able to match specific domains (through their SSL/TLS certificates) with the corresponding known Root Certificate Authority (RootCA) that issued the certificate. When EMET detects the variation of the issuing RootCA for a specific SSL certificate configured for a domain, it will report this anomaly as an indicator of a potential man-in-the-middle attack.
Advanced users can also add exceptions for each pinning rule. This will allow EMET to accept SSL/TLS certificates even if the pinning rule doesn’t match. Exceptions are related to some properties of the RootCA certificate, such as key size, hashing algorithm, and issuer country.
There are 3 cures to stop the EMET detected that the SSL certificate for *.facebook.com is not trusted alert message:
By far Cure 1 is the safest to do. All that option 2 does is delay the warning until the new date you set.
- Update EMET 4.0 to 4.1 by going to Microsoft EMET 4.1 download and download and install EMET 4.1. This installs over the top of EMET 4.0 and retains any specific rules and settings that you have configured yourself.
- Open up EMET 4.0, click on TRUST ( CONFIGURE CERTIFICATE TRUST) –> Click on the Pinning Rules Tab –> Under Rule Expiration for FacebookCA you can change the rule to expire next month or later and the message will go away. You can set it to when the YahooCA rule will expire on 3/13/2021 if you like and you won’t receive the message any longer. ( this just delays the warning for a further short period of time)
- Open up EMET 4.0, click on TRUST ( CONFIGURE CERTIFICATE TRUST) –> Click on the Protected Websites Tab –> Uncheck the box beside Facebook. ( this option is potentially unsafe, because it will remove the checking to see if your “secure” connection to Facebook has been tampered with )
It is hoped that Microsoft will build an auto updater for the rules inside EMET in a future version, so we don’t get alarming alerts like EMET detected that the SSL certificate for *.facebook.com is not trusted any longer. The whole idea of EMET is to protect you and alert you to potential dangers on your computer. Normally when you see EMET detected that the SSL certificate for *.facebook.com is not trusted, it would mean that somebody or something is interfering with or diverting your secure SSL connection to Facebook.
I sincerely hope that Microsoft issue a new rules update very quickly to avoid this happening again. If they don’t then in 3 months time on 13 March 2021 we will see the whole thing again with Yahoo, when those rules expire. The Yahoo rules expiry date is set to 13 March 2021 in the updated EMET 4.1 as well as on EMET 4.0
Update 1 May 2021: Microsoft have updated EMET 4.1 to EMET 4.1 Update 1 that fixes these minor bugs and added extra new functionality to EMET
You will also need to use this Microsoft Fixit to easily update the Pinning rules in EMET 4.1