HTTPS fingerprints mismatched


Ralph

Member
Sep 24, 2020
17
3
I use the HTTPS fingerprints I get off GRC for a small number of sites. I keep the fingerprints in a simple text file for quick access. One of the sites I check every time is CoinBase.com. For anyone unfamiliar with it, it is a cryptocurrency exchange, 100% legit and law abiding. I just did a fingerprint of coinbase.com and this is the output:

Domain Name | Certificate Name | EV | Security Certificate's Authentic Fingerprint
coinbase.com | coinbase.com | | AC:21:4E:90:DE:42:B9:DF:EF:C1:84:46:8A:01:DA:8A:E1:24:98:53

The site's certificate shows:
11:7A:9E:53:1A:1A:84:1A:04:0A:B8:9E:A5:40:95:87:7A:3B:43:4D

It is interesting that for quite a while the site's and GRC's prints were the same. One day maybe 2 weeks ago the mismatch started and still continues. I am guessing that there is something between my computer and Coinbase, something between Coinbase and 'the world', or, the most likely, my mistake.

While there has been discussion of how to find a mismatch, I don't think there was any information about what to do if one is found. I would be curious if someone else would fingerprint coinbase and see what fingerprint their certificate shows. If this is a real mismatch, as I suspect, what, if anything, can be done to work around it?
 

Tazz

Not my real name.
Sep 18, 2020
62
20
Nova Scotia, Canada
Here's what I get, same thing:
Domain Name | Certificate Name | EV | Security Certificate's Authentic Fingerprint
coinbase.com | coinbase.com | | AC:21:4E:90:DE:42:B9:DF:EF:C1:84:46:8A:01:DA:8A:E1:24:98:53

Edit: Forgot to add that I too get the same fingerprint from the website.
 

PHolder

Well-known member
Sep 16, 2020
737
2
356
Ontario, Canada
CoinBase is a Cloudflare customer. You're going to get different results depending on how the Cloudflare service directs you, I presume.

Code:
nslookup:

Non-authoritative answer:
Name:    coinbase.com
Addresses:  2606:4700::6812:70a
          2606:4700::6812:60a
          104.18.6.10
          104.18.7.10

If I plunk 104.18.6.10 into a browser, I get:

[Image: PHolder2021Apr27_CloudflareProtectedIP.png]
 

Ralph

Member
Sep 24, 2020
17
3
Thanks to everyone who responded. The idea of Coinbase showing different fingerprints had crossed my mind, but so far I have limited knowledge about that. I have an account on Coinbase and for now I hesitate to log in just in case.

I will re-read the HTTPS fingerprint page, and if anyone has any links where I can learn more about multiple fingerprints I would greatly appreciate it. Until now I haven't had much reason to read up on this, but apparently the time has come to learn more. I am somewhat relieved that everyone who checked got the same fingerprint I did. At least whatever is going on is not limited to my computer.
 

miquelfire

I like red!
Sep 26, 2020
51
5
www.miquelfire.red
So it being location-based is out the window, but I'm reminded that Cloudflare had to do something special to allow IE on XP (I might be wrong on the Windows version). If that's going on, then the fingerprint reader is using TLS settings such that Cloudflare is just using an SSL 3.0 compatible cert.

And my site displays an error on the fingerprint site, so that may be the case.
 

Ralph

Member
Sep 24, 2020
17
3
What I haven't found yet is a way or place to find out if a site has multiple certificates. I am assuming there is a way to find out, or else whenever you run across a fingerprint mismatch you cannot be sure if it is an intercepted site or just one with multiple certificates. Eventually, if I cannot find out how to check, I may ask Steve. Thank you to everyone who replied! I do use Coinbase.com, so my question is more than a theoretical question, and hopefully I and others who may have occasion to run into a mismatch will find this useful.
 

miquelfire

I like red!
Sep 26, 2020
51
5
www.miquelfire.red
If the IE thing is correct, we need someone who is still running XP (and maybe Windows 7) to see if IE comes up with the same cert as Steve's checker. Or someone who knows enough info to fool Cloudflare's servers with OpenSSL's client into thinking we have those versions of IE (I assume it's the supported crypto sent to the servers that triggers what cert you see).
 

Ralph

Member
Sep 24, 2020
17
3
Out of curiosity I viewed Coinbase's certificate using the TOR browser running on Windows 10 and got the same 11:7A:9E:53:1A:1A:84:1A:04:0A:B8:9E:A5:40:95:87:7A:3B:43:4D fingerprint. An interesting idea about trying a different version of Windows. I will try logging in using Tails (Linux OS) and see what happens. I am checking the fingerprint right at the home page before entering any login info so at least in this case the cert is not related to any activity other than arriving at and loading their home page.
 

Ralph

Member
Sep 24, 2020
17
3
I haven't been in the forum for a while, but while away I logged into Coinbase a number of times. The fingerprint changed to an older one I already had on my list, not the one above. It 'seems' they have multiple certificates that change periodically. If it were randomly using one of a few certificates I would not expect the same one to pop up for weeks at a time as they have been.

This brings me back to the question: is there a way to find out if a site has multiple certificates? I just checked with GRC and the fingerprint shows as:
19:75:F9:3D:3C:87:EA:4E:10:32:E5:EE:10:DE:17:B7:62:4E:66:60 which has changed. I am beginning to think they have multiple certificates but there should be some way to find out or else any mismatch from any web site could be legit or not with no way to find out. I am still uneasy about this since this is a site where I do some business. Any further ideas would certainly be appreciated.
 

danlock

Well-known member
Sep 30, 2020
159
53
USA
> I haven't been in the forum for a while, but while away I logged into Coinbase a number of times. The fingerprint changed to an older one I already had on my list, not the one above. It 'seems' they have multiple certificates that change periodically. If it were randomly using one of a few certificates I would not expect the same one to pop up for weeks at a time as they have been.
>
> This brings me back to the question, is there a way to find out if a site has multiple certificates. I just checked with GRC and the fingerprint shows as:
> 19:75:F9:3D:3C:87:EA:4E:10:32:E5:EE:10:DE:17:B7:62:4E:66:60 which has changed. I am beginning to think they have multiple certificates but there should be some way to find out or else any mismatch from any web site could be legit or not with no way to find out. I am still uneasy about this since this is a site where I do some business. Any further ideas would certainly be appreciated.
Putting the fingerprint inside icode /icode tags :D would help avoid smileys being placed where :D belongs, but that doesn't bother some of us for many reasons and does for other reasons. :D

[Moderator note: Sometimes the moderators fix these things when they see them too ;) ]
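
An added example (not written by any poster in this thread) of one way to check whether a name serves more than one certificate: it connects to each address the name resolves to, like the four in the nslookup output above, and groups the addresses by certificate fingerprint. It assumes the 20-byte fingerprints quoted in the thread are SHA-1 digests of the DER-encoded certificate; the function names are illustrative, and the result only reflects the certificate offered to this client's TLS settings.

```python
import hashlib
import socket
import ssl
import sys


def fingerprint(der: bytes) -> str:
    """SHA-1 over the DER certificate, colon-separated upper-case hex."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def fetch_leaf_der(host: str, ip: str, port: int = 443) -> bytes:
    """Connect to one specific address, send `host` as SNI, return the leaf cert."""
    ctx = ssl.create_default_context()  # chain and hostname are still validated
    with socket.create_connection((ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def group_by_fingerprint(certs_by_ip: dict) -> dict:
    """Map each fingerprint to the sorted list of addresses that served it."""
    seen = {}
    for ip, der in certs_by_ip.items():
        seen.setdefault(fingerprint(der), []).append(ip)
    return {fp: sorted(ips) for fp, ips in seen.items()}


def classify(seen: dict, saved: set) -> dict:
    """Split observed fingerprints into those on the saved list and new ones."""
    return {"known": sorted(set(seen) & saved), "new": sorted(set(seen) - saved)}


def survey(host: str, port: int = 443) -> dict:
    """Fetch the certificate from every address the name resolves to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    certs = {}
    for ip in sorted({info[4][0] for info in infos}):
        try:
            certs[ip] = fetch_leaf_der(host, ip, port)
        except OSError as exc:  # unreachable address or failed validation
            print(f"{ip}: {exc}", file=sys.stderr)
    return group_by_fingerprint(certs)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: script.py HOST [SAVED_FINGERPRINT ...]
        seen = survey(sys.argv[1])
    else:  # offline demo on constructed placeholder bytes, not real certificates
        seen = group_by_fingerprint({"192.0.2.1": b"cert-A", "192.0.2.2": b"cert-A",
                                     "192.0.2.3": b"cert-B"})
    print(seen, classify(seen, set(sys.argv[2:])))
```

A fingerprint reported under "new" is not proof of interception; a certificate that fails validation in `fetch_leaf_der` is the stronger signal, and it is printed to stderr rather than grouped.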