HTTPS fingerprints

[Ralph]

Some time back I posted questions concerning comparing a website's certificate fingerprint to the value obtained using GRC's tool. I've been using that for a few accounts, and the occasional mismatches were always from a renewed certificate. Lately quite a few of those same sites have been coming up mismatched and not from renewed certificates, I always check GRC for that. Not being sure what was going on I posed the question to ChatGPT, asking about fingerprints and man in the middle attacks. Out of the reply it mentioned using SSL checker (SSLShopper com) to check certificates.

I tried a couple of my mismatches on SSLS and everything checks out OK. I am assuming that is correct since I think it unlikely that many of my sites have suddenly fallen to man in the middle attacks. Is anyone familiar with or has used SSLShopper? I am still exploring the services there. Out of curiosity I put GRC com in the searchbox of SSLTest and after a while it came up with an overall rating of "B" due to protocol support and key exchange. What was interesting is that GRC's fingerprint from GRC's checker did not match the output on SSLTest.

With all that said, adding I still don't fully understand things, I have a couple questions concerning how to tell if I am on an actual connection to a website or if there is a man in the middle intercepting comms.

I use Firefox almost exclusively and check it and add ons for updates daily. Can I trust Firefox to notify me of MITM attacks? Sometime back someone mentioned I should stop checking fingerprints since they are being depreciated. If that's the case is there another way detect a MITH? Could SSLLabs com detect a MITM? Is it as simple as looking for the lock symbol in the address bar.... that just seems too easy to trust.

Any links, documents or thoughts would be appreciated. As a final note I tried Nationwide.com in SSLLabs com, one of the 'problem' sites. It showed 2 servers both with A+ ratings even though checking fingerprints don't match. When checking on GRC it gets:

One or more errors were encountered when querying:
nationwide.com

• The SSL/TLS security certificate obtained from the remote server was invalid. The trouble was severe enough that we were unable to obtain the certificate's common name and/or fingerprint. There is a server answering on the HTTPS port 443 of the IP address associated with the domain name you supplied (shown above). But the server may be answering HTTPS as if it was HTTP and returning a web page rather than a proper SSL/TLS setup handshake. (We have encountered this behavior.)

 

[PHolder]

I don't understand how CDN services (like Akamai) are able to use SSL to proxy and cache sites. I wonder if this is what you might be seeing. It feels like changing the fingerprint of a certificate (for example having more than one, one for the source, and a different one for a CDN to use) would be troublesome for HTTPS pinning configurations. (Although I don't know a lot about pinning, beyond the fact that it exists, so maybe there are ways to pin multiple certs for the same site.)

 

[SeanBZA]

Fingerprint will change probably, as each of the CDN servers will have a cert that is signed, but the actual primes used to sign are different across each one, so as to give each one a valid, but slightly different, cert per CDN block, so that one can be eg CDN NA1 and the other CDN NA2.

 

[miquelfire]

CDN services (at least Cloudflare) can work without the server behind them being HTTPS, so your browser would use an HTTPS connection, but the CDN would use an HTTP connection. Even if the server behind the CDN used HTTPS, that cert would not reach the browser.

For HTTPS pinning, all that matters is what your browser connects to, as it has no way of knowing what's going on in the back.

Now the CDN block thing I can see as something happening.

 

[Ralph]

SSLLabs did show more than 1 certificate for Proton*ME
Proton.me has always and still does match GRC. Part of the SSLLabs output follows:


Certificate #1: RSA 4096 bits (SHA256withRSA)

Server Key and Certificate #1
Subject	proton.me Fingerprint SHA256: 58874ad5f400c7028b92c435941267715ce7973e0359c7fa7b7b3d181b547999 Pin SHA256: CT56BhOTmj5ZIPgb/xD5mH8rY3BLo/MlhP7oPyJUEDo=
Common names	proton.me
Alternative names	*.pr.tn *.proton.me *.storage.proton.me pr.tn proton.me
Serial Number	043465513a7ee3becb998f729e3ee19f027b
Valid from	Mon, 20 Feb 2023 13:11:30 UTC
Valid until	Sun, 21 May 2023 13:11:29 UTC (expires in 2 months and 28 days)
Key	RSA 4096 bits (e 65537)
Weak key (Debian)	No
Issuer	R3 AIA: http://r3.i.lencr.org/
Signature algorithm	SHA256withRSA
Extended Validation	No
Certificate Transparency	Yes (certificate)
OCSP Must Staple	No
Revocation information	OCSP OCSP: http://r3.o.lencr.org
Revocation status	Good (not revoked)
DNS CAA	Yes policy host: proton.me issue: letsencrypt.org flags:0
Trusted	Yes Mozilla Apple Android Java Windows

