πŸ”’ : SSL Thumbprint Inspection

This is an article to make people aware that just because you get a padlock in your browser does not mean you’re talking to the original server, the padlock in your browser, there is also a certificate called EV - this stands for extended validation, but it does not mean this certificate issue to your browser is the correct original certificate.

Preface

This post is simply like the matrix, you have two choices:

Blue Pill 

I’m quite happy in my little dream world, take me back to the land of unicorns, pixies, elves, and talking trees…..

Initiate Dreamtime

Red Pill πŸ’Š 

Are you interested in all this SSL stuff? Do you want to know how deep the rabbit hole goes? Have you always wondered about padlock? Would you like to learn about SSL thumbprints?

Excellent, take the pill with that glass of water and continue reading……

 HTTPS Interception

If you send a HTTPS request to your remote website, the proxy server sees this request to terminates the connection there then the proxy server connects to the original host on your behalf, which means your browser thinks it’s talking to the remote server when an actual fact it’s talking to the proxy server, you and your browser, or none the wiser - your browser look for a certificate, and you look for the little padlock.

VPN on open Wi-Fi

If you are using open Wi-Fi always insist on using a VPN which you can pay but choose carefully, or build one yourself - or better yet on the side, menu bar, find my free VPN section and use that - no cost to you, and no strings attached.

Why VPN matters!

If you are not, this could have been the same way open wireless networks, not to mention networks with weak WPA keys, in this situation, you can spoof the access point name and Wi-Fi being lazy will connect to the strongest access point, so if your laptop happens to be called the same name as the Wi-Fi, the other side of the coffee shop, your phone will connect to the laptop not the original Wi-Fi - yes this is spoofing and SSID, if you want to spoof SSID Networks in a vehicle that is called war driving - but I digress.

Corporate environments

If you have a proxy server through your corporate environment this does not have to be a proxy server, many firewalls or gateways, now off of this particular feature, ironically, it falls in the category of “ keeping you secure” when in certain scenarios, this particular service does the complete opposite, 

Depending on who is managing your proxy, HTTPS is particularly helpful for organizations at DLP, malware detection, dangerous script detection, however, as you’ve learned from the bottom of your traffic is intercepted and reestablished dynamically in your browser, that causes a couple of issues, many applications require actual communication with the remote server, so for many applications, you will notice that HTTPS inspection is not supported, however, there’s a high chance that does not stop your company trying to use it, if this is the case, the solution will not work correctly or not work at all.

HTTPS Inspection - is it setup well?

HTTPS inspection only offers very good protection, if it’s set up correctly, for many solutions it’s not just a case of flipping a switch box to enabled, you have some certificates and certificate chains to get correct, then you actually need to set up policies that will protect you and these should be custom to your individual requirements for your corporate environment.

Unfortunately as the end-user, you will not know what has been set up and what instructed it to monitor and analyze, however, that does not mean you cannot detect it’s being used.

HTTPS Inspection πŸ”’ - White Line

This technology is sold as a security benefit. However, it also comes with legal ramifications due to the amount of data you can get from the traffic that would otherwise be invisible, you should not really be inspecting anything to do with health or banking as it crosses quite a few moral lines, however, some companies will choose to do it anyway.

Here you can see the legal warning in TMG


Enabling this feature in your corporate environment, usually requires HR approval, and sometimes compliance due to the nature of how this works, however, let’s face facts here - policies and restrictions will not stop people behaving, insecurely - usually the more you restrict and prohibit some think the more people try and get around it, that doesn’t just apply to technology or security that applies to everything in life

The goal is not to lock them down and restrict them and deny them access to services they need, the goal here is to provide solutions, if you are enabling security feature, that intercepts uses trafficyou need those users to trust what you do with the data you collect, if they don’t users find ways to do it, without your protection and enforcement, and lockdown - I’ve seen this happen far too much.

