19.10.2020 21:39, Lew Wolfgang wrote:
On 10/19/20 11:27 AM, Andrei Borzenkov wrote:
19.10.2020 20:07, Carlos E. R. wrote:
On 19/10/2020 18.34, Lew Wolfgang wrote:
I believe that MITM interference can be detected by looking at a web site's certificate fingerprint. This link explains:
https://www.grc.com/fingerprints.htm
For example, if you visit that site, you can confirm that its cert fingerprint is 7A:85:1C:F0:F6:9F:D0:CC:EA:EA:9A:88:01:96:BF:79:8C:E1:A8:33
If it's not, you're looking at that site through a MITM.
Thanks, I did not know this.
To check this, go to a page in the list, say <https://www.facebook.com/>, which has fingerprint "14:54:7C:59:19:45:DD:42:40:C2:F6:5E:AC:A1:17:B7:20:F9:C4:38".
Right click (Firefox) on an empty area of the page, to get "Page Info". Click on the "Security" tab. Click on "View Certificate". Searching for "C4:38" should find the string - I don't. The SHA-1 I get is "D9:8F:D8:BB:5D:98:AA:06:03:50:50:AC:07:82:6C:2B:D0:1C:EB:9A"
99.999% of the information on the Internet is valid only under very specific boundary conditions which are never described, mostly because the authors are not aware of them themselves.
Look at the validity period of the Facebook certificate. It was generated a week ago. I doubt the page in question follows every certificate refresh (if any). And even if the page is updated now, the certificate will be renewed in less than three months.
The GRC site is dynamic, it obtains the current fingerprint when accessed.
What makes you trust some random site to provide correct information? And this site does not even define what "Authentic Fingerprint" is or how it is computed. Assuming it is the SHA-1 *certificate* fingerprint - certificate transparency logs have had Facebook certificates since 2014. The SHA-1 fingerprint listed on this site is not found by searching these lists. I'd rather believe that this site is wrong.
paypal - fail.
It is a valid certificate which was issued to www.paypal.com. Who says only one single valid certificate may exist at any given time? And who knows how a specific site selects the certificate to use for a connection request?
I think you're correct here, Andrei. I checked others on the GRC list from a couple of different networks and found three mismatches. facebook.com, blogger.com, and yahoo.com. Maybe it can be safely said that "if" a fingerprint matches there's no MITM, but if they don't match, something else "might" be going on that's not necessarily evil.
Facebook, PayPal and Blogger issue a new certificate almost every day (again, as long as I can believe certificate transparency lists). Certificates on this site seem newer than certificates I see when connecting from my location, but that's all.