Additional Certificates (if supplied)
Certificates provided	3 (4298 bytes)
Chain issues	None
#2
Subject	R3 Fingerprint SHA256: 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd Pin SHA256: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
Valid until	Mon, 15 Sep 2025 16:00:00 UTC (expires in 2 years and 6 months)
Key	RSA 2048 bits (e 65537)
Issuer	ISRG Root X1
Signature algorithm	SHA256withRSA
#3
Subject	ISRG Root X1 Fingerprint SHA256: 6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f Pin SHA256: C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=
Valid until	Mon, 30 Sep 2024 18:14:03 UTC (expires in 1 year and 7 months)
Key	RSA 4096 bits (e 65537)
Issuer	DST Root CA X3
Signature algorithm	SHA256withRSA

Certification Paths

The GRC tool shows:

proton.me

proton.me

—

57:10:52:21:6F:51:EA:5D:E1:6B9:C4:3C:5E:5F:2B:82:E2:44:C2

If I pull up the fingerprint using Firefox the fingerprint matches GRC. My GUESS (based on nothing) is that something has changed with recently renewed certificates. These mismatches between Firefox and GRC are a fairly recent since they previously matched. I still feel comfortable when GRC and Firefox match, but it now seems if there is a mismatch it 'probably' does not mean anything is wrong. It would be nice to be able to get a definitive match/ mismatch that means exactly that. I've been using the certificate/ GRC fingerprint match on a few accounts, credit card, bank, &C- but now it seems that method is questionable.

 

[PHolder]

did show more than 1 certificate

This is a certificate chain, I think. This implies the 3rd cert signed the 2nd cert which signed the 1st cert.

#1 Subject proton.me
Issuer R3

#2 Subject R3
Issuer ISRG Root X1

#3 Subject ISRG Root X1

 

[EdwinG]

This is a certificate chain, I think. This implies the 3rd cert signed the 2nd cert which signed the 1st cert.

#1 Subject proton.me
Issuer R3

#2 Subject R3
Issuer ISRG Root X1

#3 Subject ISRG Root X1

Your assessment is correct

 

[Ralph]

Can any of this be used to verify you are connected to the site you think you are? Until recently matching fingerprints worked, but now that method seems questionable, at least with some sites.

 

[PHolder]

Well certificates have ALWAYS been a chain of trust. You go to a site, it gives you a certificate, and it probably contains the trust layers your browser might not have. The issue, is that so long as the top of the trust chain ends up at one of the hundred or more certs your browser already contains as trusted, then the whole chain is trusted. This allows governments to get a cert put in the trusted list, and the to potentially abuse it later. This is how enterprise snooping works, they force an enterprise cert into your browser's trusted list, and then they can mint trust certs for ANY site they want.

 

[Ralph]

It sounds as if unless you have a trusted list of certificates for your browser and check that against what is actually in your browser things cannot be trusted. IF that is correct, is there a way to get a copy of the valid certificate list, in my case Firefox?

 

[PHolder]

Here's Firefox's policy on the root CA's https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
Settings, Privacy & Security, Certificates, View Certificates, and then select the tab for Authorities. It doesn't appear to have any export options though. I suspect the pre-supplied ones are compiled into the code, so they might exist in the open source, if one knew where to look.

 

[Ralph]

Thanks for that, I'll check the link. After my last login here I went into Firefox and looked at the certificates. There were quite a few, including 2 or so from China. They may be legit, but it did make me pause a minute or so.

One thing I've noticed lately on some sites is that they have an initial screen saying something like 'Checking your browser's security', sometime followed by a I am human checkbox. Occasionally I get those annoying blurry pictures to identify. I use a VPN so it is expected my machine is not always recognized, and some sites do not like logins from strange countries, often saying something like there is a temporary issue, try later. That I expect and I keep a fixed profile for a few sites to avoid the foreign login issue instead of the usual random country connection.

Most of the sites I check fingerprints on go to a different not much used email address. I have to try using the links provided in the emails and then see if it changes the fingerprints I see. Those links are often quite a bit longer than I use, no doubt providing the site with information- but I'll give it a try out of curiosity.

 

[PHolder]

'Checking your browser's security', sometime followed by a I am human checkbox.

This is mostly a way to stymie bots I think. Cloudflare does this, but other CDNs may as well.

 

[Ralph]

I asked ChatGPT a few questions about fingerprints. It listed some of Firefox's trusted certificate suppliers, not all of cause. Perhaps the most interesting thing it mentioned to check for a 'planted' certificate was simply to try a different browser and see if it complains. I have Chrome and Edge installed but almost never use them. I'll have to let them update and give that a try.

 

[Ralph]

I tried comparing fingerprints between GRC, Firefox, Chrome, and Edge. All were different and none gave any warnings about the site. Interestingly there are still sites that match GRC's fingerprint so whatever the cause of the differences it seems to be on a few and not all the sites I check.