HTTPS Inspection - How to Tell πŸ’΅

Certificate and Chain check

So, if you think your traffic is being inspected, there are a couple of tests you can do to see if this is the case. Warren is very simple to do and the other is a bit more interesting scientific and technical.

The first test is to visit a website and look at the SSL certificate on the chain, if you are using HTTPS inspection, you will not have a proper certificate chain attached to that certificate, HTTPS was invented to stop people intersect in your communications with a secure channel, protected by public and private key πŸ” 

If you for example, visit Amazon and you noticed that the certificate is trusted by suspiciously looking internal naming convention, or it’s not using an external authority then there is a very high chance. You are talking to a subordinate certificate that can pretend to be other domains and buy definition is trusted in your workplace, meaning you will see the padlock but the thumbprint and chain will be wrong,

HTTPS Inspection :  Test

The whole point of HTTPS inspection is to look for from the security point of view things that aren’t correct with HTTPS traffic, which would mean if the policy is set up correctly, you should only be allowing web traffic through that policy, so if the policy has been turned on to hide behind the shield of “keeping you secure” when more accurately with the truth, it’s more like “keeping checks on what you’re up to” 

You would expect that policy or policies to stop certain types of behavior, unfortunately, if you need to know more about this, you will need to access my restricted blog to view those details, you need an invitation to access that blog, if you would like to amble in that direction click here

SSL Thumbprints

This is how you tell when HTTPS is inspection is being used, if you want to find out, it’s a manual process because he usually people don’t want you to know this is happening, however, life is a journey about self learning and being vigilant so let’s get started…..

Perfect example is to take my blog URL which is https://a6n.co.uk next we need to get some values from the certificate so to do this your can use you browser or the internet, both will be covered here, first these are mine on the current certificate….

My Blog Thumbprint (and more)

MD5 Hash : d7e306246e96196034bdbf66cd8776e7
SHA1 Hash : 560a3a39814b35cff47969dfe9a6a11b86d383d5
SSL Fingerprint: 56:0a:3a:39:81:4b:35:cf:f4:79:69:df:e9:a6:a1:1b:86:d3:83:d5

Reference source : Baseline

Before you embark on, checking the thumbprint, you first need to know what it is, you cannot check it on your normal connection because how do you know what the thumbprint should be - so first you need to establish exactly what the thumbprint should be, also be mindful that when the certificate updates, this thumbprint will also change, so the issued from and the issue too I just as important in this scenario.

I do not advise you to get paranoid about stuff like this, and you don’t need to go out and buy a tinfoil hat to protect your head from mine control device’s it’s not about that, this is simply a reference guide, raising your awareness, as if you know why it is miss matching or why it doesn’t match when you’re at work you can make better calculated decisions.

Just because your security department tell you the traffic is secure and protected is fantastic. Remember companies are protecting themselves from a legal liability point of view, they are not protecting you as the user.

Internet Lookup Method (reference source)

If you wish to look up thumbprint using the Internet in the best way to do it with a site I would recommend called https://crt.sh 

This site I will show you every certificate that’s ever been used on any website, which is helpful because it also tracks if people have let their certificates expire, you can also get quite a bit more information than that, let’s dive in……



The the domain you wish to search for in the box like this, you do not need the https://


That will then return all the certificates used with that domain, as below:



Then click on the required certificate and the thumbprint will be shown as highlighted below:


Browser Lookup method

If you are using your browser, I have outlined a couple of browsers below, however, remember you should not be using Internet explorer what’s the weather you should be using Edge, if you are using Edge, you can follow the same process for Chrome.

Internet Explorer:

  • Right-click somewhere on the page.
  • Select “Properties” at the bottom of the pop-up menu.
  • Click the “Certificates” button on the Properties page.
  • Verify that the “Issued to” name exactly matches a6n.co.uk/www.a6n.co.uk
  • Click the “Details” tab to change views.
  • Set the “Show” selector to “<All>” if it isn't already.
  • Scroll down to the end of the list to “Thumbprint” (which is what Windows calls it).
  • Click on the “Thumbprint” item to select it and show the full thumbprint in the window.


