HTTPS fingerprints mismatched

  • SpinRite v6.1 Release #3
    Guest:
    The 3rd release of SpinRite v6.1 is published and may be obtained by all SpinRite v6.0 owners at the SpinRite v6.1 Pre-Release page. (SpinRite will shortly be officially updated to v6.1 so this page will be renamed.) The primary new feature, and the reason for this release, was the discovery of memory problems in some systems that were affecting SpinRite's operation. So SpinRite now incorporates a built-in test of the system's memory. For the full story, please see this page in the "Pre-Release Announcements & Feedback" forum.
    /Steve.
  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in please checkout the “Tips & Tricks” page for some very handy tips!

    /Steve.
  • BootAble – FreeDOS boot testing freeware

    To obtain direct, low-level access to a system's mass storage drives, SpinRite runs under a GRC-customized version of FreeDOS which has been modified to add compatibility with all file systems. In order to run SpinRite it must first be possible to boot FreeDOS.

    GRC's “BootAble” freeware allows anyone to easily create BIOS-bootable media in order to workout and confirm the details of getting a machine to boot FreeDOS through a BIOS. Once the means of doing that has been determined, the media created by SpinRite can be booted and run in the same way.

    The participants here, who have taken the time to share their knowledge and experience, their successes and some frustrations with booting their computers into FreeDOS, have created a valuable knowledgebase which will benefit everyone who follows.

    You may click on the image to the right to obtain your own copy of BootAble. Then use the knowledge and experience documented here to boot your computer(s) into FreeDOS. And please do not hesitate to ask questions – nowhere else can better answers be found.

    (You may permanently close this reminder with the 'X' in the upper right.)

Ralph

Well-known member
Sep 24, 2020
235
100
I use the HPPTS fingerprints I get off GRC for a small number of sites. I keep the fingerprints in a simple text file for quick access. One of the sites I check every time is CoinBase.com For anyone unfamiliar with it, it is a cryptocurrency exchange- 100% legit and law abiding. I just did a fingerprint of coinbase.com and this is the output:

Domain NameCertificate NameEVSecurity Certificate's Authentic FingerprintClick to view complete certificate chain
coinbase.comcoinbase.comAC:21:4E:90:DE:42:B9:DF:EF:C1:84:46:8A:01:DA:8A:E1:24:98:53

The site's certificate shows:
11:7A:9E:53:1A:1A:84:1A:04:0A:B8:9E:A5:40:95:87:7A:3B:43:4D

It is interesting that for quite a while the site and GRC'c prints were the same. One day maybe 2 weeks ago the mismatch started and still continues. I am guessing that there is something between my computer and Coinbase, something between Coinbase and 'the world', or the most likely, my mistake.

While there has been discussion of how to find a mismatch, I don't think there was any information about what to do if one is found. I would be curious if someone else would fingerprint coinbase and see what fingerprint their certificate shows. If this is a real mismatch as I suspect what if anything can be done to work around it?
 
Here's what I get, same thing:
Domain NameCertificate NameEVSecurity Certificate's Authentic FingerprintClick to view complete certificate chain
coinbase.comcoinbase.comAC:21:4E:90:DE:42:B9:DF:EF:C1:84:46:8A:01:DA:8A:E1:24:98:53

Edit: Forgot to add that I too get the same fingerprint from the website.
 
Last edited:
CoinBase is a Cloudflare customer. You're going to get different results depending on how the Cloudflare service directs you, I presume.

Code:
nslookup:

Non-authoritative answer:
Name:    coinbase.com
Addresses:  2606:4700::6812:70a
          2606:4700::6812:60a
          104.18.6.10
          104.18.7.10

If I plunk 104.18.6.10 into a browser, I get:

PHolder2021Apr27_CloudflareProtectedIP.png
 
  • Like
Reactions: StevenW
Thanks to everyone who responded. The idea of Coinbase showing different fingerprints had crossed my mind, but so far I have limited knowledge about that. I have an account on Coinbase and for now I hesitate to log in just in case.

I will re-read the HTTPS fingerprint page, and if anyone has any links where I can learn more about multiple fingerprints I would greatly appreciate it. Until now I haven't had much reason to read up on this, but apparently the time has come to learn more. I am somewhat relieved that everyone who checked got the same fingerprint I did. At least whatever is going on is not limited to my computer.
 
So it being location base is out the window, but I'm reminded that Cloudflare had to something special to allow IE on XP (I might be wrong on Windows version). If that's going on, then the Fingerprint reader is using TLS settings that Cloudflare is just using a SSL 3.0 compatible cert.

And my site displays an error on the fingerprint site, so that may be the case.
 
What I haven't found yet is a way or place to find out if a site has multiple certificates. I am assuming there is a way to find out or else whenever you run across a fingerprint mismatch you can not be sure if it is an intercepted site or just one with multiple certificates. Eventually if I cannot find out how to check I may ask Steve. Thank you to everyone who replied! I do use Coinbase.com so my question is more than a theoretical question, and hopefully I and others who may have occasion to run into a mismatch will find this useful.
 
If the IE thing is correct, we need someone who is still running XP (and maybe Windows 7) to see if IE comes up with the same cert as Steve's checker. Or someone who knows enough info to fool CloudFlare's servers with OpenSSL's client into thinking we have those versions of IE (I assume it's the supported crypto sent to the servers that trigger what cert you see).
 
Out of curiosity I viewed Coinbase's certificate using the TOR browser running on Windows 10 and got the same 11:7A:9E:53:1A:1A:84:1A:04:0A:B8:9E:A5:40:95:87:7A:3B:43:4D fingerprint. An interesting idea about trying a different version of Windows. I will try logging in using Tails (Linux OS) and see what happens. I am checking the fingerprint right at the home page before entering any login info so at least in this case the cert is not related to any activity other than arriving at and loading their home page.
 
I haven't been in the forum for a while, but while away I logged into Coinbase a number of times. The fingerprint changed to an older one I already had on my list, not the one above. It 'seems' they have multiple certificates that change periodically. If it were randomly using one of a few certificates I would not expect the same one to pop up for weeks at a time as they have been.

This brings me back to the question, is there a way to find out if a site has multiple certificates. I just checked with GRC and the fingerprint shows as:
19:75:F9:3D:3C:87:EA:4E:10:32:E5:EE:10:DE:17:B7:62:4E:66:60 which has changed. I am beginning to think they have multiple certificates but there should be some way to find out or else any mismatch from any web site could be legit or not with no way to find out. I am still uneasy about this since this is a site where I do some business. Any further ideas would certainly be appreciated.
 
I haven't been in the forum for a while, but while away I logged into Coinbase a number of times. The fingerprint changed to an older one I already had on my list, not the one above. It 'seems' they have multiple certificates that change periodically. If it were randomly using one of a few certificates I would not expect the same one to pop up for weeks at a time as they have been.

This brings me back to the question, is there a way to find out if a site has multiple certificates. I just checked with GRC and the fingerprint shows as:
19:75:F9:3D:3C:87:EA:4E:10:32:E5:EE:10:DE:17:B7:62:4E:66:60 which has changed. I am beginning to think they have multiple certificates but there should be some way to find out or else any mismatch from any web site could be legit or not with no way to find out. I am still uneasy about this since this is a site where I do some business. Any further ideas would certainly be appreciated.
Putting the fingerpring inside icode /icode tags :D would help avoid smileys being placed where :D belongs, but that doesn't bother some of us for many reasons and does for other reasons. :D

[Moderator note: Sometimes the moderators fix these things when they see them too ;) ]
 
Last edited by a moderator: