HTTPS fingerprints mismatched


Ralph

Member
Sep 24, 2020
5
0
I use the HTTPS fingerprints I get off GRC for a small number of sites. I keep the fingerprints in a simple text file for quick access. One of the sites I check every time is CoinBase.com. For anyone unfamiliar with it, it is a cryptocurrency exchange, 100% legit and law abiding. I just did a fingerprint of coinbase.com and this is the output:

Domain Name | Certificate Name | EV | Security Certificate's Authentic Fingerprint
coinbase.com | coinbase.com | | AC:21:4E:90:DE:42:B9:DF:EF:C1:84:46:8A:01:DA:8A:E1:24:98:53

The site's certificate shows:
11:7A:9E:53:1A:1A:84:1A:04:0A:B8:9E:A5:40:95:87:7A:3B:43:4D

It is interesting that for quite a while the site's and GRC's prints were the same. One day maybe 2 weeks ago the mismatch started and still continues. I am guessing that there is something between my computer and Coinbase, something between Coinbase and 'the world', or, the most likely, my mistake.

While there has been discussion of how to find a mismatch, I don't think there was any information about what to do if one is found. I would be curious if someone else would fingerprint coinbase and see what fingerprint their certificate shows. If this is a real mismatch, as I suspect, what, if anything, can be done to work around it?
 

Tazz

Not my real name.
Sep 18, 2020
48
17
Nova Scotia, Canada
Here's what I get, same thing:
Domain Name | Certificate Name | EV | Security Certificate's Authentic Fingerprint
coinbase.com | coinbase.com | | AC:21:4E:90:DE:42:B9:DF:EF:C1:84:46:8A:01:DA:8A:E1:24:98:53

Edit: Forgot to add that I too get the same fingerprint from the website.
 

PHolder

Well-known member
Sep 16, 2020
630
2
308
Ontario, Canada
CoinBase is a Cloudflare customer. You're going to get different results depending on how the Cloudflare service directs you, I presume.

Code:
nslookup:

Non-authoritative answer:
Name:    coinbase.com
Addresses:  2606:4700::6812:70a
          2606:4700::6812:60a
          104.18.6.10
          104.18.7.10

If I plunk 104.18.6.10 into a browser, I get:

PHolder2021Apr27_CloudflareProtectedIP.png
 

Ralph

Member
Sep 24, 2020
5
0
Thanks to everyone who responded. The idea of Coinbase showing different fingerprints had crossed my mind, but so far I have limited knowledge about that. I have an account on Coinbase and for now I hesitate to log in just in case.

I will re-read the HTTPS fingerprint page, and if anyone has any links where I can learn more about multiple fingerprints I would greatly appreciate it. Until now I haven't had much reason to read up on this, but apparently the time has come to learn more. I am somewhat relieved that everyone who checked got the same fingerprint I did. At least whatever is going on is not limited to my computer.
 

miquelfire

I like red!
Sep 26, 2020
42
4
www.miquelfire.red
So it being location based is out the window, but I'm reminded that Cloudflare had to do something special to allow IE on XP (I might be wrong on Windows version). If that's going on, then the Fingerprint reader is using TLS settings that Cloudflare is just using an SSL 3.0 compatible cert.

And my site displays an error on the fingerprint site, so that may be the case.
 

Ralph

Member
Sep 24, 2020
5
0
What I haven't found yet is a way or place to find out if a site has multiple certificates. I am assuming there is a way to find out or else whenever you run across a fingerprint mismatch you can not be sure if it is an intercepted site or just one with multiple certificates. Eventually if I cannot find out how to check I may ask Steve. Thank you to everyone who replied! I do use Coinbase.com so my question is more than a theoretical question, and hopefully I and others who may have occasion to run into a mismatch will find this useful.
 

miquelfire

I like red!
Sep 26, 2020
42
4
www.miquelfire.red
If the IE thing is correct, we need someone who is still running XP (and maybe Windows 7) to see if IE comes up with the same cert as Steve's checker. Or someone who knows enough info to fool Cloudflare's servers with OpenSSL's client into thinking we have those versions of IE (I assume it's the supported crypto sent to the servers that triggers what cert you see).
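
Added example, not part of any post in this thread: one way to check whether a host serves more than one certificate is to fetch the leaf certificate from every resolved address under several cipher offerings and compare SHA-1 fingerprints against the saved one. The profile names, the `verdict` labels and the `example.com` placeholder are assumptions made for this sketch; chain and hostname validation stay enabled, so every fingerprint it reports belongs to a certificate the local trust store accepted.

```python
import hashlib
import socket
import ssl

# Cipher-string keywords are standard OpenSSL ones; the profile names are made up here.
PROFILES = {"default": None, "ecdsa-only": "aECDSA", "rsa-only": "aRSA"}

def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 of the DER certificate, in the AA:BB:... form shown in the thread."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fetch_leaf_der(host, ip, ciphers=None, timeout=5.0):
    """Connect to one IP, send `host` as SNI, return the validated leaf cert (DER)."""
    ctx = ssl.create_default_context()  # chain and hostname checks stay on
    if ciphers:
        # set_ciphers() only governs TLS 1.2 and below, so cap the version.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers(ciphers)
    with socket.create_connection((ip, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def survey(host, ips, fetch=fetch_leaf_der):
    """Return {fingerprint or error label: [(ip, profile), ...]}."""
    seen = {}
    for ip in ips:
        for name, ciphers in PROFILES.items():
            try:
                key = sha1_fingerprint(fetch(host, ip, ciphers))
            except OSError as exc:  # ssl.SSLError is a subclass of OSError
                key = f"error: {type(exc).__name__}"
            seen.setdefault(key, []).append((ip, name))
    return seen

def verdict(pinned, seen):
    """Classify a saved fingerprint against everything the survey observed."""
    served = {k for k in seen if not k.startswith("error: ")}
    pinned = pinned.strip().upper()
    if served == {pinned}:
        return "match"
    return "one-of-several" if pinned in served else "not-seen"

if __name__ == "__main__":
    host = "example.com"  # placeholder: substitute the site you keep a fingerprint for
    ips = sorted({ai[4][0] for ai in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)})
    for fp, paths in survey(host, ips).items():
        print(fp, paths)
```

A "one-of-several" result means the saved fingerprint is still being served on some path, which points to multiple certificates rather than interception; "not-seen" only says the saved value was not offered to this client on the paths tested.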