Google Chrome:

  • Click on the padlock at the far left end of the URL address bar.
  • Select the “Connection” tab.
  • Click on “Certificate Information”.
  • Verify that the “Issued to” name exactly matches a6n.co.uk/www.a6n.co.uk
  • Click the “Details” tab to change views.
  • Set the “Show” selector to “<All>” if it isn't already.
  • Scroll down to the end of the list to “Thumbprint” (which is what Windows calls it).
  • Click on the “Thumbprint” item to select it and show the full thumbprint in the window.


Mozilla Firefox:

  • Click on the padlock at the far left end of the URL address bar.
  • Click the More “Information...” button.
  • Click the “Security” icon/tab at the top of the “Page Info” dialog.
  • Click “View Certificate”.
  • Verify that the certificate's name under “Common Name (CN)” exactly matches  a6n.co.uk/www.a6n.co.uk
  • The SHA1 fingerprint is shown under “Fingerprints”.


Apple Safari:

  • Click the [https padlock] icon at the far left end of the URL address bar.
  • Click “Show Certificate”.
  • Click the arrow to expand the “Details”
  • Verify that the certificate's “Common Name” exactly matches a6n.co.uk/www.a6n.co.uk
  • Scroll to the bottom to view the certificate's SHA1 Fingerprint.

Internet Explorer:

  • Right-click somewhere on the page.
  • Select “Properties” at the bottom of the pop-up menu.
  • Click the “Certificates” button on the Properties page.
  • Verify that the “Issued to” name exactly matches a6n.co.uk/www.a6n.co.uk
  • Click the “Details” tab to change views.
  • Set the “Show” selector to “<All>” if it isn't already.
  • Scroll down to the end of the list to “Thumbprint” (which is what Windows calls it).
  • Click on the “Thumbprint” item to select it and show the full thumbprint in the window.


Google Chrome:

  • Click on the padlock at the far left end of the URL address bar.
  • Select the “Connection” tab.
  • Click on “Certificate Information”.
  • Verify that the “Issued to” name exactly matches a6n.co.uk/www.a6n.co.uk
  • Click the “Details” tab to change views.
  • Set the “Show” selector to “<All>” if it isn't already.
  • Scroll down to the end of the list to “Thumbprint” (which is what Windows calls it).
  • Click on the “Thumbprint” item to select it and show the full thumbprint in the window.


Mozilla Firefox:

  • Click on the padlock at the far left end of the URL address bar.
  • Click the More “Information...” button.
  • Click the “Security” icon/tab at the top of the “Page Info” dialog.
  • Click “View Certificate”.
  • Verify that the certificate's name under “Common Name (CN)” exactly matches  a6n.co.uk/www.a6n.co.uk
  • The SHA1 fingerprint is shown under “Fingerprints”.


Apple Safari:

  • Click the [https padlock] icon at the far left end of the URL address bar.
  • Click “Show Certificate”.
  • Click the arrow to expand the “Details”
  • Verify that the certificate's “Common Name” exactly matches a6n.co.uk/www.a6n.co.uk
  • Scroll to the bottom to view the certificate's SHA1 Fingerprint.

Internet Explorer:

  • Right-click somewhere on the page.
  • Select “Properties” at the bottom of the pop-up menu.
  • Click the “Certificates” button on the Properties page.
  • Verify that the “Issued to” name exactly matches a6n.co.uk/www.a6n.co.uk
  • Click the “Details” tab to change views.
  • Set the “Show” selector to “<All>” if it isn't already.
  • Scroll down to the end of the list to “Thumbprint” (which is what Windows calls it).
  • Click on the “Thumbprint” item to select it and show the full thumbprint in the window.


