SSL Certificates

Geffers · 30 Apr 2024

When I do online financial transactions I usually check the https padlock. Click on it at it tells you connection is secure (assuming it is), more info gives gives the Certificate Authority. Even more information enables the certificate to be viewed.

Now a whole host of info becomes available, sha256 and sha-1 fingerprints, subject and authority key IDs.

Without getting paranoid (maybe am already) what can one further check with this data? I use sha256 to verify certain download images but absolutely no idea what the sha fingerprints are and how of if they can be checked.

Any suggestions appreciated.

Geffers
Just coz I am paraoid don't mean they are not out to get me

Retro · 30 Apr 2024

This is a very good and justifiably paranoid question. I'll give you a full reply later when I get a moment.

Geffers · 3 May 2024

Retro, you mentioned a web site for checking ssl certificates.

GRC | SSL TLS HTTPS Web Server Certificate Fingerprints

GRC's HTTPS Web Server Certificate Fingerprint Service

www.grc.com

Tried two bank sites and on both reported that it gave up after 10 seconds.

Geffers

Geffers · 4 May 2024

Geffers said:
Retro, you mentioned a web site for checking ssl certificates. https://www.grc.com/fingerprints.htm

Tried two bank sites and on both reported that it gave up after 10 seconds.

Geffers

Further to my comment, cahoot (Santander) I get a fingerprint but smile (co-op) it keeps throwing up an error.

On reflection, does this site prove anything? It seems it is merely reading the fingerprint off the certificate which one can do anyway by clicking the padlock then more info,

Geffers

Retro · 4 May 2024

Yes, that GRC page gives the fingerprints of a few well known sites to detect a man in the middle attack that we were talking about.

The public / private key pair that generates the SSL cert cannot be easily replicated (the core of public / private key cryptography), hence the SSL fingerprint will change if an MITM attack is happening. Knowing the correct value beforehand is the only way to know that comms aren't being intercepted. Seeing the padlock isn't enough! Check those examples on grc against what you're browser shows and you should see that they match.

Geffers · 4 May 2024

Retro said:
Yes, that GRC page gives the fingerprints of a few well known sites to detect a man in the middle attack that we were talking about.

The public / private key pair that generates the SSL cert cannot be easily replicated (the core of public / private key cryptography), hence the SSL fingerprint will change if an MITM attack is happening. Knowing the correct value beforehand is the only way to know that comms aren't being intercepted. Seeing the padlock isn't enough! Check those examples on grc against what you're browser shows and you should see that they match.

There is a text bar below the examples which allows one to enter your own URL. I tried two banks, one gives fingerprint, the other keeps giving errors, tried various URLs associated with same domain name but all throw up an error.

Geffers

Retro · 4 May 2024

Those errors are odd. I can have a quick look if you like, see what I can figure out? If those links are a bit confidential, then you can pm them to me, perhaps?

Geffers · 4 May 2024

Further to my mention of smile bank (aka Co-op) not appearing to work a domain I use for practice purposes does not show on Gibson's site either.

https://xr850.online ..
https://casper.xr850.online ..(Retro will like this one)

Both have a LetsEncrypt certificate, neither show on Gibson's site.

Geffers

Retro · 4 May 2024

Geffers said:
https://casper.xr850.online ..(Retro will like this one)

Yeah, yer right. Meow!

I think the error may be happening because of a site redirect - do you have it on that domain? I get the same error with nerdzone.uk and there's a site redirect there that's from the site hosting. Therefore, grc is technically right, because the original URL that one enters into the browser doesn't have an SSL cert as it immediatey redirects. If I try xenforo.com, the home of the software that underpins this site, then that does return a fingerprint since there's no redirect on that.

Retro · 4 May 2024

Interestingly, letsencrypt.org generates this error too and of course, has a Let's Encrypt cert. It's like microsoft.com having a Microsoft cert. We have to take them on trust they are who they say they are since they're cert signing authorities. microsoft.com doesn't generate the grc error.

Geffers · 4 May 2024

How do you check it on letsencrypt and Microsoft?

Geffers

Retro · 4 May 2024

Do you have a redirect on your xr850.online domain?

Just put the URLs into that field:

letsencrypt.org
microsoft.com

Geffers · 4 May 2024

No redirects, my domain and I set the DNS settings.

Misunderstood, thought the way you explained it that microsoft and letsencrypt had their own methods of checking fingerprints.

Geffers

SSL Certificates

Geffers

Linux enthusiast

Retro

Founder

Geffers

Linux enthusiast

GRC | SSL TLS HTTPS Web Server Certificate Fingerprints

Geffers

Linux enthusiast

Retro

Founder

Geffers

Linux enthusiast

Retro

Founder

Geffers

Linux enthusiast

Retro

Founder

Retro

Founder

Geffers

Linux enthusiast

Retro

Founder

Geffers

Linux enthusiast

We value your privacy