SSL Certificates

Geffers

Linux enthusiast
Joined
1 Jul 2021
Messages
421 (0.39/day)
When I do online financial transactions I usually check the https padlock. Click on it at it tells you connection is secure (assuming it is), more info gives gives the Certificate Authority. Even more information enables the certificate to be viewed.

Now a whole host of info becomes available, sha256 and sha-1 fingerprints, subject and authority key IDs.

Without getting paranoid (maybe am already) what can one further check with this data? I use sha256 to verify certain download images but absolutely no idea what the sha fingerprints are and how of if they can be checked.

Any suggestions appreciated.

Geffers
Just coz I am paraoid don't mean they are not out to get me
 

Retro

Founder
Staff Member
Joined
4 Jun 2021
Messages
4,949 (4.44/day)
This is a very good and justifiably paranoid question. I'll give you a full reply later when I get a moment.
 

Geffers

Linux enthusiast
Joined
1 Jul 2021
Messages
421 (0.39/day)
Retro, you mentioned a web site for checking ssl certificates. https://www.grc.com/fingerprints.htm

Tried two bank sites and on both reported that it gave up after 10 seconds.

Geffers
Further to my comment, cahoot (Santander) I get a fingerprint but smile (co-op) it keeps throwing up an error.

On reflection, does this site prove anything? It seems it is merely reading the fingerprint off the certificate which one can do anyway by clicking the padlock then more info,

Geffers
 
Last edited:

Retro

Founder
Staff Member
Joined
4 Jun 2021
Messages
4,949 (4.44/day)
Yes, that GRC page gives the fingerprints of a few well known sites to detect a man in the middle attack that we were talking about.

The public / private key pair that generates the SSL cert cannot be easily replicated (the core of public / private key cryptography), hence the SSL fingerprint will change if an MITM attack is happening. Knowing the correct value beforehand is the only way to know that comms aren't being intercepted. Seeing the padlock isn't enough! Check those examples on grc against what you're browser shows and you should see that they match.
 

Geffers

Linux enthusiast
Joined
1 Jul 2021
Messages
421 (0.39/day)
Yes, that GRC page gives the fingerprints of a few well known sites to detect a man in the middle attack that we were talking about.

The public / private key pair that generates the SSL cert cannot be easily replicated (the core of public / private key cryptography), hence the SSL fingerprint will change if an MITM attack is happening. Knowing the correct value beforehand is the only way to know that comms aren't being intercepted. Seeing the padlock isn't enough! Check those examples on grc against what you're browser shows and you should see that they match.
There is a text bar below the examples which allows one to enter your own URL. I tried two banks, one gives fingerprint, the other keeps giving errors, tried various URLs associated with same domain name but all throw up an error.

Geffers
 

Retro

Founder
Staff Member
Joined
4 Jun 2021
Messages
4,949 (4.44/day)
Those errors are odd. I can have a quick look if you like, see what I can figure out? If those links are a bit confidential, then you can pm them to me, perhaps?
 

Geffers

Linux enthusiast
Joined
1 Jul 2021
Messages
421 (0.39/day)
Further to my mention of smile bank (aka Co-op) not appearing to work a domain I use for practice purposes does not show on Gibson's site either.

https://xr850.online ..
https://casper.xr850.online ..(Retro will like this one)

Both have a LetsEncrypt certificate, neither show on Gibson's site.

Geffers
 

Retro

Founder
Staff Member
Joined
4 Jun 2021
Messages
4,949 (4.44/day)
https://casper.xr850.online ..(Retro will like this one)
Yeah, yer right. Meow! ❤️

I think the error may be happening because of a site redirect - do you have it on that domain? I get the same error with nerdzone.uk and there's a site redirect there that's from the site hosting. Therefore, grc is technically right, because the original URL that one enters into the browser doesn't have an SSL cert as it immediatey redirects. If I try xenforo.com, the home of the software that underpins this site, then that does return a fingerprint since there's no redirect on that.
 

Retro

Founder
Staff Member
Joined
4 Jun 2021
Messages
4,949 (4.44/day)
Interestingly, letsencrypt.org generates this error too and of course, has a Let's Encrypt cert. It's like microsoft.com having a Microsoft cert. We have to take them on trust they are who they say they are since they're cert signing authorities. microsoft.com doesn't generate the grc error.
 

Retro

Founder
Staff Member
Joined
4 Jun 2021
Messages
4,949 (4.44/day)
Do you have a redirect on your xr850.online domain?

Just put the URLs into that field:

letsencrypt.org
microsoft.com
 

Geffers

Linux enthusiast
Joined
1 Jul 2021
Messages
421 (0.39/day)
No redirects, my domain and I set the DNS settings.

Misunderstood, thought the way you explained it that microsoft and letsencrypt had their own methods of checking fingerprints.

Geffers
 
Back
Top Bottom