Google Chrome:

  • Click on the padlock at the far left end of the URL address bar.
  • Select the “Connection” tab.
  • Click on “Certificate Information”.
  • Verify that the “Issued to” name exactly matches a6n.co.uk/www.a6n.co.uk
  • Click the “Details” tab to change views.
  • Set the “Show” selector to “<All>” if it isn't already.
  • Scroll down to the end of the list to “Thumbprint” (which is what Windows calls it).
  • Click on the “Thumbprint” item to select it and show the full thumbprint in the window.


Mozilla Firefox:

  • Click on the padlock at the far left end of the URL address bar.
  • Click the More “Information...” button.
  • Click the “Security” icon/tab at the top of the “Page Info” dialog.
  • Click “View Certificate”.
  • Verify that the certificate's name under “Common Name (CN)” exactly matches  a6n.co.uk/www.a6n.co.uk
  • The SHA1 fingerprint is shown under “Fingerprints”.


Apple Safari:

  • Click the [https padlock] icon at the far left end of the URL address bar.
  • Click “Show Certificate”.
  • Click the arrow to expand the “Details”
  • Verify that the certificate's “Common Name” exactly matches a6n.co.uk/www.a6n.co.uk
  • Scroll to the bottom to view the certificate's SHA1 Fingerprint.
Mobile phone lookup method

If you are on a mobile phone, it will change dramatically depending on the many browsers you choose, in this case, I recommend downloading an application, called “TLS Inspector” 


This is a fantastic utility that I use on my iOS devices, this application also does exist on android, what do you have installed the application start it up….



Enter the name of the domain you wish to check the certificate on, then press, enter - the application will then go off and retrieve the certificate and display the results….


This tells you the name of the certificate, which should be the website you’re visiting and the chain, if you tap on the first entry that contains the name of the website and in that window scroll down until you see thumbprints…


This will then confirm the thumbprint, as you can see from above the SHA1 is what you’re looking for, this should match the thumbprint on the reference source.

Why am I checking thumbprints?

The majority of people won’t particularly care about this and it will only apply to the 1% 2% of people that it matters to, I’m interested in stuff like this, so it makes sense to me and I have an interest in it, however, for the 98% or 99% of the rest of people using the Internet, why would you care? Why should you care? And more importantly you don’t have any other options to get to the Internet so you don’t really have a choice, so what does that matter to me?

Security is never ending and for ever-changing landscape, keeping yourself up to date with how exploits happen, and how to to get leaked or breached, when it comes to security it’s always best to be the dumbest guy in the room figuratively speaking, that forces you to learn things you would necessarily overlooked as “ I already know that” in 

The point of posts like this is to raise your awareness, like with the matrix would you like to wake up in your dreamworld or would you like to go down the rabbit hole? - Only you can make that decision 🐍

Evolving, infrastructure security!

In this respect, security with infrastructure is the same as airport security, once upon a time you could go into the cockpit of a plane, you could board a flight with just a simple bag scan, there were no metal detectors, they were no body scan machines, there was no taking your shoes off at the airport along with your jacket and anything in your pockets, not being allowed liquids in flights, pre-security, all those changes have been introduced in the interest of keeping you safe and secure, however, airport security is theatrical, and lots of changes at airports were brought in after something bad happened, not before, many of the security measures involved, people losing their lives to make the next flight safer.

Infrastructure security or cyber security, does not need to be like that, you don’t wait for disaster that happen before you change your behaviors. You have all the tools to be proactive and preventative not reactive to a problem that’s already developing, this does not mean lose your head and go completely paranoid about any traffic or malicious activity that comes into your data center, if you have “move to the cloud” - the point of the cloud is it in the public domain, therefore accessible from outside your company, so don’t be surprised if you get lots of interesting behavior that you might mistake for malicious.



Previous Post Next Post

Ω†Ω…ΩˆΨ°Ψ¬ Ψ§Ω„Ψ§ΨͺΨ΅Ψ§Ω„